Pc-kernel variation builds - location of and access to deb packages

Hi,

As far as I can tell, most pc-kernel snap variations seem to be built from deb packages. These packages are just variations of, or similar, to packages that you might install on Ubuntu Classic.

The snap recipes seem to be in various branches of the following repo:

I can clone that, and inspect the snapcraft files.

However, unless I’m missing something, some of the versions of snaps that are produced from these branches don’t seem to have publicly available packages.

For instance, of particualr interest to me is pc-kernel, 24-rt/stable

The snapcraft for that, kernel part, has a build-package line of linux-image-uc-realtime=@SWM:version@

My assumption is that @SWM:version@ is a placeholder string that gets replaced in a build system somewhere outside of the actual snapcraft file, before snapcraft is run.

The current version info for this package in noble repos is, 6.8.1-1015.16

$ apt-cache madison linux-image-uc-realtime
linux-image-uc-realtime | 6.8.1-1015.16 | http://gb.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages
linux-meta-realtime | 6.8.1-1015.16 | http://gb.archive.ubuntu.com/ubuntu noble-updates/universe Sources

But, the current snap version is, 6.8.1-1036.37

$ snap info pc-kernel
~~~8<~~~
  24-rt/stable:             6.8.1-1036.37               2025-10-20 (2886) 360MB -
~~~8<~~~

Googling around turns up a few CVE notification messages for package version 6.8.1-1036.37, but I can’t find it in an apt repo or launchpad anywhere.

The reason I want to packages is to get hold of the accompanying header files. The relevant versions of those are available for linux-image-uc-realtime=6.8.1-1015.16 in the noble repo, as:

linux-realtime-headers-6.8.1-1015=6.8.1-1015.16
linux-headers-6.8.1-1015-realtime=6.8.1-1015.16

Where can I find them and other realted packages for linux-image-uc-realtime=6.8.1-1036.37 ?

Thanks!

Cheers, Just

After reading this, it seems clear that the publicly available deb packages are deliberately left old:

So, I can assume that packages for 6.8.1-1036.37 are locked away somewhere unless you have Ubuntu Pro.

For brand store users and it feels like there should be a mechanism to get access to the correct version of the packages still, ideally. Even if I pick the current old version, not all required packages are available to build if you need anything more than headers [ like the complete patched linux source tree ].

Cheers, Just

As a Brand Store User you have received an Ubuntu Pro token that is supposed to be set up on your build machines (so that your snap builds can get the CVE fixes from the Pro esm archive) …

A build machine set up like this should also be able to do apt-get source linux-image-$foo to get the realtime kernel source package … This is admittedly indeed not a git tree but should get you all the sources you need …

1 Like

Ahh, that’s interesting, thanks :+1:

I wasn’t sure if that was some kind of mis-use of that token or not, as the license technically covers X number of connected machines, and use in a CI/CD env would artificially inflate that number.

If that’s acceptable we can certainly go that way.

Cheers, Just

Although that is a good pointer, automatically setting up Pro in a build is not support via snapcraft for anything other than core22 it seems:

--ua-token <token>

Configure the build environment with ESM using specified UA token.

Requires LXD or Multipass. Only works for snaps built on core22.

Ref: https://documentation.ubuntu.com/snapcraft/stable/reference/build-environment-options/

Seems perhaps based based on an assumption that pro should only be used for ESM apps/infra, and not realtime. I’d be surprised if it was a technical one.

I guess it can be manually setup still, it’s just many more hoops to go through because you can’t leverage snapcraft automated build env any more. Probably have to create the env first and then and run snapcraft within it.

Cheers, Just

Yeah, what I do personally is to set up a dedicated lxd container and use snapcraft with the --desctructive-mode option inside, there you could pre-attach the token …