diff --git a/.gitea/workflows/build-iso-dev.yml b/.gitea/workflows/build-iso-dev.yml
index ce7bbb80..1b75258e 100644
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@@ -198,19 +198,13 @@ jobs:
           HOST=$(hostname -I 2>/dev/null | awk '{print $1}')
           BASE_URL="http://${HOST:-192.168.1.228}:8083/Builds/releases/v${VERSION}"
 
-          # Get changelog from recent commits
-          CHANGELOG=$(git log --oneline -10 --format='%s' | python3 -c "
-          import sys, json
-          lines = [l.strip() for l in sys.stdin if l.strip()]
-          print(json.dumps(lines[:10]))
-          " 2>/dev/null || echo '["Update to version '"$VERSION"'"]')
-
+          # Generate manifest JSON
           python3 -c "
           import json
           manifest = {
               'version': '$VERSION',
               'release_date': '$DATE',
-              'changelog': $CHANGELOG,
+              'changelog': ['Update to version $VERSION'],
               'components': []
           }
           if '$BACKEND_HASH':
@@ -220,7 +214,7 @@ jobs:
                   'new_version': '$VERSION',
                   'download_url': '$BASE_URL/archipelago',
                   'sha256': '$BACKEND_HASH',
-                  'size_bytes': $BACKEND_SIZE
+                  'size_bytes': int('$BACKEND_SIZE' or '0')
               })
           if '$FRONTEND_HASH':
               manifest['components'].append({
@@ -229,7 +223,7 @@ jobs:
                   'new_version': '$VERSION',
                   'download_url': '$BASE_URL/$FRONTEND_NAME',
                   'sha256': '$FRONTEND_HASH',
-                  'size_bytes': $FRONTEND_SIZE
+                  'size_bytes': int('$FRONTEND_SIZE' or '0')
               })
           print(json.dumps(manifest, indent=2))
           " | sudo tee "$RELEASE_DIR/manifest.json" > /dev/null
diff --git a/core/archipelago/src/api/rpc/package/install.rs b/core/archipelago/src/api/rpc/package/install.rs
index a7fafeb7..5898ef49 100644
--- a/core/archipelago/src/api/rpc/package/install.rs
+++ b/core/archipelago/src/api/rpc/package/install.rs
@@ -872,15 +872,22 @@ autopilot.active=false\n",
                 };
 
                 // Run with --network=host (UIs proxy to localhost backend/bitcoin)
+                // --user 0:0: run as root inside container (still unprivileged on host
+                // in rootless podman) to avoid nginx chown failures
                 let run = tokio::process::Command::new("podman")
                     .args([
                         "run", "-d",
                         "--name", &name,
                         "--restart=unless-stopped",
                         "--network=host",
+                        "--user=0:0",
                         "--cap-drop=ALL",
+                        "--cap-add=CHOWN",
+                        "--cap-add=DAC_OVERRIDE",
                         "--cap-add=NET_BIND_SERVICE",
-                        "--memory=64m",
+                        "--cap-add=SETUID",
+                        "--cap-add=SETGID",
+                        "--memory=128m",
                         &image,
                     ])
                     .output()