Accepting request 649586 from GNOME:Factory

- Make polkit_rules_usability.patch effective by adding a 60- prefix to the
  rules file. This will cause it to be executed before the
  polkit-default-privs are executed (bsc#984817). (forwarded request 649535 from mgerstner)

OBS-URL: https://build.opensuse.org/request/show/649586
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=24

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">refs/tags/1.0.3</param>
+    <param name="revision">refs/tags/1.0.5</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/flatpak/flatpak.git</param>
-              <param name="changesrevision">b6a8cab35ff7628050a5e5c385979a034a2ff2dc</param></service></servicedata>
+              <param name="changesrevision">89a7da60a21678bd1fc4b020050cf66feb676a0d</param></service></servicedata>

flatpak-1.0.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:75110b38705e5a553918c7708c721efecba9ea9f0fa7466e8496636cf5e5e9b4
-size 715136

flatpak-1.0.5.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7cc295be5d5cf99d4fc29d523e6fe39620ee17c5357a295f71ab1934b6eb14d
+size 718180

flatpak.changes

@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Fri Nov 16 10:09:01 UTC 2018 - matthias.gerstner@suse.com
+
+- Make polkit_rules_usability.patch effective by adding a 60- prefix to the
+  rules file. This will cause it to be executed before the
+  polkit-default-privs are executed (bsc#984817).
+
+-------------------------------------------------------------------
+Tue Nov 13 08:55:03 UTC 2018 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to version 1.0.5:
+  + Make the /etc -> /usr/etc bind-mounts read-only.
+  + Make various app-specific configuration files read-only.
+  + flatpak is more picky about remote names to avoid problems with
+    storing weird names in the ostree config.
+  + A segfault in libflatpak handling of bundles was fixed.
+  + Updated translations
+  + Fixed a regression in flatpak run that caused problems running
+    user-installed apps when the system installation was broken.
+  + Implicity grant MPRIS2 permissions
+- Changes from version 1.0.4:
+  + Flatpak 0.99.1 removed the inheritance of permissions from the
+    runtime due to concerns with dynamic app permissions. Due to
+    popular requests, this version re-introduces such inheritance,
+    but does it instead at build time. This solved the issues with
+    dynamic permissions while still allowing runtimes to have
+    default permissions. Apps can disable this by passing
+    --no-inherit-permissions to build-finish.
+  + The sandbox now always includes a /etc/timezone file, following
+    the (old) debian standard for this. This is needed, because the
+    more modern way of exposing the timezone name by having
+    /etc/localtime be a symlink into /usr/share/zoneinfo doesn't
+    work when exposing the host timezone.
+  + All apps now have automatic permissions to own their own app id
+    as a subname of org.mpris.MediaPlayer2.
+  + We now properly re-load remote state in FlatpakTransaction if
+    the metadata was updated for the remote.
+  + The signature of the FlatpakTransaction::operation-done signal
+    was wrong in the header and has now been corrected to the
+    signature that is actually emitted.
+  + A crash was fixed when reading invalid .flatpakref files.
+  + A crash during updates when a local ref was unexpectedly
+    missing was fixed.
+  + An error case on uninstalling was incorrectly returning success
+    even thought there was an error.
+  + flatpak_installation_modify_remote did not correctly save the
+    nodeps state.
+  + flatpak_installation_load_app_overrides() was improperly
+    returning freed memory.
+  + The tarball now ships with an icon (flatpak.png).
+
 -------------------------------------------------------------------
 Fri Oct 19 12:05:14 UTC 2018 - alarrosa@suse.com
 

flatpak.spec

@@ -12,13 +12,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
 
 %define libname libflatpak0
 Name:           flatpak
-Version:        1.0.3
+Version:        1.0.5
 Release:        0
 Summary:        OSTree based application bundles management
 License:        LGPL-2.1-or-later
@@ -132,6 +132,12 @@ make %{?_smp_mflags}
 find %{buildroot} -type f -name "*.la" -delete -print
 mkdir -p %{buildroot}%{_sbindir}
 ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper
+# add a 60- prefix to the rules file, otherwise it is not effective, because
+# /etc/polkit-1/rules.d/90-default-privs.rules is executed first and if no
+# polkit-default-privs rule grants access then an explicit reject is the
+# result. This should fix bsc#984817, granting members of group wheel access
+# w/o password entry.
+mv %{buildroot}/%{_datadir}/polkit-1/rules.d/{,60-}org.freedesktop.Flatpak.rules
 
 %find_lang %{name}
 
@@ -170,7 +176,7 @@ ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper
 %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
 # policykit rules
 %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
-%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
+%{_datadir}/polkit-1/rules.d/60-org.freedesktop.Flatpak.rules
 %{_mandir}/man1/%{name}*.1%{ext_man}
 %{_mandir}/man5/flatpak-metadata.5%{ext_man}
 %{_mandir}/man5/flatpak-flatpakref.5%{ext_man}