From d4f79d4767d9de1dbcd2d8f41217443b625db356088183b3d8f418b62ed06805 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Thu, 15 Nov 2018 12:10:25 +0000 Subject: [PATCH 1/2] Accepting request 649033 from GNOME:Next - Update to version 1.0.5: + Make the /etc -> /usr/etc bind-mounts read-only. + Make various app-specific configuration files read-only. + flatpak is more picky about remote names to avoid problems with storing weird names in the ostree config. + A segfault in libflatpak handling of bundles was fixed. + Updated translations + Fixed a regression in flatpak run that caused problems running user-installed apps when the system installation was broken. + Implicitly grant MPRIS2 permissions - Changes from version 1.0.4: + Flatpak 0.99.1 removed the inheritance of permissions from the runtime due to concerns with dynamic app permissions. Due to popular requests, this version re-introduces such inheritance, but does it instead at build time. This solved the issues with dynamic permissions while still allowing runtimes to have default permissions. Apps can disable this by passing --no-inherit-permissions to build-finish. + The sandbox now always includes a /etc/timezone file, following the (old) debian standard for this. This is needed, because the more modern way of exposing the timezone name by having /etc/localtime be a symlink into /usr/share/zoneinfo doesn't work when exposing the host timezone. + All apps now have automatic permissions to own their own app id as a subname of org.mpris.MediaPlayer2. + We now properly re-load remote state in FlatpakTransaction if the metadata was updated for the remote. + The signature of the FlatpakTransaction::operation-done signal was wrong in the header and has now been corrected to the signature that is actually emitted. 
OBS-URL: https://build.opensuse.org/request/show/649033 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=62 --- _service | 2 +- _servicedata | 2 +- flatpak-1.0.3.tar.xz | 3 --- flatpak-1.0.5.tar.xz | 3 +++ flatpak.changes | 44 ++++++++++++++++++++++++++++++++++++++++++++ flatpak.spec | 2 +- 6 files changed, 50 insertions(+), 6 deletions(-) delete mode 100644 flatpak-1.0.3.tar.xz create mode 100644 flatpak-1.0.5.tar.xz diff --git a/_service b/_service index a4b24b8..93bbb47 100644 --- a/_service +++ b/_service @@ -4,7 +4,7 @@ git @PARENT_TAG@ enable - refs/tags/1.0.3 + refs/tags/1.0.5 *.tar diff --git a/_servicedata b/_servicedata index 70ac5db..80776b7 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/flatpak/flatpak.git - b6a8cab35ff7628050a5e5c385979a034a2ff2dc + 89a7da60a21678bd1fc4b020050cf66feb676a0d \ No newline at end of file diff --git a/flatpak-1.0.3.tar.xz b/flatpak-1.0.3.tar.xz deleted file mode 100644 index aecd3be..0000000 --- a/flatpak-1.0.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:75110b38705e5a553918c7708c721efecba9ea9f0fa7466e8496636cf5e5e9b4 -size 715136 diff --git a/flatpak-1.0.5.tar.xz b/flatpak-1.0.5.tar.xz new file mode 100644 index 0000000..de0bee2 --- /dev/null +++ b/flatpak-1.0.5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c7cc295be5d5cf99d4fc29d523e6fe39620ee17c5357a295f71ab1934b6eb14d +size 718180 diff --git a/flatpak.changes b/flatpak.changes index cc08924..56df280 100644 --- a/flatpak.changes +++ b/flatpak.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Tue Nov 13 08:55:03 UTC 2018 - Antonio Larrosa + +- Update to version 1.0.5: + + Make the /etc -> /usr/etc bind-mounts read-only. + + Make various app-specific configuration files read-only. + + flatpak is more picky about remote names to avoid problems with + storing weird names in the ostree config. + + A segfault in libflatpak handling of bundles was fixed. + + Updated translations + + Fixed a regression in flatpak run that caused problems running + user-installed apps when the system installation was broken. + + Implicity grant MPRIS2 permissions +- Changes from version 1.0.4: + + Flatpak 0.99.1 removed the inheritance of permissions from the + runtime due to concerns with dynamic app permissions. Due to + popular requests, this version re-introduces such inheritance, + but does it instead at build time. This solved the issues with + dynamic permissions while still allowing runtimes to have + default permissions. Apps can disable this by passing + --no-inherit-permissions to build-finish. + + The sandbox now always includes a /etc/timezone file, following + the (old) debian standard for this. This is needed, because the + more modern way of exposing the timezone name by having + /etc/localtime be a symlink into /usr/share/zoneinfo doesn't + work when exposing the host timezone. + + All apps now have automatic permissions to own their own app id + as a subname of org.mpris.MediaPlayer2. + + We now properly re-load remote state in FlatpakTransaction if + the metadata was updated for the remote. + + The signature of the FlatpakTransaction::operation-done signal + was wrong in the header and has now been corrected to the + signature that is actually emitted. + + A crash was fixed when reading invalid .flatpakref files. + + A crash during updates when a local ref was unexpectedly + missing was fixed. 
+ + An error case on uninstalling was incorrectly returning success + even thought there was an error. + + flatpak_installation_modify_remote did not correctly save the + nodeps state. + + flatpak_installation_load_app_overrides() was improperly + returning freed memory. + + The tarball now ships with an icon (flatpak.png). + ------------------------------------------------------------------- Fri Oct 19 12:05:14 UTC 2018 - alarrosa@suse.com diff --git a/flatpak.spec b/flatpak.spec index 2a21f8e..3e69b7c 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -18,7 +18,7 @@ %define libname libflatpak0 Name: flatpak -Version: 1.0.3 +Version: 1.0.5 Release: 0 Summary: OSTree based application bundles management License: LGPL-2.1-or-later From 3d0c987ece8cce4001785396ab1916b6ae88194aa3b66018b0083038a218d9f6 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 16 Nov 2018 13:54:57 +0000 Subject: [PATCH 2/2] Accepting request 649535 from home:mgerstner:branches:GNOME:Factory - Make polkit_rules_usability.patch effective by adding a 60- prefix to the rules file. This will cause it to be executed before the polkit-default-privs are executed (bsc#984817). OBS-URL: https://build.opensuse.org/request/show/649535 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=63 --- flatpak.changes | 7 +++++++ flatpak.spec | 10 ++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/flatpak.changes b/flatpak.changes index 56df280..26ab20f 100644 --- a/flatpak.changes +++ b/flatpak.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Nov 16 10:09:01 UTC 2018 - matthias.gerstner@suse.com + +- Make polkit_rules_usability.patch effective by adding a 60- prefix to the + rules file. This will cause it to be executed before the + polkit-default-privs are executed (bsc#984817). + ------------------------------------------------------------------- Tue Nov 13 08:55:03 UTC 2018 - Antonio Larrosa 
diff --git a/flatpak.spec b/flatpak.spec index 3e69b7c..ecde752 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -132,6 +132,12 @@ make %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print mkdir -p %{buildroot}%{_sbindir} ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper +# add a 60- prefix to the rules file, otherwise it is not effective, because +# /etc/polkit-1/rules.d/90-default-privs.rules is executed first and if no +# polkit-default-privs rule grants access then an explicit reject is the +# result. This should fix bsc#984817, granting members of group wheel access +# w/o password entry. +mv %{buildroot}/%{_datadir}/polkit-1/rules.d/{,60-}org.freedesktop.Flatpak.rules %find_lang %{name} @@ -170,7 +176,7 @@ ln -s service %{buildroot}%{_sbindir}/rcflatpak-system-helper %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service # policykit rules %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy -%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules +%{_datadir}/polkit-1/rules.d/60-org.freedesktop.Flatpak.rules %{_mandir}/man1/%{name}*.1%{ext_man} %{_mandir}/man5/flatpak-metadata.5%{ext_man} %{_mandir}/man5/flatpak-flatpakref.5%{ext_man}
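Review bot: The header comment in the first flatpak.spec hunk now points at `http://bugs.opensuse.org/` where the old side had `https://`. This looks like an unrelated, probably tool-generated, revert riding along with the polkit fix. I would keep the TLS form: `# Please submit bugfixes or comments via https://bugs.opensuse.org/`.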
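Review bot: The comment added above the `mv` explains why the rules file needs a 60- prefix but not what the rule then permits. Once it sorts ahead of 90-default-privs.rules, the passwordless grant to group wheel presumably takes effect whatever polkit-default-privs profile the admin selected, and the rule body (polkit_rules_usability.patch) is not part of this diff, so the affected actions cannot be checked here. I would extend the comment with a line such as `# NOTE: evaluated before polkit-default-privs; see polkit_rules_usability.patch for the exact actions granted to wheel`. Separately, `{,60-}` relies on shell brace expansion, which a plain POSIX /bin/sh does not provide; naming both paths avoids depending on the build shell: `mv %{buildroot}%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules %{buildroot}%{_datadir}/polkit-1/rules.d/60-org.freedesktop.Flatpak.rules`. The enclosing %install section starts and ends outside the hunk.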