From 0f6d92739961f72676d7c98ab5b6292e93027cb973bed65cff557d4117c6bead Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Tue, 18 Dec 2018 08:28:51 +0000 Subject: [PATCH] Accepting request 657831 from home:alarrosa:branches:GNOME:Factory - Update to version 1.0.6: * This release fixes an issue that lets system-wide installed applications create setuid root files inside their app dir (somewhere in /var/lib/flatpak/app). Setuid support is disabled inside flatpaks, so such files are only a risk if the user runs them manually outside flatpak. Installing a flatpak system-wide needs root access, so this isn't a privilege elevation for non-root users. * The permissions of the files created by the apply_extra script is canonicalized and the script itself is run without any capabilities. * Better matching of existing remotes when the local and remote configuration differs wrt collection ids. * New flatpakrepo DeployCollectionID replaces CollectionID, doing the same thing. It is recommended to use this instead because older versions of flatpak has bugs in the support of collection ids, and this key will only be respected in versions where it works. * The X11 socket is now mounted read-only. - Mark flatpak.sh as %config and move the systemhelper dbus config file under /usr - Remove the flatpak-rpmlintrc file that is no longer needed. - Make polkit_rules_usability.patch effective by adding a 60- prefix to the rules file. This will cause it to be executed before the OBS-URL: https://build.opensuse.org/request/show/657831 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=65 --- _service | 2 +- _servicedata | 2 +- flatpak-1.0.5.tar.xz | 3 --- flatpak-1.0.6.tar.xz | 3 +++ flatpak-rpmlintrc | 5 ----- flatpak.changes | 34 +++++++++++++++++++++++++++++++--- flatpak.spec | 12 ++++++------ 7 files changed, 42 insertions(+), 19 deletions(-) delete mode 100644 flatpak-1.0.5.tar.xz create mode 100644 flatpak-1.0.6.tar.xz delete mode 100644 flatpak-rpmlintrc diff --git a/_service b/_service index 93bbb47..19dd220 100644 --- a/_service 
+++ b/_service @@ -4,7 +4,7 @@ git @PARENT_TAG@ enable - refs/tags/1.0.5 + refs/tags/1.0.6 *.tar diff --git a/_servicedata b/_servicedata index 80776b7..5ab358e 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/flatpak/flatpak.git - 89a7da60a21678bd1fc4b020050cf66feb676a0d \ No newline at end of file + 38b5560c66a5b28287df964b6a61d928ec163ed2 \ No newline at end of file diff --git a/flatpak-1.0.5.tar.xz b/flatpak-1.0.5.tar.xz deleted file mode 100644 index de0bee2..0000000 --- a/flatpak-1.0.5.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c7cc295be5d5cf99d4fc29d523e6fe39620ee17c5357a295f71ab1934b6eb14d -size 718180 diff --git a/flatpak-1.0.6.tar.xz b/flatpak-1.0.6.tar.xz new file mode 100644 index 0000000..9331277 --- /dev/null +++ b/flatpak-1.0.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0da41c8a5ee5782188fea4fd0376275dd6eba1c21e3bd59b1fd03cb367d7b4c4 +size 719476 diff --git a/flatpak-rpmlintrc b/flatpak-rpmlintrc deleted file mode 100644 index 90d9a0d..0000000 --- a/flatpak-rpmlintrc +++ /dev/null @@ -1,5 +0,0 @@ -# Files /etc/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf -# and /etc/profile.d/flatpak.sh are not actually config files so there's -# no way we can mark them as %config - -addFilter("non-conffile-in-etc") diff --git a/flatpak.changes b/flatpak.changes index 26ab20f..948b41f 100644 --- a/flatpak.changes +++ b/flatpak.changes 
@@ -1,12 +1,40 @@ +------------------------------------------------------------------- +Thu Dec 13 12:54:42 UTC 2018 - alarrosa@suse.com + +- Update to version 1.0.6: + * This release fixes an issue that lets system-wide installed + applications create setuid root files inside their app dir + (somewhere in /var/lib/flatpak/app). Setuid support is disabled + inside flatpaks, so such files are only a risk if the user runs + them manually outside flatpak. Installing a flatpak system-wide + needs root access, so this isn't a privilege elevation for + non-root users. + * The permissions of the files created by the apply_extra script is + canonicalized and the script itself is run without any capabilities. + * Better matching of existing remotes when the local and remote configuration + differs wrt collection ids. + * New flatpakrepo DeployCollectionID replaces CollectionID, doing the + same thing. It is recommended to use this instead because older versions + of flatpak has bugs in the support of collection ids, and this key + will only be respected in versions where it works. + * The X11 socket is now mounted read-only. + +------------------------------------------------------------------- +Thu Dec 13 12:29:18 UTC 2018 - alarrosa@suse.com + +- Mark flatpak.sh as %config and move the systemhelper dbus config + file under /usr +- Remove the flatpak-rpmlintrc file that is no longer needed. + ------------------------------------------------------------------- Fri Nov 16 10:09:01 UTC 2018 - matthias.gerstner@suse.com -- Make polkit_rules_usability.patch effective by adding a 60- prefix to the - rules file. This will cause it to be executed before the +- Make polkit_rules_usability.patch effective by adding a 60- prefix + to the rules file. This will cause it to be executed before the polkit-default-privs are executed (bsc#984817). 
------------------------------------------------------------------- -Tue Nov 13 08:55:03 UTC 2018 - Antonio Larrosa +Tue Nov 13 08:55:03 UTC 2018 - alarrosa@suse.com - Update to version 1.0.5: + Make the /etc -> /usr/etc bind-mounts read-only. diff --git a/flatpak.spec b/flatpak.spec index ecde752..03a2d36 100644 --- a/flatpak.spec +++ b/flatpak.spec @@ -12,20 +12,19 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define libname libflatpak0 Name: flatpak -Version: 1.0.5 +Version: 1.0.6 Release: 0 Summary: OSTree based application bundles management License: LGPL-2.1-or-later Group: System/Packages URL: https://flatpak.github.io/ Source: %{name}-%{version}.tar.xz -Source99: %{name}-rpmlintrc Patch0: polkit_rules_usability.patch BuildRequires: bison BuildRequires: bubblewrap >= 0.2.1 @@ -124,7 +123,8 @@ NOCONFIGURE=1 ./autogen.sh --enable-gtk-doc \ --disable-document-portal \ --with-system-bubblewrap \ - --with-priv-mode=none + --with-priv-mode=none \ + --with-dbus-config-dir=%{_datadir}/dbus-1/system.d make %{?_smp_mflags} %install @@ -174,6 +174,7 @@ mv %{buildroot}/%{_datadir}/polkit-1/rules.d/{,60-}org.freedesktop.Flatpak.rules %{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service +%{_datadir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf # policykit rules %{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy %{_datadir}/polkit-1/rules.d/60-org.freedesktop.Flatpak.rules 
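Review bot: The new `--with-dbus-config-dir=%{_datadir}/dbus-1/system.d` argument in the configure call moves the SystemHelper bus policy out of /etc, but nothing visible in this patch ensures that the installed dbus-daemon reads `/usr/share/dbus-1/system.d`. On a daemon that only scans /etc, the policy for `org.freedesktop.Flatpak.SystemHelper` would not be loaded; system-wide operations would then presumably fail rather than become more permissive, but that is worth confirming. A versioned `Requires:` on dbus-1 would make the dependency explicit, unless the distribution baseline already guarantees it. The same path is repeated in the %files hunk at -174, where a comment such as `# D-Bus policy shipped under /usr; local overrides belong in /etc/dbus-1/system.d` would record the intent. The configure invocation starts outside this hunk.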
@@ -184,8 +185,7 @@ mv %{buildroot}/%{_datadir}/polkit-1/rules.d/{,60-}org.freedesktop.Flatpak.rules
 %{_mandir}/man5/flatpak-installation.5%{ext_man}
 %{_mandir}/man5/flatpak-remote.5%{ext_man}
 %{_datadir}/%{name}/
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
-%{_sysconfdir}/profile.d/flatpak.sh
+%config %{_sysconfdir}/profile.d/flatpak.sh
 # Own dirs so we don't have to depend on gdm for building.
 %dir %{_datadir}/gdm/
 %dir %{_datadir}/gdm/env.d/
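Review bot: `%config %{_sysconfdir}/profile.d/flatpak.sh` is declared without `(noreplace)`, so when the packaged script changes in an update, a locally edited copy is replaced and the edit survives only as `.rpmsave`. For a file under profile.d, which login shells source, letting the packaged version win may well be the intended behaviour, but the line does not say so. Either add a comment such as `# plain %config: packaged script wins on update, local edits kept as .rpmsave`, or use `%config(noreplace) %{_sysconfdir}/profile.d/flatpak.sh` if administrator changes are meant to persist. The %files list starts outside this hunk.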