Accepting request 511713 from home:Zaitor:branches:GNOME:Factory

I suggest we downgrade to stable branch for flatpak - that way we at least get sec updates while we argue with sec team for new features.
I know this is not the ideal thing to do, but I think the benefits outweigh the drawbacks.

OBS-URL: https://build.opensuse.org/request/show/511713
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=25

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">refs/tags/0.9.1</param>
+    <param name="revision">refs/tags/0.8.7</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
-            <param name="url">https://github.com/flatpak/flatpak.git</param>
+                <param name="url">https://github.com/flatpak/flatpak.git</param>
-          <param name="changesrevision">696775687721748ba779dfb58f29ab47ed1fd6ae</param></service></servicedata>
+              <param name="changesrevision">fd186307b56d34f4bf99943251dfaa29bb9864a1</param></service></servicedata>

flatpak-0.8.7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81c25888e1aa303e4bc4507cc30ddb928201301e60694b996e17abc632e1f29c
+size 554412

flatpak-0.9.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b461701057cb60f3210c0c065369c41c14d23498190c2360a7e068e29965ae7
-size 569988

flatpak.changes

@@ -1,53 +1,72 @@
 -------------------------------------------------------------------
-Thu Mar 16 11:59:38 UTC 2017 - adrien.plazas@suse.com
+Thu Jul 20 20:12:58 UTC 2017 - zaitor@opensuse.org
 
-- Update to version 0.9.1:
+- Update to version 0.8.7:
-  + The flatpak-builder build cache now uses the rofiles-fuse
+  + This is a minor security update, matching the behaviour on
-    ostree feature.
+    master where we avoid ever creating setuid files or
-  + The cflags and cxxflags module properties now work by
+    world-writable directories. However, the fix is more localized
-    appending, rather that replacing, when there are multiple
+    and does not require a new ostree.
-    values specified.
+  + After pulling from a remote, always verify that the staged new
-  + Do not invalidate build cache when the installed version of the
+    files and directories have safe permissions.
-    SDK changed by default. Use --rebuild-on-sdk-change to force
+  + Ensure ~/.local/share/flatpak is not readable to other users,
-    rebuild otherwise.
+    to avoid anyone ever seeing possibly world-writeable
-  + The build cache is now per-arch.
+    directories therein.
-  + New buildsystem "cmake-ninja" which works like "cmake", but
+  + Fix double-setting a error in case of errors when pulling.
-    builds using ninja.
+  + Fix timeout in testcase.
-  + New buildsystem "simple" which just runs a set of shell
+
-    commands specified in the "build-commands" property.
+-------------------------------------------------------------------
-  + flatpak-builder now has build-runtime and build-extension
+Thu Jul 20 20:12:42 UTC 2017 - zaitor@opensuse.org
-    properties that makes it easier to build runtimes and
+
-    extensions.
+- Update to version 0.8.6:
-  + FLATPAK_DEST is set in the build environment to the
+  + TMPDIR is now unset in the sandbox, if set on the host. Each
-    installation destination.
+    sandbox has a personal /tmp that is used.
-  + flatpak-builder now supports --from-git=URL which pulls the
+  + Flatpak run now works if /tmp is a symlink on the host.
-    json manifest and related files directly from a git repo.
+  + /etc/hosts and /etc/hosts.conf from the host are now exposed in
-  + modules have a new no-make-install property which skips the
+    the sandbox in addition to /etc/resolv.conf.
-    make install step.
+  + flatpak now stores the app id in the X-Flatpak key when
-  + Modules and sources have only-arches and skip-arches
+    exporting a desktop file.
-    properties, which lets you enable/disable them based on the
+  + Exports are now whitelisted, and the only thing you can
-    build architecture.
+    export are: desktop files, icons, dbus services.
-  + build-options has a new property ldflags, which is similar to
+    This is somewhat different from the 0.9.x series, where als
-    cflags and cxxflags.
+    mime definitions, and gnome-shell search providers are allowed.
-  + flatpak build (and thus flatpak-builder --run) now supports
+  + Fixed minor race condition in portal application
-    dbus proxies when needed.
+    identification.
-  + All git repos are cloned with fsckObjects=true, which means we
+  + Support WAYLAND_DISPLAY environment var.
-    verify that the repos are valid.
+  + dbus-portal: Fix handling of NameHasOwner.
-  + New flatpak-builder argument --build-shell=MODULE extracts and
+  + run: Allow regular files for --filesystem=xdg-config/path.
-    prepares the sources for a specified module and then starts a
+  + run: Allow --filesystem=xdg-config/subdir:ro (previously
-    build sandbox inside it.
+    it needed to be writable).
-  + build-export: Now supports --timestamp=ISO-8601-TIMESTAMP,
+  + Support for updating to new gpg keys and url when using
-    which allows you to create reproducible commits.
+    flatpak remote-modify --update-metadata. This is a manual
-  + The OCI support has been updated to the latest version of the
+    operation in 0.8.x but is automatic in the 0.9.x series.
-    OCI image specification format.
+
-  + There is a new flatpak-bisect script that can be used to bisect
+-------------------------------------------------------------------
-    flatpak applications, looking for regressions.
+Thu Jul 20 20:12:04 UTC 2017 - zaitor@opensuse.org
-  + flatpak list got a revamp. It now shows more information, and
+
-    shows both apps and runtimes by default.
+- Update to version 0.8.5:
-  + flatpak remote-list was renamed flatpak remotes in order to
+  + Fixed a use-after-free and some leaks in the dbus-proxy. This
-    minimize confusion with flatpak remote-ls. The old name is
+    is not currently believed to be exploitable, but the proxy is a
-    deprecated but still works.
+    security boundary, so we still recommend to update.
-- Bump minimal glib to 2.44.
+  + Regular updates now never allow updates to an older version
+    than what is currently installed (unless you explicitly specify
+    an old commit id). This closes a hole where a MITM attacker can
+    force clients to downgrade to an earlier (gpg-signed) version
+    of the application.
+  + The automatic detection of --from in flatpak install now
+    detects flatpakref extensions even in URIs that end in a query
+    string such as https://git.gnome.org/browse/gnome-apps-nightly/plain/gedit.flatpakref?h=stable
+  + The detection of "unmaintained" system extensions was broken,
+    and in some cases these extensions were not found. This now
+    always works.
+  + Flatpak now builds with latest OSTree. This required some
+    fixing for multiple definitions of the g_auto* macros as OSTree
+    now exports those.
+  + We no longer rely on ostree trivial-httpd for the tests,
+    because this is optional in later versions of ostree. Instead
+    we use the python SimpleHTTPServer.
+  + The minimum glib version has been corrected to 2.44.
+  + The minumum automake version has been increased to 1.13.4
+    because some older version didn't work.
 
 -------------------------------------------------------------------
 Fri Mar 10 20:58:11 UTC 2017 - dimstar@opensuse.org

flatpak.spec

@@ -22,7 +22,7 @@
 
 %define libname libflatpak0
 Name:           flatpak
-Version:        0.9.1
+Version:        0.8.7
 Release:        0
 Summary:        Manage OSTree based application bundles
 License:        LGPL-2.1+
@@ -199,7 +199,6 @@ flatpak remote-list --system > /dev/null 2>&1
 
 %files builder
 %defattr(-,root,root)
-%{_bindir}/flatpak-bisect
 %{_bindir}/flatpak-builder
 %{_mandir}/man1/flatpak-builder.1%{ext_man}