- Added p11-kit-server to fix boo#1221557
After OBS Studio flatpak updating to KDE Runtime 6.6 it was revealed that it no longer could verify SSL certificates. The root cause turned out to be a missing p11-kit-server which on most distributions is installed as recommended alongside flatpak (see Fedora).
With this little addition I hope to fix random SSL errors for KDE Runtime 6.6 and newer also for openSUSE Tumbleweed.
As a side note Leap is affected as well by this. Might be worth backporting this patch?
- As per documentation from flatpak 1.0: add weak dep on
p11-kit-server for certificate transfer (boo#1188902) (forwarded request 1192619 from dimstar)
OBS-URL: https://build.opensuse.org/request/show/1192622
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=87
After OBS Studio flatpak updating to KDE Runtime 6.6 it was revealed that it no longer could verify SSL certificates. The root cause turned out to be a missing p11-kit-server which on most distributions is installed as recommended alongside flatpak (see Fedora).
With this little addition I hope to fix random SSL errors for KDE Runtime 6.6 and newer also for openSUSE Tumbleweed.
As a side note Leap is affected as well by this. Might be worth backporting this patch?
- As per documentation from flatpak 1.0: add weak dep on
p11-kit-server for certificate transfer (boo#1188902)
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=202
- Don't allow an executable name to be misinterpreted as a
command-line option for bwrap(1). This prevents a sandbox
escape where a malicious or compromised app could ask
xdg-desktop-portal to generate a .desktop file with access to
files outside the sandbox. (CVE-2024-32462, boo#1223110).
- Pass the -export-dynamic linker option as
-Wl,-export-dynamic, fixing build failures with clang 18 and
lld 18.
- Fix a double-free when installation is cancelled.
- Fix installed-tests failure with "FUSERMOUNT: unbound
variable".
- Changes from version 1.15.7:
- Automatically remove obsolete driver versions and other
autopruned refs.
- --socket=inherit-wayland-socket.
- Automatically reload D-Bus session bus configuration after
installing or upgrading apps, to pick up any exported D-Bus
services.
- Don't parse <developer><name/></developer> as the application
name.
- Don't refuse to start apps when there is no D-Bus system bus
available.
- Don't try to repeat migration of apps whose data was migrated
to a new name and then deleted.
- Improve handling of mixed locales on systems with
systemd-localed.
- Improve display of ellipsized columns in wide terminals.
- Make flatpak info -e look for extensions in all
installations.
- Fix warnings from newer GLib versions.
OBS-URL: https://build.opensuse.org/request/show/1169145
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=194
- Update to version 1.15.6:
+ In distributions that compile Flatpak to use a separate
bubblewrap (bwrap) executable, version 0.8.0 is now required.
+ Enabling the optional Wayland security context feature requires
libwayland-client, wayland-scanner >= 1.15 and
wayland-protocols >= 1.32.
+ Add --device=input, for access to evdev devices in /dev/input
+ Update bundled copy of bubblewrap to version 0.8.0, and rely on
its features:
+ Improve error message if seccomp is disabled in kernel config
+ Security hardening: set user namespace limit to 0, to prevent
creation of nested user namespaces in a more robust way
+ For subsandboxes started by flatpak-portal, inherit
environment variables from the flatpak run that started the
original instance rather than from flatpak-portal, fixing
behaviour of FLATPAK_GL_DRIVERS and similar features
+ Stop http transfers if a download in progress becomes very slow
+ Make it easier to configure extra languages, by picking them up
from AccountsService if configured there
+ Add new flatpak_transaction_add_rebase_and_uninstall() API,
allowing end-of-life apps to be replaced by their intended
replacement more reliably
+ Create a private Wayland socket with the "security context"
extension if available, allowing the compositor to identify
connections from sandboxed apps as belonging to the sandbox
+ Update libglnx to 2023-08-29
+ Use features of newer GLib versions if available
+ Turn off system-level crash reporting infrastructure during
some unit tests that involve intentional assertion failures
+ Add anchors to link to sections of flatpak-metadata
documentation
+ Bug fixes:
- Avoid warnings processing symbolic links with GLib >= 2.77.0,
and with GLib 2.76.0 (GLib 2.76.1 or later silences these
warnings)
- Bypass page cache for backend requests in revokefs, fixing
installation errors with libostree 2023.4
- Show AppStream metadata in flatpak remote-info as intended
- Don't let Flatpak apps inherit VK_DRIVER_FILES or
VK_ICD_FILENAMES from the host system, which would be wrong
for the sandbox
- Fix build failure with prereleases of libappstream 0.17.x
- Forward-compatibility with libappstream 1.0
- Fix installation with Meson if configured with
-Dauto_sideloading=true
- Fix a memory leak
- Fix compiler warnings
- Make the tests fail more comprehensibly if a required tool is
missing
- Clean up /var/tmp/flatpak-cache-* directories on boot
- Don't force GIO_USE_VFS=local for programs launched via
flatpak-spawn
- Clarify documentation for D-Bus name ownership
+ Internal changes:
- Split up large source files into smaller modules, reducing
internal circular dependencies
- Re-synchronize code backported from GLib with the version in
GLib
- Clarify documentation for D-Bus name ownership
- Make the flags used to apply "extra data" clearer
- Use glnx_opendirat() where possible
+ Updated translations.
- Add pkgconfig(wayland-client), pkgconfig(wayland-scanner) and
pkgconfig(wayland-protocols) BuildRequires and pass
with-wayland-security-context=yes to configure: Enable the
optional Wayland security context. (forwarded request 1126468 from iznogood)
OBS-URL: https://build.opensuse.org/request/show/1127339
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=81
- Update to version 1.15.6:
+ In distributions that compile Flatpak to use a separate
bubblewrap (bwrap) executable, version 0.8.0 is now required.
+ Enabling the optional Wayland security context feature requires
libwayland-client, wayland-scanner >= 1.15 and
wayland-protocols >= 1.32.
+ Add --device=input, for access to evdev devices in /dev/input
+ Update bundled copy of bubblewrap to version 0.8.0, and rely on
its features:
+ Improve error message if seccomp is disabled in kernel config
+ Security hardening: set user namespace limit to 0, to prevent
creation of nested user namespaces in a more robust way
+ For subsandboxes started by flatpak-portal, inherit
environment variables from the flatpak run that started the
original instance rather than from flatpak-portal, fixing
behaviour of FLATPAK_GL_DRIVERS and similar features
+ Stop http transfers if a download in progress becomes very slow
+ Make it easier to configure extra languages, by picking them up
from AccountsService if configured there
+ Add new flatpak_transaction_add_rebase_and_uninstall() API,
allowing end-of-life apps to be replaced by their intended
replacement more reliably
+ Create a private Wayland socket with the "security context"
extension if available, allowing the compositor to identify
connections from sandboxed apps as belonging to the sandbox
+ Update libglnx to 2023-08-29
+ Use features of newer GLib versions if available
+ Turn off system-level crash reporting infrastructure during
some unit tests that involve intentional assertion failures
+ Add anchors to link to sections of flatpak-metadata
documentation
+ Bug fixes:
- Avoid warnings processing symbolic links with GLib >= 2.77.0,
and with GLib 2.76.0 (GLib 2.76.1 or later silences these
warnings)
- Bypass page cache for backend requests in revokefs, fixing
installation errors with libostree 2023.4
- Show AppStream metadata in flatpak remote-info as intended
- Don't let Flatpak apps inherit VK_DRIVER_FILES or
VK_ICD_FILENAMES from the host system, which would be wrong
for the sandbox
- Fix build failure with prereleases of libappstream 0.17.x
- Forward-compatibility with libappstream 1.0
- Fix installation with Meson if configured with
-Dauto_sideloading=true
- Fix a memory leak
- Fix compiler warnings
- Make the tests fail more comprehensibly if a required tool is
missing
- Clean up /var/tmp/flatpak-cache-* directories on boot
- Don't force GIO_USE_VFS=local for programs launched via
flatpak-spawn
- Clarify documentation for D-Bus name ownership
+ Internal changes:
- Split up large source files into smaller modules, reducing
internal circular dependencies
- Re-synchronize code backported from GLib with the version in
GLib
- Clarify documentation for D-Bus name ownership
- Make the flags used to apply "extra data" clearer
- Use glnx_opendirat() where possible
+ Updated translations.
- Add pkgconfig(wayland-client), pkgconfig(wayland-scanner) and
pkgconfig(wayland-protocols) BuildRequires and pass
with-wayland-security-context=yes to configure: Enable the
optional Wayland security context.
OBS-URL: https://build.opensuse.org/request/show/1126468
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=187
+ Allow sub-sandboxes to own MPRIS names on the session bus.
for that.
info messages.
transaction when printing end-of-life messages.
in-use runtimes or runtime extensions.
and related commands.
+ Curl supported as default HTTP backend.
+ Uses Fuse 3.
is renamed.
SDK/debuginfo along with a ref.
+ defense in depth against arbitrary file deletion by
flatpak-system-helper when using very old libostree
(boo#1202639).
+ Updated translations.
- Replace pkgconfig(fuse) BuildRequires with pkgconfig(fuse3):
Follow upstream's port to fuse3.
- Add pkgconfig(libcurl) BuildRequires: enable the new HTTP
backend.
- Drop gtk-doc BuildRequires and no longer pass --enable-gtk-doc to
configure: no longer supported.
- Drop libtool BuildRequires: no need to bootstrap the tarball.
- Replace pkgconfig(appstream-glib) BuildRequires with
pkgconfig(appstream): match what configure checks for.
- Add pkgconfig(gdk-pixbuf-2.0): verified dependency that was
implicitly included by appstream-glib before.
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=167