- Update to version 1.15.6:
  + In distributions that compile Flatpak to use a separate
    bubblewrap (bwrap) executable, version 0.8.0 is now required.
  + Enabling the optional Wayland security context feature requires
    libwayland-client, wayland-scanner >= 1.15 and
    wayland-protocols >= 1.32.
  + Add --device=input, for access to evdev devices in /dev/input
  + Update bundled copy of bubblewrap to version 0.8.0, and rely on
    its features:
  + Improve error message if seccomp is disabled in kernel config
  + Security hardening: set user namespace limit to 0, to prevent
    creation of nested user namespaces in a more robust way
  + For subsandboxes started by flatpak-portal, inherit
    environment variables from the flatpak run that started the
    original instance rather than from flatpak-portal, fixing
    behaviour of FLATPAK_GL_DRIVERS and similar features
  + Stop http transfers if a download in progress becomes very slow
  + Make it easier to configure extra languages, by picking them up
    from AccountsService if configured there
  + Add new flatpak_transaction_add_rebase_and_uninstall() API,
    allowing end-of-life apps to be replaced by their intended
    replacement more reliably
  + Create a private Wayland socket with the "security context"
    extension if available, allowing the compositor to identify
    connections from sandboxed apps as belonging to the sandbox
  + Update libglnx to 2023-08-29
  + Use features of newer GLib versions if available
  + Turn off system-level crash reporting infrastructure during
    some unit tests that involve intentional assertion failures
  + Add anchors to link to sections of flatpak-metadata
    documentation
  + Bug fixes:
    - Avoid warnings processing symbolic links with GLib >= 2.77.0,
      and with GLib 2.76.0 (GLib 2.76.1 or later silences these
      warnings)
    - Bypass page cache for backend requests in revokefs, fixing
      installation errors with libostree 2023.4
    - Show AppStream metadata in flatpak remote-info as intended
    - Don't let Flatpak apps inherit VK_DRIVER_FILES or
      VK_ICD_FILENAMES from the host system, which would be wrong
      for the sandbox
    - Fix build failure with prereleases of libappstream 0.17.x
    - Forward-compatibility with libappstream 1.0
    - Fix installation with Meson if configured with
      -Dauto_sideloading=true
    - Fix a memory leak
    - Fix compiler warnings
    - Make the tests fail more comprehensibly if a required tool is
      missing
    - Clean up /var/tmp/flatpak-cache-* directories on boot
    - Don't force GIO_USE_VFS=local for programs launched via
      flatpak-spawn
    - Clarify documentation for D-Bus name ownership
  + Internal changes:
    - Split up large source files into smaller modules, reducing
      internal circular dependencies
    - Re-synchronize code backported from GLib with the version in
      GLib
    - Clarify documentation for D-Bus name ownership
    - Make the flags used to apply "extra data" clearer
    - Use glnx_opendirat() where possible
  + Updated translations.
- Add pkgconfig(wayland-client), pkgconfig(wayland-scanner) and
  pkgconfig(wayland-protocols) BuildRequires and pass
  with-wayland-security-context=yes to configure: Enable the
  optional Wayland security context.
OBS-URL: https://build.opensuse.org/request/show/1126468
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=187
- Update to version 1.11.3.
  * Bug fixes:
  * Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox,
    fixing a regression introduced when CVE-2021-21261 was fixed in
    1.8.5 and 1.10.0
  * Update the included copy of bubblewrap (flatpak-bwrap) to 0.5.0
  * Better diagnostics when a --bind or other bind-mount fails
  * Create non-directories with safer permissions
  * Allow mounting a non-directory over an existing non-directory
  * Silence kernel messages for our bind-mounts
  * Improve ability to bind-mount directories on case-insensitive
    filesystems
  * Don't ask user which remote to download from if there is only
    one option
  * Internal changes:
  * Improve test coverage
  * Spelling fixes
  * Translation updates: Brazilian Portuguese, Russian, Spanish, Ukrainian
OBS-URL: https://build.opensuse.org/request/show/914444
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=144
- Update to version 1.11.2:
  + Bug fixes:
    - Fix logic error when migrating AppStream XML
    - Improve error-checking
    - Fix various memory and file descriptor leaks, in particular
      with flatpak-spawn --env=...
    - Fix fd confusion in flatpak-spawn --env=... --forward-fd=...,
      which caused "Steam Linux Runtime" containers to fail to start
    - Avoid a crash when looking up summary for a ref without an arch
    - Improve handling of refs belonging to more than one
      architecture, e.g. for cross-compilation
    - Don't abort uninstall if deploy metadata is missing
    - Don't fail transaction if searching for dependencies fails
      in one remote
    - Fix test failure when running tests as root
    - Improve error message for 'sudo flatpak run'
  + Internal changes:
    - Improve printf format string validation
    - Improve test coverage
    - Reduce risk of accidentally hard-coding x86 in the tests
OBS-URL: https://build.opensuse.org/request/show/900724
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=141
- When SLE uses the GNOME desktop environment, GNOME Software is
  automatically started to provide key update features. During
  startup, it sets up the flatpak repository so that related features
  can function properly. In a system environment where no flatpak
  repository has ever been set up before, this triggers the
  "org.freedesktop.Flatpak.modify-repo" polkit action.
  Therefore, in systems which use a restrictive security policy
  (e.g. SLES) for the aforementioned policy action, a polkit
  authentication dialog will pop up without any user interaction
  at the first login. This is not user friendly.
  This submission creates /var/lib/flatpak/repo at package
  installation to avoid such a confusing authentication pop-up, at
  nearly 0 cost of security compromise (bsc#1171822).
OBS-URL: https://build.opensuse.org/request/show/807123
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=107