- Change %_prefix/lib to %_libexecdir: Makefile installs the file
explicitly into libexecdir. Let's be ready in case this path is
going to change.
- Co-own /usr/lib/systemd/user-environment-generators. We don't
want to forcibly pull in systemd into the buildroot just to own
this directory.
- Update to version 1.6.0:
+ This is the first stable release in the 1.6 series, the main
changes since 1.4 are the support for protected content and
improvements in the self-sandboxing support.
+ There is one change in the support for OCI remotes, we now only
support the use of labels, not annotations, as labels work with
more registries. This means pre-existing OCI flatpak registries
(like fedora) may need some changes.
+ New permissions --socket=cups for direct cups access.
+ Fix some leaks.
+ Fix reporting of progress with latest version of ostree.
+ New no-interaction flag for authenticators.
+ Support for auto-installing authenticators from a flatpak
remote.
+ Warn less about unset XDG_DATA_DIRS.
+ Don't poll for updates in the portal when on a metered
connection.
- Modernize spec with current macros.
OBS-URL: https://build.opensuse.org/request/show/760017
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=91
- Update to version 1.2.4 (CVE-2019-10063):
+ It has been discovered that the previous fix for CVE-2017-5226,
which uses seccomp to prevent sandboxed apps from using the
(dangerous) TIOCSTI ioctl was only incomplete on 64bit arches.
This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which
is a symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Updated translations.
OBS-URL: https://build.opensuse.org/request/show/689362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=28
- Update to version 1.2.4
This release fixes CVE-2019-10063.
It has been discovered that the previous fix for CVE-2017-5226, which uses
seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl
was only incomplete on 64bit arches. This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which is a
symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Update translations
OBS-URL: https://build.opensuse.org/request/show/689356
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=71
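
Added example, not part of the changelog or of flatpak's code: the CVE-2019-10063 entries above say the seccomp rule now compares only the low 32 bits of the TIOCSTI ioctl argument. The sketch models a 64-bit equality rule and a low-32-bit rule as classic BPF programs and evaluates both with a small stand-in interpreter. The program layouts, the names `eq64`, `low32` and `verdict`, and the little-endian offset are assumptions; a production filter would also check `seccomp_data.arch`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Low half of ioctl's request argument, args[1]; little-endian assumed. */
#define ARG1_LO (offsetof(struct seccomp_data, args) + 8)
#define DENY (SECCOMP_RET_ERRNO | EPERM)

/* 64-bit equality: both halves must match, so set high bits do not match. */
static const struct sock_filter eq64[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 5),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO + 4),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Low 32 bits only, which is all the kernel's `unsigned int cmd` keeps. */
static const struct sock_filter low32[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG1_LO),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Evaluates the three classic-BPF opcodes used above (added model). */
static uint32_t verdict(const struct sock_filter *f, uint64_t cmd)
{
    struct seccomp_data d = { .nr = SYS_ioctl, .args = { 0, cmd } };
    uint32_t acc = 0;
    for (size_t pc = 0;; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + f[pc].k, sizeof acc);
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else
            return f[pc].k; /* BPF_RET | BPF_K */
    }
}

/* Exit status 0 when the low-32 rule denies a constructed wide argument. */
int main(void) { return verdict(low32, ((uint64_t)1 << 32) | TIOCSTI) != DENY; }
```

For a constructed argument with bit 32 set, `eq64` yields `SECCOMP_RET_ALLOW` while `low32` yields the `EPERM` verdict, which is the gap the 1.2.4 change closes.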
- Update to version 1.2.0:
+ Ensure DeployCollectionID works in flatpakrepo files in all
cases.
+ Don't error out with empty installations in uninstall.
+ Add helper that validates icon files during export.
+ Don't allow root to modify the (non-root) per-user flatpak
installation, as this risks causing problems later.
+ Remove some incorrect warnings from flatpak repair.
+ Allow multiple name segments after prefix when exporting files.
+ Allow specification of ellipsization in --columns options.
+ Handle dates as well as timestamps in appdata
+ Fixed a bug where flatpak remote-delete removed too many refs.
+ Now we use raw terminal mode during a transaction to avoid
problems with input during the operation causing problems with
escape sequences.
+ Generate a fontconfig directory remapping snippet as will be
needed for newer versions of fontconfig.
+ Support --extra-collection-id in build-commit-from to bind the
commit to multiple collection ids. This is work in progress in
ostree.
- Add pkgconfig(dconf) BuildRequires: New dependency.
+ This release fixes an issue that lets system-wide installed
+ The permissions of the files created by the apply_extra script
are canonicalized and the script itself is run without any
capabilities.
+ Better matching of existing remotes when the local and remote
configuration differs wrt collection ids.
+ New flatpakrepo DeployCollectionID replaces CollectionID, doing
the same thing. It is recommended to use this instead because
OBS-URL: https://build.opensuse.org/request/show/672437
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=67
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the (forwarded request 657831 from alarrosa)
OBS-URL: https://build.opensuse.org/request/show/659047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=25
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the
OBS-URL: https://build.opensuse.org/request/show/657831
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=65
- Update to version 1.0.5:
+ Make the /etc -> /usr/etc bind-mounts read-only.
+ Make various app-specific configuration files read-only.
+ flatpak is more picky about remote names to avoid problems with
storing weird names in the ostree config.
+ A segfault in libflatpak handling of bundles was fixed.
+ Updated translations
+ Fixed a regression in flatpak run that caused problems running
user-installed apps when the system installation was broken.
+ Implicitly grant MPRIS2 permissions
- Changes from version 1.0.4:
+ Flatpak 0.99.1 removed the inheritance of permissions from the
runtime due to concerns with dynamic app permissions. Due to
popular requests, this version re-introduces such inheritance,
but does it instead at build time. This solved the issues with
dynamic permissions while still allowing runtimes to have
default permissions. Apps can disable this by passing
--no-inherit-permissions to build-finish.
+ The sandbox now always includes a /etc/timezone file, following
the (old) debian standard for this. This is needed, because the
more modern way of exposing the timezone name by having
/etc/localtime be a symlink into /usr/share/zoneinfo doesn't
work when exposing the host timezone.
+ All apps now have automatic permissions to own their own app id
as a subname of org.mpris.MediaPlayer2.
+ We now properly re-load remote state in FlatpakTransaction if
the metadata was updated for the remote.
+ The signature of the FlatpakTransaction::operation-done signal
was wrong in the header and has now been corrected to the
signature that is actually emitted.
OBS-URL: https://build.opensuse.org/request/show/649033
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=62
- Add rpmlintrc to ignore files being installed under /etc not
marked as %config (since they're not).
- Don't run "flatpak remote-list --system" on %post anymore since
it's not needed nowadays. Also let /var/lib/flatpak be created on
demand since writing to /var should be avoided for transactional
updates (boo#1111385, fate#325524).
- Update to version 1.0.3:
+ run: You can now use --system to run an app that otherwise
would run the user version.
+ New permission --allow=canbus that filters out access to AF_CAN
sockets.
+ lib: New install flags FLATPAK_INSTALL_FLAGS_NO_TRIGGERS and
new function flatpak_installation_run_triggers()
+ lib: Better error reporting, including some new error values
that replace the generic FAILED.
+ uninstall --unused: Improve handling of which .Locale
extensions are used
+ run: Make flatpak run on systems where $XDG_RUNTIME_DIR
contains a symlink beneath /var (commonly /var/run -> /run).
+ Don't export any desktop/dbus/mimetype files in subdirectories.
+ build-init: We now record the base ref (if used) in the
metadata. Nothing uses this atm, but it can be used by tools.
+ We now respect the upstream ostree.deploy-collection-id instead
of the flatpak-specific xa.collection-id metadata key to decide
whether to switch to collection ids for a remote. This is
useful, because if you use the new one, only new clients (that
support it better) will use it.
+ create-usb: Fix assertion failure in some error cases
OBS-URL: https://build.opensuse.org/request/show/643193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=23
- Add rpmlintrc to ignore files being installed under /etc not
marked as %config (since they're not).
- Don't run "flatpak remote-list --system" on %post anymore since
it's not needed nowadays. Also let /var/lib/flatpak be created on
demand since writing to /var should be avoided for transactional
updates (boo#1111385, fate#325524).
- Update to version 1.0.3:
+ run: You can now use --system to run an app that otherwise
would run the user version.
+ New permission --allow=canbus that filters out access to AF_CAN
sockets.
+ lib: New install flags FLATPAK_INSTALL_FLAGS_NO_TRIGGERS and
new function flatpak_installation_run_triggers()
+ lib: Better error reporting, including some new error values
that replace the generic FAILED.
+ uninstall --unused: Improve handling of which .Locale
extensions are used
+ run: Make flatpak run on systems where $XDG_RUNTIME_DIR
contains a symlink beneath /var (commonly /var/run -> /run).
+ Don't export any desktop/dbus/mimetype files in subdirectories.
+ build-init: We now record the base ref (if used) in the
metadata. Nothing uses this atm, but it can be used by tools.
+ We now respect the upstream ostree.deploy-collection-id instead
of the flatpak-specific xa.collection-id metadata key to decide
whether to switch to collection ids for a remote. This is
useful, because if you use the new one, only new clients (that
support it better) will use it.
+ create-usb: Fix assertion failure in some error cases
OBS-URL: https://build.opensuse.org/request/show/643183
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=59
- polkit_rules_usability.patch: Improve usability by allowing members of the
group 'wheel' to bypass polkit authentication checks when locally logged in
(bnc#984817). This adds a few polkit actions to the rules that are not
covered by upstream, because they are set to 'yes' for active users by
default. On SUSE we require 'auth_admin' for regular users, however.
OBS-URL: https://build.opensuse.org/request/show/624834
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=53