- When SLE uses the GNOME desktop environment, GNOME Software is
automatically started to provide key update features. During the
startup, it sets up the flatpak repository so that related features
can function properly. In a system environment where no flatpak
repository has ever been set up before, this triggers the
"org.freedesktop.Flatpak.modify-repo" polkit action.
Therefore in systems which use a restrictive security policy
(e.g. SLES) for the aforementioned policy action, a polkit
authentication dialog will pop up without any user interaction
at the first login. This is not user friendly.
This submission creates /var/lib/flatpak/repo at package
installation to avoid such a confusing authentication pop-up, at
nearly 0 cost of security compromise (bsc#1171822).
OBS-URL: https://build.opensuse.org/request/show/807123
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=107
- Change %_prefix/lib to %_libexecdir: Makefile installs the file
explicitly into libexecdir. Let's be ready in case this path is
going to change.
- Co-own /usr/lib/systemd/user-environment-generators. We don't
want to forcibly pull in systemd into the buildroot just to own
this directory.
- Update to version 1.6.0:
+ This is the first stable release in the 1.6 series, main
changes since 1.4 are the support for protected content and
improvements in the self-sandboxing support.
+ There is one change in the support for OCI remotes, we now only
support the use of labels, not annotations, as labels work with
more registries. This means pre-existing OCI flatpak registries
(like fedora) may need some changes.
+ New permissions --socket=cups for direct cups access.
+ Fix some leaks.
+ Fix reporting of progress with latest version of ostree.
+ New no-interaction flag for authenticators.
+ Support for auto-installing authenticators from a flatpak
remote.
+ Warn less about unset XDG_DATA_DIRS.
+ Don't poll for updates in the portal when on a metered
connection.
- Modernize spec with current macros.
OBS-URL: https://build.opensuse.org/request/show/760017
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=91
- Update to version 1.2.4 (CVE-2019-10063):
+ It has been discovered that the previous fix for CVE-2017-5226,
which uses seccomp to prevent sandboxed apps from using the
(dangerous) TIOCSTI ioctl was only incomplete on 64bit arches.
This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which
is a symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Updated translations.
OBS-URL: https://build.opensuse.org/request/show/689362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=28
- Update to version 1.2.4
This release fixes CVE-2019-10063.
It has been discovered that the previous fix for CVE-2017-5226, which uses
seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl
was only incomplete on 64bit arches. This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which is a
symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Update translations
OBS-URL: https://build.opensuse.org/request/show/689356
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=71
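Added example (not code from flatpak or from this changelog) for the "Only compare the low 32bit of the TIOCSTI ioctl args" item in the two 1.2.4 entries above: a model of a seccomp argument rule showing why a full 64-bit equality check misses requests that the kernel still treats as TIOCSTI, and how the masked comparison closes that gap. The function names, the hard-coded request value and the sample arguments are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of TIOCSTI on x86-64 Linux, hard-coded so the example is self-contained. */
#define TIOCSTI_CMD 0x5412u

typedef bool (*rule_fn)(uint64_t arg);

/* seccomp presents every syscall argument to the filter as a 64-bit value.
 * Rule as a plain equality test (libseccomp: SCMP_CMP_EQ). */
static bool deny_exact64(uint64_t arg) { return arg == TIOCSTI_CMD; }

/* Rule comparing only the low 32 bits, as the changelog entry describes
 * (libseccomp: SCMP_CMP_MASKED_EQ with mask 0xFFFFFFFF). */
static bool deny_masked32(uint64_t arg) { return (arg & 0xFFFFFFFFu) == TIOCSTI_CMD; }

/* The ioctl syscall declares its request as unsigned int, so the kernel
 * acts on the low 32 bits of the register only. */
static uint32_t kernel_request(uint64_t arg) { return (uint32_t)arg; }

/* Count arguments the kernel would handle as TIOCSTI but the rule does not deny. */
static size_t count_missed(rule_fn deny, const uint64_t *args, size_t n) {
    size_t missed = 0;
    for (size_t i = 0; i < n; i++)
        if (kernel_request(args[i]) == TIOCSTI_CMD && !deny(args[i]))
            missed++;
    return missed;
}

/* Constructed sample arguments for the model. */
static const uint64_t SAMPLES[] = {
    0x0000000000005412ULL, /* plain TIOCSTI */
    0x0000000100005412ULL, /* same low 32 bits, bit 32 set */
    0xFFFFFFFF00005412ULL, /* same low 32 bits, all high bits set */
    0x0000000000005413ULL, /* unrelated request (TIOCGWINSZ) */
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void) {
    printf("64-bit equality rule misses: %zu\n",
           count_missed(deny_exact64, SAMPLES, N_SAMPLES));
    printf("masked 32-bit rule misses:   %zu\n",
           count_missed(deny_masked32, SAMPLES, N_SAMPLES));
    return 0;
}
```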
- Update to version 1.2.0:
+ Ensure DeployCollectionID works in flatpakrepo files in all
cases.
+ Don't error out with empty installations in uninstall.
+ Add helper that validates icon files during export.
+ Don't allow root to modify the (non-root) per-user flatpak
installation, as this risks causing problems later.
+ Remove some incorrect warnings from flatpak repair.
+ Allow multiple name segments after prefix when exporting files.
+ Allow specification of ellipsization in --columns options.
+ Handle dates as well as timestamps in appdata
+ Fixed a bug where flatpak remote-delete removed too many refs.
+ Now we use raw terminal mode during a transaction to avoid
problems with input during the operation causing problems with
escape sequences.
+ Generate a fontconfig directory remapping snippet as will be
needed for newer versions of fontconfig.
+ Support --extra-collection-id in build-commit-from to bind the
commit to multiple collection ids. This is work in progress in
ostree.
- Add pkgconfig(dconf) BuildRequires: New dependency.
+ This release fixes an issue that lets system-wide installed
+ The permissions of the files created by the apply_extra script
are canonicalized and the script itself is run without any
capabilities.
+ Better matching of existing remotes when the local and remote
configuration differs wrt collection ids.
+ New flatpakrepo DeployCollectionID replaces CollectionID, doing
the same thing. It is recommended to use this instead because
OBS-URL: https://build.opensuse.org/request/show/672437
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=67
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the (forwarded request 657831 from alarrosa)
OBS-URL: https://build.opensuse.org/request/show/659047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=25
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the
OBS-URL: https://build.opensuse.org/request/show/657831
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=65
- Update to version 1.0.5:
+ Make the /etc -> /usr/etc bind-mounts read-only.
+ Make various app-specific configuration files read-only.
+ flatpak is more picky about remote names to avoid problems with
storing weird names in the ostree config.
+ A segfault in libflatpak handling of bundles was fixed.
+ Updated translations
+ Fixed a regression in flatpak run that caused problems running
user-installed apps when the system installation was broken.
+ Implicitly grant MPRIS2 permissions
- Changes from version 1.0.4:
+ Flatpak 0.99.1 removed the inheritance of permissions from the
runtime due to concerns with dynamic app permissions. Due to
popular requests, this version re-introduces such inheritance,
but does it instead at build time. This solved the issues with
dynamic permissions while still allowing runtimes to have
default permissions. Apps can disable this by passing
--no-inherit-permissions to build-finish.
+ The sandbox now always includes a /etc/timezone file, following
the (old) debian standard for this. This is needed, because the
more modern way of exposing the timezone name by having
/etc/localtime be a symlink into /usr/share/zoneinfo doesn't
work when exposing the host timezone.
+ All apps now have automatic permissions to own their own app id
as a subname of org.mpris.MediaPlayer2.
+ We now properly re-load remote state in FlatpakTransaction if
the metadata was updated for the remote.
+ The signature of the FlatpakTransaction::operation-done signal
was wrong in the header and has now been corrected to the
signature that is actually emitted.
OBS-URL: https://build.opensuse.org/request/show/649033
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=62