- When SLE uses the GNOME desktop environment, GNOME Software is
automatically started to provide key update features. During
startup, it sets up the flatpak repository so that related features
can function properly. In a system environment where no flatpak
repository has ever been set up before, this triggers the
"org.freedesktop.Flatpak.modify-repo" polkit action.
Therefore in systems which use a restrictive security policy
(e.g. SLES) for the aforementioned policy action, a polkit
authentication dialog will pop up without any user interaction
at the first login. This is not user friendly.
This submission creates /var/lib/flatpak/repo at package
installation to avoid such a confusing authentication pop-up, at
nearly 0 cost of security compromise (bsc#1171822).
OBS-URL: https://build.opensuse.org/request/show/807123
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=107
- Change %_prefix/lib to %_libexecdir: Makefile installs the file
explicitly into libexecdir. Let's be ready in case this path is
going to change.
- Co-own /usr/lib/systemd/user-environment-generators. We don't
want to forcibly pull in systemd into the buildroot just to own
this directory.
- Update to version 1.6.0:
+ This is the first stable release in the 1.6 series; the main
changes since 1.4 are the support for protected content and
improvements in the self-sandboxing support.
+ There is one change in the support for OCI remotes, we now only
support the use of labels, not annotations, as labels work with
more registries. This means pre-existing OCI flatpak registries
(like fedora) may need some changes.
+ New permissions --socket=cups for direct cups access.
+ Fix some leaks.
+ Fix reporting of progress with latest version of ostree.
+ New no-interaction flag for authenticators.
+ Support for auto-installing authenticators from a flatpak
remote.
+ Warn less about unset XDG_DATA_DIRS.
+ Don't poll for updates in the portal when on a metered
connection.
- Modernize spec with current macros.
OBS-URL: https://build.opensuse.org/request/show/760017
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=91
- Update to version 1.2.4 (CVE-2019-10063):
+ It has been discovered that the previous fix for CVE-2017-5226,
which uses seccomp to prevent sandboxed apps from using the
(dangerous) TIOCSTI ioctl was only incomplete on 64bit arches.
This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which
is a symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Updated translations.
OBS-URL: https://build.opensuse.org/request/show/689362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=28
- Update to version 1.2.4
This release fixes CVE-2019-10063.
It has been discovered that the previous fix for CVE-2017-5226, which uses
seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl
was only incomplete on 64bit arches. This is now fixed.
+ seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
+ Support multiple nvidia cards on the machine
+ Fix support for systems where XDG_RUNTIME_DIR is /var/run which is a
symlink like gentoo.
+ Fix potential crash when updating apps.
+ flatpak list --arch now works correctly again.
+ Update translations
OBS-URL: https://build.opensuse.org/request/show/689356
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=71
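
Why the 1.2.4 entries above compare only the low 32 bits of the ioctl argument, as an added example (not flatpak's code and not part of the original changelog). It models the two comparisons as plain C functions; the function names and the sample values are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>

#ifndef TIOCSTI
#define TIOCSTI 0x5412 /* Linux value on most architectures */
#endif

/* On 64-bit arches a seccomp filter sees each syscall argument as a 64-bit
 * value, but the kernel's ioctl entry point takes the request as a 32-bit
 * unsigned int, so only the low 32 bits select the operation. */
static uint32_t request_seen_by_kernel(uint64_t arg) { return (uint32_t)arg; }

/* Incomplete rule: deny only when the whole 64-bit argument equals TIOCSTI. */
static int denied_by_full_compare(uint64_t arg) {
    return arg == (uint64_t)(uint32_t)TIOCSTI;
}

/* Fixed rule: masked equality on the low 32 bits (libseccomp expresses
 * this kind of comparison with SCMP_CMP_MASKED_EQ). */
static int denied_by_masked_compare(uint64_t arg) {
    return (arg & 0xFFFFFFFFu) == (uint64_t)(uint32_t)TIOCSTI;
}

/* Count arguments the kernel would treat as TIOCSTI but the rule lets through. */
static int count_gaps(int (*rule)(uint64_t), const uint64_t *args, int n) {
    int gaps = 0;
    for (int i = 0; i < n; i++)
        if (request_seen_by_kernel(args[i]) == (uint32_t)TIOCSTI && !rule(args[i]))
            gaps++;
    return gaps;
}

/* Constructed sample arguments for the illustration. */
static const uint64_t SAMPLE_ARGS[] = {
    (uint64_t)(uint32_t)TIOCSTI,                      /* plain request */
    ((uint64_t)1 << 32) | (uint32_t)TIOCSTI,          /* high bits set */
    0xFFFFFFFF00000000ull | (uint32_t)TIOCSTI,        /* high bits set */
    0x5413,                                           /* unrelated request */
};
#define N_SAMPLES ((int)(sizeof SAMPLE_ARGS / sizeof SAMPLE_ARGS[0]))

int main(void) {
    printf("gaps with full 64-bit compare: %d\n",
           count_gaps(denied_by_full_compare, SAMPLE_ARGS, N_SAMPLES));
    printf("gaps with masked 32-bit compare: %d\n",
           count_gaps(denied_by_masked_compare, SAMPLE_ARGS, N_SAMPLES));
    return 0;
}
```
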
- Update to version 1.2.0:
+ Ensure DeployCollectionID works in flatpakrepo files in all
cases.
+ Don't error out with empty installations in uninstall.
+ Add helper that validates icon files during export.
+ Don't allow root to modify the (non-root) per-user flatpak
installation, as this risks causing problems later.
+ Remove some incorrect warnings from flatpak repair.
+ Allow multiple name segments after prefix when exporting files.
+ Allow specification of ellipsization in --columns options.
+ Handle dates as well as timestamps in appdata
+ Fixed a bug where flatpak remote-delete removed too many refs.
+ Now we use raw terminal mode during a transaction to avoid
problems with input during the operation causing problems with
escape sequences.
+ Generate a fontconfig directory remapping snippet as will be
needed for newer versions of fontconfig.
+ Support --extra-collection-id in build-commit-from to bind the
commit to multiple collection ids. This is work in progress in
ostree.
- Add pkgconfig(dconf) BuildRequires: New dependency.
+ This release fixes an issue that lets system-wide installed
+ The permissions of the files created by the apply_extra script
are canonicalized and the script itself is run without any
capabilities.
+ Better matching of existing remotes when the local and remote
configuration differs wrt collection ids.
+ New flatpakrepo DeployCollectionID replaces CollectionID, doing
the same thing. It is recommended to use this instead because
OBS-URL: https://build.opensuse.org/request/show/672437
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=67
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the (forwarded request 657831 from alarrosa)
OBS-URL: https://build.opensuse.org/request/show/659047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flatpak?expand=0&rev=25
- Update to version 1.0.6:
* This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
non-root users.
* The permissions of the files created by the apply_extra script are
canonicalized and the script itself is run without any capabilities.
* Better matching of existing remotes when the local and remote configuration
differs wrt collection ids.
* New flatpakrepo DeployCollectionID replaces CollectionID, doing the
same thing. It is recommended to use this instead because older versions
of flatpak have bugs in the support of collection ids, and this key
will only be respected in versions where it works.
* The X11 socket is now mounted read-only.
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.
- Make polkit_rules_usability.patch effective by adding a 60- prefix
to the rules file. This will cause it to be executed before the
OBS-URL: https://build.opensuse.org/request/show/657831
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/flatpak?expand=0&rev=65