flatpak (1.14.8-1~deb12u1) bookworm; urgency=medium
* Backport upstream stable release for Debian 12
* Changes relative to 1.14.4-1+deb12u1 in bookworm-security:
- New upstream stable release 1.14.6
+ Don't parse `<developer><name/></developer>` as though it was
the application name
+ Install a tmpfiles.d snippet to clean up /var/tmp/flatpak-cache-*
during boot
+ Stop http transfers if a download in progress becomes very slow
+ Silence warnings when using GLib 2.77.0 or later
+ Bypass page cache for backend requests in revokefs, fixing
installation errors with libostree 2023.4 or later
+ Show AppStream metadata in `flatpak remote-info` as intended,
fixing a regression in 1.9.1
+ Don't let Flatpak apps inherit $VK_DRIVER_FILES or $VK_ICD_FILENAMES
from the host system, which would be wrong in the sandbox
+ Fix forward-compatibility with libappstream 0.17.x and 1.0
+ Fix a memory leak
+ Fix some compiler warnings
+ Make the test failure produce a clearer message if a required tool
is missing
+ Don't force `GIO_USE_VFS=local` for programs launched via
flatpak-spawn
+ Documentation improvements
- New upstream stable release 1.14.7
+ Automatically reload D-Bus session bus configuration when apps are
installed or upgraded, ensuring that any new .service files get
picked up
+ Allow apps to be run if the D-Bus system bus is missing or
non-functional
+ Add several more environment variables to the list not inherited
into the sandbox:
* $LD_AUDIT, $LD_PRELOAD for ld.so
* $__EGL_VENDOR_LIBRARY_DIRS, etc. for EGL
* $VK_ADD_DRIVER_FILES, etc. for Vulkan
* $container, when running Flatpak inside a container manager
+ Use xdg-desktop-portal-gnome, if installed, to detect whether apps
are running in the background
+ If an app's data is migrated to a new name and then deleted, don't
try to migrate it again, avoiding a recursive symlink loop
+ Don't leak temporary variable $new_dirs from /etc/profile.d/flatpak.sh
into user shell sessions
+ Avoid an out-of-bounds left-shift (which is technically undefined
behaviour) when hashing object names
+ Fix critical warnings "GFileInfo created without
standard::is-symlink" when using /var/lib/flatpak/extension with
testing/unstable glib2.0
+ Fix validation of documentation against Docbook DTD
+ Fix a misleading comment in the test for CVE-2024-32462
+ Fix a double-free in the test suite
+ Skip more tests if bubblewrap works but FUSE doesn't
- New upstream stable release 1.14.8
+ Respin of 1.14.7 reverting unintended submodule changes
- d/control: Move dbus-system-bus from Depends to Recommends.
`flatpak run` no longer has a working system bus as a hard requirement
(verified in `podman run --privileged --rm -it debian:sid-slim`)
- Drop CVE-2024-32462 patches, included in the upstream stable release
- debian/test.sh: Disable http proxy if used, to ensure we can reach
a HTTP server on localhost during automated tests
* Changes relative to 1.14.8-1 in unstable:
- Revert polkitd dependencies to polkitd | policykit-1 as previously
used in bookworm
- Revert pkgconf dependencies to pkg-config as previously used in
bookworm
- Revert location of systemd unit to /lib/systemd/system as previously
used in bookworm, dropping versioned dependency on debhelper 13.11.6~
- Revert changes related to Debian 13 GIR XML packaging policy
-- Simon McVittie <smcv@debian.org> Tue, 30 Apr 2024 16:50:10 +0100
flatpak (1.14.4-1+deb12u1) bookworm-security; urgency=high
* d/p/When-starting-non-static-command-using-bwrap-use.patch,
d/p/test-run-Add-a-reproducer-for-CVE-2024-32462.patch:
Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
* d/gbp.conf: Use debian/bookworm packaging branch
-- Simon McVittie <smcv@debian.org> Wed, 17 Apr 2024 19:39:48 +0100
flatpak (1.14.8-1) unstable; urgency=medium
* New upstream stable release 1.14.7
- Automatically reload D-Bus session bus configuration when apps are
installed or upgraded, ensuring that any new .service files get
picked up
- Allow apps to be run if the D-Bus system bus is missing or
non-functional
- Add several more environment variables to the list not inherited
into the sandbox:
+ $LD_AUDIT, $LD_PRELOAD for ld.so
+ $__EGL_VENDOR_LIBRARY_DIRS, etc. for EGL
+ $VK_ADD_DRIVER_FILES, etc. for Vulkan
+ $container, when running Flatpak inside a container manager
- Use xdg-desktop-portal-gnome, if installed, to detect whether apps
are running in the background
- If an app's data is migrated to a new name and then deleted, don't
try to migrate it again, avoiding a recursive symlink loop
- Don't leak temporary variable $new_dirs from /etc/profile.d/flatpak.sh
into user shell sessions
- Avoid an out-of-bounds left-shift (which is technically undefined
behaviour) when hashing object names
- Fix critical warnings "GFileInfo created without
standard::is-symlink" when using /var/lib/flatpak/extension with
testing/unstable glib2.0
- Fix validation of documentation against Docbook DTD
- Fix a misleading comment in the test for CVE-2024-32462
- Fix a double-free in the test suite
- Skip more tests if bubblewrap works but FUSE doesn't
* New upstream stable release 1.14.8
- Respin of 1.14.7 reverting unintended submodule changes
* d/control: Replace one more polkitd|policykit-1 dependency with polkitd
* d/control: Move dbus-system-bus from Depends to Recommends.
`flatpak run` no longer has a working system bus as a hard requirement.
-- Simon McVittie <smcv@debian.org> Tue, 30 Apr 2024 15:08:35 +0100
flatpak (1.14.6-1~deb13u1) trixie; urgency=high
* Rebuild for trixie
-- Simon McVittie <smcv@debian.org> Fri, 19 Apr 2024 11:00:13 +0100
flatpak (1.14.6-1) unstable; urgency=high
* New upstream stable release 1.14.6
- Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
- Don't parse `<developer><name/></developer>` as the application name
* d/control: Drop alternative dependencies on transitional policykit-1.
polkitd was released in Debian 12 and Ubuntu 22.04.
-- Simon McVittie <smcv@debian.org> Wed, 17 Apr 2024 19:34:28 +0100
flatpak (1.14.5-1) unstable; urgency=medium
* New upstream stable release
* Drop patches cherry-picked in 1.14.4-2, applied upstream
* d/flatpak.install: Install new tmpfiles.d snippet
* d/test.sh: Disable http proxy if used, to ensure we can reach localhost.
Some reproducible.org builders set http_proxy, which makes attempts
to access our temporary http server on localhost fail with a 503 error.
* d/control: (Build-)depend on pkgconf in preference to pkg-config
* d/control: Add ${gir:Depends}, ${gir:Provides} to -dev package
(Helps: #1030223)
* d/control: Build-depend on required GIR XML files (Helps: #1030223)
* Install systemd system unit into /usr/lib/systemd/system.
This was allowed by TC resolution #1053901.
Build-depend on debhelper 13.11.6~ to ensure that the unit is still
picked up by dh_installsystemd.
-- Simon McVittie <smcv@debian.org> Fri, 08 Dec 2023 12:25:50 +0000
flatpak (1.14.4-2) unstable; urgency=medium
* Team upload
[ Simon McVittie ]
* Mention #1033098, #1033099 in previous changelog entry
[ Jeremy Bicha ]
* Cherry-pick 2 patches for compatibility with glib 2.77
-- Jeremy BĂcha <jbicha@ubuntu.com> Tue, 18 Jul 2023 17:05:30 -0400
flatpak (1.14.4-1) unstable; urgency=high
* New upstream security fix release
- Escape special characters when displaying permissions and metadata,
preventing malicious apps from manipulating the appearance of the
permissions list using crafted metadata
(Closes: #1033098; CVE-2023-28101)
- If a Flatpak app is run on a Linux virtual console (tty1, etc.),
don't allow copy/paste via the TIOCLINUX ioctl
(Closes: #1033099; CVE-2023-28100).
Note that this is specific to virtual consoles: Flatpak is not
vulnerable to this if run from a graphical terminal emulator such
as xterm, gnome-terminal or Konsole.
- Translation update: pl
-- Simon McVittie <smcv@debian.org> Thu, 16 Mar 2023 10:39:01 +0000
flatpak (1.14.3-1) unstable; urgency=medium
* New upstream stable release
- Fix handling of apps superseded by an app of a different name
in GNOME Software (flatpak#5172)
- Fix a crash when an app has --socket=gpg-agent permission
(flatpak#5095)
- Fix a crash when listing broken or misconfigured apps (flatpak#5293)
- If an app has invalid syntax in its overrides or metadata, mention
the filename in the error message (flatpak#5293)
- Unset $GDK_BACKEND so that GTK apps with --socket=fallback-x11
work reliably (flatpak#5303)
- Ignore some --filesystem permissions which would otherwise prevent
all apps from starting (flatpak#1357, flatpak#5205, flatpak#5207)
- Show a warning when a --filesystem exists but cannot be shared with
the sandbox (flatpak#1357, flatpak#5035, flatpak#5205, flatpak#5207)
-- Simon McVittie <smcv@debian.org> Mon, 27 Feb 2023 12:52:48 +0000
flatpak (1.14.2-1) unstable; urgency=medium
* New upstream stable release
* Update standards version to 4.6.2 (no changes needed)
-- Simon McVittie <smcv@debian.org> Mon, 06 Feb 2023 17:21:47 +0000
flatpak (1.14.1-1) unstable; urgency=medium
* New upstream stable release
* Remove obsolete maintscript entries
* Avoid explicitly specifying -Wl,--as-needed linker flag, which is
the default with newer toolchains
-- Simon McVittie <smcv@debian.org> Fri, 18 Nov 2022 13:45:56 +0000
flatpak (1.14.0-2) unstable; urgency=medium
* d/control: Add dependency on fuse3, for fusermount3.
Strictly speaking this is only needed for system installations, but
those are the default, and a missing fusermount3 produces unclear
symptoms.
* d/control: Depend on polkitd in preference to transitional policykit-1.
This package doesn't need pkexec.
* Update Lintian overrides
-- Simon McVittie <smcv@debian.org> Fri, 02 Sep 2022 08:59:06 +0100
flatpak (1.14.0-1) unstable; urgency=medium
* New upstream release
* d/copyright: Update
* Build with libfuse3
-- Simon McVittie <smcv@debian.org> Tue, 23 Aug 2022 20:26:06 +0100
flatpak (1.13.3-2) experimental; urgency=medium
* Build with libcurl http backend.
This avoids library conflicts during the transition to GNOME 43, in
which core apps and libraries have switched to libsoup3, which conflicts
with libsoup2.4. See #1016589.
* d/control: Remove backwards-compat with libgdk-pixbuf2.0-dev.
libgdk-pixbuf-2.0-dev was released in bullseye, and official backports
to old distributions need to swap the dependency anyway, because of
how buildds resolve alternative dependencies.
* Set correct Vcs-Git field for experimental branch
* Standards-Version: 4.6.1 (no changes required)
-- Simon McVittie <smcv@debian.org> Fri, 05 Aug 2022 10:06:16 +0100
flatpak (1.13.3-1) experimental; urgency=medium
* New upstream development release
* Drop workaround for #1006684
* Continue to use libsoup http backend for now
* d/libflatpak0.symbols: Update
-- Simon McVittie <smcv@debian.org> Fri, 17 Jun 2022 17:32:52 +0100
flatpak (1.13.2-1) experimental; urgency=medium
* New upstream development release
* d/p/tests-Don-t-install-tap-driver.sh-in-the-installed-tests.patch:
Drop patch that was applied upstream
-- Simon McVittie <smcv@debian.org> Mon, 14 Mar 2022 15:37:10 +0000
flatpak (1.13.1-1) experimental; urgency=medium
* New upstream development release
* Build-depend on libappstream-dev instead of libappstream-glib-dev
* Increase dependency on bubblewrap
* Install fish profile snippet
* Add patch to work around #1006684 in libappstream
* Update symbols file
* Add patch to avoid unnecessarily installing tap-driver.sh.
As well as being unnecessary, this file triggers some Lintian
false-positives.
-- Simon McVittie <smcv@debian.org> Wed, 02 Mar 2022 13:27:15 +0000
flatpak (1.12.7-1) unstable; urgency=medium
* New upstream stable release
- Pass through a remote X11 display if the app has --share=network
- Pass through a remote PulseAudio server if the app has --share=network
- WAYLAND_DISPLAY can be an absolute path
- Accept /app/share/metainfo/*.xml exports from apps that were built
with Flatpak 1.13.x
- Automatically set up /var/lib/flatpak/repo if required
- Work around a bug in libostree < 2021.6 when used with GLib >= 2.71
- Fix some memory leaks in GVariant data processing
* d/gbp.conf: Use upstream/1.12.x branch for upstream imports
* d/watch: Only watch for upstream stable releases
-- Simon McVittie <smcv@debian.org> Mon, 14 Mar 2022 17:37:10 +0000
flatpak (1.12.6-1) unstable; urgency=medium
* New upstream stable release
- Better robustness against downloads being interrupted or cancelled
- Detect the GTK theme more reliably
- Fix history command unit test when not using persistent systemd journal
- Translation update: pt_BR
-- Simon McVittie <smcv@debian.org> Tue, 22 Feb 2022 10:58:48 +0000
flatpak (1.12.5-1) unstable; urgency=medium
* New upstream stable release
- Don't propagate GStreamer-related environment variables into sandbox
- Fix regressions in `flatpak history` since 1.9.1
- Remove temporary files from /var/lib/flatpak/appstream
* Stop installing flatpak-bisect and flatpak-coredumpctl as examples.
Since 1.8.1-2 they're installed into PATH, in libflatpak-dev.
* d/flatpak.docs: Use debhelper 11 dh_installdoc instead of dh-exec
-- Simon McVittie <smcv@debian.org> Fri, 11 Feb 2022 17:16:22 +0000
flatpak (1.12.4-1) unstable; urgency=medium
* New upstream stable release
* Alter the solution to CVE-2022-21682 to avoid regressions:
- Revert semantics of --nofilesystem=host to be the same as 1.12.2
- Revert semantics of --nofilesystem=home to be the same as 1.12.2
- Add --nofilesystem=host:reset which means the same thing that
--nofilesystem=host did in 1.12.3
- Users of flatpak-builder should update it to 1.2.2 to resolve
CVE-2022-21682
* Other bug fixes:
- Clarify documentation related to CVE-2022-21682
- Improve test coverage related to CVE-2022-21682
- Restore compatibility with older appstream-glib versions, for backports
* Set high urgency to resolve regressions in 1.12.3
-- Simon McVittie <smcv@debian.org> Tue, 18 Jan 2022 18:01:05 +0000
flatpak (1.12.3-1) unstable; urgency=high
* New upstream stable release
* Security fixes:
- Prevent a malicious repository from arranging for permissions to be
granted without being correctly displayed during installation
(CVE-2021-43860, GHSA-qpjc-vq3c-572j)
- Prevent a malicious build in flatpak-builder creating directories
outside the build directory (CVE-2022-21682, GHSA-8ch7-5j3h-g4fx)
* Behaviour changes, as a result of how CVE-2022-21682 was fixed:
- --nofilesystem=host is now special-cased to negate all --filesystem
permissions. Previously, it would cancel out --filesystem=host but
not --filesystem=/some/dir.
- --nofilesystem=home is now special-cased to negate several
home-directory-related filesystem permssions such as
--filesystem=xdg-config/foo, not just --filesystem=host.
* Other bug fixes:
- Extra-data downloading now properly handles compressed
content-encodings, which fixes checksum verification
- Avoid unnecessary polkit prompt due to auto-pinning when installing
runtimes
- Better handling of updates of extensions that exist in multiple
repositories
- Fixed (initial) installation of apps with renamed app-IDs
- Support more pulseaudio configuration, including the one used in WSL2
- Fixed regression in updates from no-enumerate remotes
- We now verify checksums of summary caches, to better handle local file
corruption
- Improved CLI output for non-terminal targets
- Flatpak run --session-bus now works
- Fix build with PyParsing >= 3.0.4
- bash auto completion now doesn't complete on command name aliases
- Minor improvements to the search command
- Minor improvements to the list command
- Minor improvements to the repair command
- Add more tests
- Updated translations and docs
* d/copyright: Update
-- Simon McVittie <smcv@debian.org> Wed, 12 Jan 2022 13:33:12 +0000
flatpak (1.12.2-2) unstable; urgency=medium
* flatpak Recommends xdg-user-dirs.
If we don't have this, the XDG special directories for documents, music,
downloads etc. will not be listed in ~/.config/user-dirs.dirs unless
configured manually; this means that app permissions that would normally
share those directories with the host, such as --filesystem=xdg-download,
will have no practical effect. (Closes: #1000609)
* Build/test-depend on dbus-daemon.
We don't necessarily need a full implementation for the unit tests, but
we do need to be able to run dbus-daemon --session.
* Depend on default-dbus-system-bus | dbus-system-bus instead of dbus.
Any implementation of the system bus will do.
* Adjust Lintian overrides for current Lintian
-- Simon McVittie <smcv@debian.org> Mon, 13 Dec 2021 13:22:23 +0000
flatpak (1.12.2-1) unstable; urgency=medium
* New upstream stable release
- Better diagnostic messages if libseccomp calls fail
- Install translations referenced by LANG, LANGUAGE or LC_ALL,
fixing test failures in 1.12.0+ on older distributions
- Update Polish translation
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Drop patch, applied upstream
-- Simon McVittie <smcv@debian.org> Tue, 12 Oct 2021 11:54:06 +0100
flatpak (1.12.1-1) unstable; urgency=medium
* New upstream stable release
- Fix regressions in 1.12.0 with extra data or --allow=multiarch
* Depend on libseccomp 2.5.2 so that CVE-2021-41133 is still fully
prevented. Resolving this with older libseccomp versions will require
further development.
* Add CVE-2021-41133 reference in previous changelog entry
* Standards-Version: 4.6.0 (no changes required)
* Update Lintian overrides
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Fix error handling for syscalls that are only allowed with --devel
-- Simon McVittie <smcv@debian.org> Fri, 08 Oct 2021 21:24:55 +0100
flatpak (1.12.0-1) unstable; urgency=high
* New upstream stable release
- Don't allow VFS manipulation which could be used to trick portals
into allowing unintended access to host
(Closes: #995935, CVE-2021-41133, GHSA-67h7-w3jq-vh4q)
- Fix misleading progress output in `flatpak repair`
- Fix parental controls check when installing system-wide as non-root
- Cope with /var/tmp being a symlink
- Improve handling of separate locale environment variables such as
LC_COLLATE
- Share host's /etc/gai.conf with apps that have Internet access
- Test-suite fixes (previously applied in 1.11.3-2)
* Drop both patches from 1.11.3-2, applied upstream
* d/control: Add Recommends on ca-certificates.
Most Flatpak users will likely want to install from https servers.
-- Simon McVittie <smcv@debian.org> Fri, 08 Oct 2021 12:58:34 +0100
flatpak (1.11.3-2) unstable; urgency=medium
* d/p/libtest-Make-sure-ldconfig-and-capsh-are-in-the-PATH.patch:
Add patch from upstream git to improve autopkgtest coverage
* d/p/tests-Don-t-reset-XDG_RUNTIME_DIR-locally.patch:
Add patch from upstream git to prevent an autopkgtest failure under qemu
* d/rules: Remove all .la files, not just the one for libflatpak
* Generalize Lintian overrides to be independent of systemd unit location
-- Simon McVittie <smcv@debian.org> Fri, 27 Aug 2021 14:59:25 +0100
flatpak (1.11.3-1) unstable; urgency=medium
* New upstream development release
* Move to debhelper compat level 13
- Drop dh_missing override, --fail-missing is now the default
* d/rules: Normalize permissions of installed-tests
* Release to unstable to get wider testing.
We're early in the Debian release cycle, and this release is basically
a release-candidate for a new 1.12.x stable branch.
-- Simon McVittie <smcv@debian.org> Wed, 25 Aug 2021 12:45:23 +0100
flatpak (1.11.2-1) experimental; urgency=medium
* New upstream development release
- Don't leak a file descriptor each time flatpak-spawn --env=... is used
(Closes: #989934)
- When an app uses flatpak-spawn --env=... --forward-fd=..., ensure
that the file descriptors do not collide, which could result in the
subsandbox failing to launch or being launched with wrong environment
variables. (Closes: #989935)
- Various other bug fixes
-- Simon McVittie <smcv@debian.org> Thu, 17 Jun 2021 18:07:22 +0100
flatpak (1.11.1-1) experimental; urgency=medium
* New upstream development release
-- Simon McVittie <smcv@debian.org> Mon, 26 Apr 2021 12:53:06 +0100
flatpak (1.11~git20210416.1-1) experimental; urgency=medium
* New upstream snapshot
-- Simon McVittie <smcv@debian.org> Fri, 16 Apr 2021 14:40:26 +0100
flatpak (1.11~git20210413-1) experimental; urgency=medium
* New upstream snapshot
- Drop remaining patch, applied upstream
- Update symbols file
-- Simon McVittie <smcv@debian.org> Wed, 14 Apr 2021 12:33:30 +0100
flatpak (1.10.2-3) unstable; urgency=medium
* d/patches: Align with upstream flatpak-1.10.x branch, making this
effectively a release candidate for upstream stable release 1.10.3
- d/patches: Update metadata to reflect upstream flatpak-1.10.x branch.
All the patches we apply in Debian are expected to be released in
1.10.3 upstream, but not all were annotated to reflect this.
- d/p/system-helper-Fix-deploys-of-local-remotes.patch:
Fix some failures to update in GNOME Software and the unit tests.
This change was previously applied in Ubuntu's flatpak_1.10.2-1ubuntu1
to fix a unit test failure, possibly triggered by a newer version of
GLib. It has also been reported to fix a failure to upgrade Flatpak
apps using GNOME Software, this time in Fedora.
- d/p/create-usb-Skip-copying-extra-data-flatpaks.patch:
Skip flatpaks with "extra-data" when using `flatpak create-usb`.
This command is intended to create USB drives that can be
used to install Flatpak apps and/or runtimes while offline,
but the "extra-data" feature downloads extra content for an app
or runtime at install time, as a way to automate installation of
data that can be re-downloaded by end users but is not licensed
for redistribution by Flatpak repositories. Such apps and runtimes
would fail to install while offline.
- d/p/series: Re-order patches to match upstream flatpak-1.10.x branch
-- Simon McVittie <smcv@debian.org> Sun, 25 Jul 2021 20:44:58 +0100
flatpak (1.10.2-2) unstable; urgency=medium
* Backport changes from upstream git to fix regressions when apps invoke
flatpak-spawn --env=... to launch a subsandbox.
- d/p/Fix-several-memory-leaks.patch:
Fix minor memory leaks so that subsequent backports apply cleanly
- d/p/portal-Don-t-leak-fd-used-for-serialized-environment.patch:
Don't leak a file descriptor each time flatpak-spawn --env=... is used
(Closes: #989934)
- d/p/portal-Use-a-GArray-to-store-fds.patch,
d/p/portal-Remap-env-fd-into-child-process-s-fd-space.patch:
When an app uses flatpak-spawn --env=... --forward-fd=..., ensure
that the file descriptors do not collide, which could result in the
subsandbox failing to launch or being launched with wrong environment
variables. (Closes: #989935)
-- Simon McVittie <smcv@debian.org> Tue, 22 Jun 2021 10:10:38 +0100
flatpak (1.10.2-1) unstable; urgency=medium
* New upstream stable release
- Make --filesystem, --nofilesystem accept non-ASCII filenames more
reliably
- Improve solution for #984859 so it refuses to install apps that
appear to be trying to exploit the vulnerability
- Fix a memory leak
- Improve compatibility with openSUSE's X authentication setup
- Use a single version of Docbook for all documentation
- This release also incorporates the fixes that were applied in
1.10.1-2 and 1.10.1-3, and part of 1.10.1-4
* Drop patches that were applied upstream
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Mark the remaining patch as applied upstream for 1.11.0
* Add reference to #984859 in previous changelog entry
-- Simon McVittie <smcv@debian.org> Wed, 10 Mar 2021 10:58:32 +0000
flatpak (1.10.1-4) unstable; urgency=high
* d/p/Disallow-and-u-usage-in-desktop-files.patch:
Add proposed patch to fix a sandbox escape via crafted .desktop
files (flatpak#4146, Closes: #984859). Thanks, Ryan Gonzalez
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Add proposed patch to fix some tests on non-x86_64 machines.
The affected tests were already skipped in schroot/lxc for other
reasons, but would be run (and fail) on autopkgtest testbeds with
isolation-machine and working FUSE.
-- Simon McVittie <smcv@debian.org> Fri, 05 Mar 2021 10:21:35 +0000
flatpak (1.10.1-3) unstable; urgency=medium
* Mark patch as applied upstream
* Add bugfixes from upstream flatpak-1.10.x branch
- Add extern "C" guards to header files, fixing compilation of C++ code
such as plasma-discover against GLib 2.67.x
- Fix memory leaks in the unit tests
-- Simon McVittie <smcv@debian.org> Wed, 24 Feb 2021 13:59:56 +0000
flatpak (1.10.1-2) unstable; urgency=medium
* d/patches: Disable FUSE-based revokefs if any of several factors fail.
This fixes FTBFS in pbuilder, and hopefully also on Launchpad
autobuilders.
-- Simon McVittie <smcv@debian.org> Thu, 28 Jan 2021 22:24:20 +0000
flatpak (1.10.1-1) unstable; urgency=medium
* New upstream release
- Fix a regression in 'flatpak build' after fixing CVE-2021-21261
(Closes: #980323)
-- Simon McVittie <smcv@debian.org> Thu, 21 Jan 2021 14:12:22 +0000
flatpak (1.10.0-2) unstable; urgency=medium
* Upload 1.10.x branch to unstable
* Add CVE-2021-21261 reference to 1.8.5-1 changelog entry
-- Simon McVittie <smcv@debian.org> Sun, 17 Jan 2021 11:51:16 +0000
flatpak (1.10.0-1) experimental; urgency=medium
* d/control: Fix branch in Vcs-Git for experimental
* Merge packaging from unstable
* New upstream release, starting the 1.10.x branch
* Drop patches, applied upstream
* d/flatpak.install: Install new systemd environment generator
* d/tests: Mark update portal test as flaky due to
https://github.com/flatpak/flatpak/issues/4065
-- Simon McVittie <smcv@debian.org> Thu, 14 Jan 2021 12:35:25 +0000
flatpak (1.8.5-1) unstable; urgency=high
* New upstream release fixing a sandbox escape vulnerability
(GHSA-4ppf-fxf6-vxg2, CVE-2021-21261)
* Mark patch for #975710 as having been applied upstream
-- Simon McVittie <smcv@debian.org> Thu, 14 Jan 2021 09:34:09 +0000
flatpak (1.8.4-2) unstable; urgency=medium
* Mark patch for #972138 as having been applied upstream
* Add patch to avoid gvfs-daemon being started when logging in as root.
Thanks to Mourad De Clerck (Closes: #975710)
* Add package-specific info from bubblewrap to bug reports.
In particular, this will tell us whether it's setuid.
-- Simon McVittie <smcv@debian.org> Sun, 03 Jan 2021 15:37:04 +0000
flatpak (1.9.3-2) experimental; urgency=medium
* Add patch to avoid gvfs-daemon being started when logging in as root.
Thanks to Mourad De Clerck (Closes: #975710)
* Add package-specific info from bubblewrap to bug reports.
In particular, this will tell us whether it's setuid.
-- Simon McVittie <smcv@debian.org> Sun, 03 Jan 2021 15:37:18 +0000
flatpak (1.9.3-1) experimental; urgency=medium
* Merge packaging changes from unstable
* New upstream release
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Drop patch, which should be unnecessary with the new version
* Mark remaining patch as forwarded
-- Simon McVittie <smcv@debian.org> Sun, 27 Dec 2020 14:12:59 +0000
flatpak (1.8.4-1) unstable; urgency=medium
* debian/o.fd.Flatpak.pkla: sync with rules provided by upstream
* Use debian/unstable branch for packaging
* New upstream release
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Drop patch, which should be unnecessary with the new version
-- Simon McVittie <smcv@debian.org> Thu, 24 Dec 2020 10:58:59 +0000
flatpak (1.8.3-2) unstable; urgency=medium
* Preferentially build-depend on libgdk-pixbuf-2.0-dev.
We don't need the deprecated Xlib integration that is also pulled in
by the older libgdk-pixbuf2.0-dev package (see #974870).
* Standards-Version: 4.5.1 (no changes required)
-- Simon McVittie <smcv@debian.org> Tue, 24 Nov 2020 12:01:18 +0000
flatpak (1.9.2-1) experimental; urgency=medium
* Branch for experimental
* New upstream development release
* Update ostree build-dependency
* Use upstream's autogen.sh now that it's shipped
* d/copyright: Update
* d/p/Skip-parental-controls-checks-on-ServiceUnknown-or-NameHa.patch:
Drop patch that was applied upstream
* d/p/Skip-a-test-case-if-etc-mtab-doesn-t-exist.patch:
Work around a test failure that can happen in sbuild
* Update symbols file.
Ignore removal of flatpak_http_error_quark (aka FLATPAK_HTTP_ERROR),
which is not in any public headers and is not referenced by any
other Debian package.
-- Simon McVittie <smcv@debian.org> Fri, 20 Nov 2020 17:30:05 +0000
flatpak (1.8.3-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <smcv@debian.org> Thu, 19 Nov 2020 14:51:15 +0000
flatpak (1.8.2-3) unstable; urgency=medium
* d/p/Skip-parental-controls-checks-on-ServiceUnknown-or-NameHa.patch:
Add proposed patch to skip parental controls if accountsservice is not
installed.
The malcontent package (which activates parental controls support)
depends on accountsservice, but the libmalcontent-0-0 client library
does not, so we need to cope gracefully with the case where
neither malcontent nor accountsservice is installed. Presumably, in such
installations the sysadmin did not want the parental controls feature.
Ideally libmalcontent would do this itself (#972145). (Closes: #972138)
* Add Depends on dbus, for the well-known system bus service.
Now that the parental controls feature is enabled, Flatpak will refuse
to run apps if the D-Bus system bus is unavailable. Previously, it would
have partially worked (but with severely reduced functionality, in
particular only --user installations).
* d/control: Canonicalize case of Multi-Arch
* Update lintian overrides to silence some false-positives
-- Simon McVittie <smcv@debian.org> Thu, 15 Oct 2020 09:47:28 +0100
flatpak (1.8.2-2) unstable; urgency=medium
[ Laurent Bigonville ]
* debian/control: Add libmalcontent-0-dev to the build-dependencies.
This provides optional parental controls for app installation and
launching.
[ Simon McVittie ]
* Add Suggests on malcontent-gui
-- Simon McVittie <smcv@debian.org> Sat, 10 Oct 2020 20:10:55 +0100
flatpak (1.8.2-1) unstable; urgency=medium
* New upstream release
- Drop patch for #964541, applied upstream
-- Simon McVittie <smcv@debian.org> Tue, 25 Aug 2020 15:57:31 +0100
flatpak (1.8.1-2) unstable; urgency=medium
* Include flatpak-bisect and flatpak-coredumpctl in libflatpak-dev
- Depends: python3, to be able to run the scripts themselves
- Recommends: flatpak, for both scripts
- Suggests: gdb and systemd-coredump, for flatpak-coredumpctl
- Suggests: python3-gi and ostree, for flatpak-bisect
* d/p/Fix-argument-order-of-clone-for-s390x-in-seccomp-filter.patch:
Add proposed patch to fix seccomp filtering on s390x.
Thanks to Julian Andres Klode. (Closes: #964541, LP: #1886814)
-- Simon McVittie <smcv@debian.org> Thu, 06 Aug 2020 22:45:21 +0100
flatpak (1.8.1-1) unstable; urgency=medium
* New upstream stable release
-- Simon McVittie <smcv@debian.org> Sat, 04 Jul 2020 15:24:14 +0100
flatpak (1.8.0-1) unstable; urgency=medium
* New upstream stable release
- Update configure options
- Install gdm env.d fragment, but only as an example file.
It is harmful on systems where environment.d(5) works (in particular
systems using systemd), because it overwrites additions to the
XDG_DATA_DIRS coming from other app frameworks like Snap.
However, using either this fragment or manual configuration might
be necessary on non-systemd systems. See
/usr/share/doc/flatpak/README.Debian for more details.
- d/flatpak.README.Debian: Add
-- Simon McVittie <smcv@debian.org> Thu, 25 Jun 2020 12:26:28 +0100
flatpak (1.7.3-1) experimental; urgency=medium
* New upstream development release
* Install new fish completions
* Enable new libzstd support
* Install new sysusers.d fragment
* d/libflatpak0.symbols: Update.
Ignore deletion of flatpak_oci_error_quark(), which was not public API.
-- Simon McVittie <smcv@debian.org> Wed, 10 Jun 2020 19:49:14 +0100
flatpak (1.7.1-1) experimental; urgency=medium
* New upstream development release
- Sideloading apps now works differently.
Flatpak no longer supports installing from local network peers, and
sideloading from a local USB drive is no longer automatic.
Instead of being configured via `flatpak config sideload-repos`,
enabling sideloading is now done by creating a symbolic link in
/var/lib/flatpak/sideload-repos or /run/flatpak/sideload-repos.
-- Simon McVittie <smcv@debian.org> Tue, 31 Mar 2020 14:46:05 +0100
flatpak (1.6.3-1) unstable; urgency=medium
* New upstream stable release
-- Simon McVittie <smcv@debian.org> Tue, 31 Mar 2020 11:56:06 +0100
flatpak (1.7.0~git20200330-1) experimental; urgency=medium
* New upstream snapshot
- d/copyright: Update
- Drop all patches, applied upstream
* Revert "d/control: Add spurious Build-Conflicts on elogind packages".
experimental buildds now use aptitude rather than aspcud, so this
particular workaround shouldn't be necessary, even in experimental.
* Explicitly build-depend on python3-pyparsing.
This is required to generate the variant schema compiler.
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Disable optimized calculation of offset size.
This doesn't seem to be completely portable, and it isn't clear why not,
so disable it until we have more answers.
-- Simon McVittie <smcv@debian.org> Mon, 30 Mar 2020 09:59:00 +0100
flatpak (1.7.0~git20200325-1) experimental; urgency=medium
* Branch for 1.7.x and Debian experimental
- d/control, d/gbp.conf: Use debian/experimental packaging branch
- d/gbp.conf: Use upstream/latest branch
- d/watch: Watch for development releases
* New upstream snapshot
* Build-depend on python3 even when not running tests, for
variant-schema-compiler
* Update symbols file
* d/patches: Add patches proposed upstream to formalize deprecations
and fix rebuild of generated files
* d/control: Add spurious Build-Conflicts on elogind packages.
As in 1.5.0-1, this works around a build-dependency resolver failure
when using the same aspcud resolution behaviour as official Debian
experimental buildds, and can safely be reverted in distributions
that only have elogind, such as Devuan.
-- Simon McVittie <smcv@debian.org> Wed, 25 Mar 2020 13:44:31 +0000
flatpak (1.6.2-1) unstable; urgency=medium
* New upstream stable release
-- Simon McVittie <smcv@debian.org> Thu, 13 Feb 2020 16:42:14 +0000
flatpak (1.6.1-1) unstable; urgency=medium
* New upstream stable release
* Use secure URI in Homepage field.
* Set upstream metadata fields: Repository.
* Remove obsolete field Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
* Standards-Version: 4.5.0 (no changes required)
-- Simon McVittie <smcv@debian.org> Thu, 23 Jan 2020 17:53:52 +0000
flatpak (1.6.0-1) unstable; urgency=medium
* New upstream stable release
- d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
Drop workaround, the leaks that broke this test have been fixed
- Drop other patches, applied upstream
- Bump xdg-desktop-portal dependency to 1.6.x.
That version has new API which Flatpak apps might rely on, so the
corresponding versions should be tested and backported together.
* d/watch: Only watch for stable releases
* Set upstream branch to upstream/1.6.x
* Drop xdg-desktop-portal from Depends to Recommends.
Installing xdg-desktop-portal 1.6.x is strongly recommended, but
strictly speaking it is not required: some of the simpler Flatpak
apps can work without it. (Closes: #947022)
* tests: Depend on fuse and policykit-1
* Revert Build-Conflicts on elogind to be nice to non-systemd derivatives.
This was a workaround for the build-dependency resolver used in
experimental, and is unnecessary now that I'm targeting unstable.
-- Simon McVittie <smcv@debian.org> Tue, 24 Dec 2019 16:11:00 +0000
flatpak (1.5.2-1) experimental; urgency=medium
* New upstream development release
- d/copyright: Update
- d/control: Depend on bubblewrap 0.4.0
- Update d/libflatpak0.symbols
* d/tests/build: Use correct compiler for proposed autopkgtest
cross-architecture testing support
* Make autopkgtests shellcheck-clean
* d/p/debian/Use-Python-3-for-test-web-server.patch:
Drop patch, no longer needed.
The tests now require Python 3 upstream, and no longer support
Python 2.
* Depend on xdg-desktop-portal 1.5.4.
This is probably not strictly required, but they are likely to be
released together and some features will need it.
* d/tests/build: Use correct compiler for proposed autopkgtest
cross-architecture testing support
* Make autopkgtests shellcheck-clean
* d/patches:
Add proposed patches from upstream PR 3307 to fix memory and fd leaks
* d/patches:
Add proposed patches from upstream PR 3310, 3311, 3312 to fix some
minor memory leaks
* d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
Remove problematic assertions while the failure is investigated
-- Simon McVittie <smcv@debian.org> Tue, 17 Dec 2019 11:34:34 +0000
flatpak (1.5.0-1) experimental; urgency=medium
* New upstream development release
- Update d/libflatpak0.symbols
* Standards-Version: 4.4.1 (no changes required)
* Set packaging branch to debian/experimental
* tests: Depend on socat
* d/control: Add spurious Build-Conflicts on elogind packages.
This works around a build-dependency resolver failure when using
the same aspcud resolution behaviour as official Debian experimental
buildds, which for some reason tries to co-install systemd and elogind,
causing failure to install build-dependencies.
(This can safely be reverted in distributions that only have elogind,
such as Devuan.)
-- Simon McVittie <smcv@debian.org> Mon, 21 Oct 2019 13:14:19 +0100
flatpak (1.4.3-1) unstable; urgency=medium
* New upstream stable release
- d/p/Don-t-register-polkit-agent-if-we-cannot-connect-to-syste.patch,
d/p/tests-Skip-tests-that-use-system-helper-if-uid-or-gid-is-.patch:
drop patches, applied upstream
* Remove redundant --libexecdir, no longer needed with compat level 12
-- Simon McVittie <smcv@debian.org> Thu, 19 Sep 2019 16:13:57 +0100
flatpak (1.4.2-2) unstable; urgency=medium
* Upload to unstable
* d/gbp.conf: Return to debian/master branch
* Use debhelper-compat 12
* Standards-Version: 4.4.0 (no changes required)
-- Simon McVittie <smcv@debian.org> Tue, 09 Jul 2019 17:59:57 +0100
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libflatpak0`.
Generated by dwww version 1.15 on Sun Jun 23 03:57:19 CEST 2024.