Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package flatpak for openSUSE:Factory checked in at 2026-04-14 17:48:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/flatpak (Old)
 and      /work/SRC/openSUSE:Factory/.flatpak.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "flatpak" Tue Apr 14 17:48:45 2026 rev:100 rq:1346811 version:1.16.6 Changes: -------- --- /work/SRC/openSUSE:Factory/flatpak/flatpak.changes 2026-03-27 16:48:34.937105049 +0100 +++ /work/SRC/openSUSE:Factory/.flatpak.new.21863/flatpak.changes 2026-04-14 17:49:06.469494705 +0200 
@@ -1,0 +2,56 @@ +Tue Apr 14 07:53:35 UTC 2026 - Cathy Hu <[email protected]> + +- Install flatpak-selinux.if in distributed instead of contrib + to avoid clashing with the interfaces from the main selinux-policy + package (bsc#1262051) + - Add 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch + - Can be dropped when this comes back from upstream: + https://github.com/flatpak/flatpak/pull/6622 + +------------------------------------------------------------------- +Fri Apr 10 17:49:03 UTC 2026 - Bjørn Lie <[email protected]> + +- Update to version 1.16.6: + + Bug fixes: + - Fix the remaining regression for Chromium based browsers by + not leaking file descriptors down to wrapped command + - Fix a regression when installing extra-data without a + runtime, which is the case for openh264 + - Fix the remaining regression for Epiphany by ignoring + unusable sandbox-expose paths for sub-sandboxes in the portal + - Fix the installed tests by allowing to add a new ref to an + existing temporary ostree repo + - Avoid closing fds 0/1/2 when they are used as a bad argument + to flatpak-run, and reduce duplication in handling file + descriptor arguments + +------------------------------------------------------------------- +Thu Apr 9 13:51:26 UTC 2026 - Bjørn Lie <[email protected]> + +- Update to version 1.16.5: + + Bug fixes: Fix regressions caused by the sandbox escape + security fix, which impact some browsers, browser-based apps + and Steam + + Enhancements: Expand test coverage of flatpak-run features used + by flatpak-portal + +------------------------------------------------------------------- +Wed Apr 8 05:57:36 UTC 2026 - Bjørn Lie <[email protected]> + +- Update to version 1.16.4: + + Security fixes: + - Fix a complete sandbox escape which leads to host file access + and code execution in the host context (CVE-2026-34078) + - Prevent arbitrary file deletion on the host filesystem + (CVE-2026-34079) + - Prevent arbitrary read-access to files in the 
system-helper + context (GHSA-2fxp-43j9-pwvc) + - Prevent orphaning cross-user pull operations + (GHSA-89xm-3m96-w3jg) + +------------------------------------------------------------------- +Mon Apr 6 03:23:08 UTC 2026 - Federico Mena Quintero <[email protected]> + +- Update suse_version macro for 1610 (jsc#PED-15828) + +------------------------------------------------------------------- Old: ---- flatpak-1.16.3.tar.xz New: ---- 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch flatpak-1.16.6.tar.xz ----------(New B)---------- New: package (bsc#1262051) - Add 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch - Can be dropped when this comes back from upstream: ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ flatpak.spec ++++++ --- /var/tmp/diff_new_pack.9nCdUM/_old 2026-04-14 17:49:07.329530254 +0200 +++ /var/tmp/diff_new_pack.9nCdUM/_new 2026-04-14 17:49:07.333530420 +0200 @@ -30,7 +30,7 @@ %define support_environment_generators 1 %endif Name: flatpak -Version: 1.16.3 +Version: 1.16.6 Release: 0 Summary: OSTree based application bundles management License: LGPL-2.1-or-later @@ -44,6 +44,8 @@ Source5: https://flathub.org/repo/flathub.flatpakrepo # PATCH-FEATURE-OPENSUSE polkit_rules_usability.patch -- Make the rules comply with openSUSE expectations Patch0: polkit_rules_usability.patch +# PATCH-FIX-UPSTREAM flatpak-selinux needs to be in in distributed instead of contrib bsc#1262051 +Patch1: 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch BuildRequires: bison BuildRequires: bubblewrap >= %{bubblewrap_version} @@ -164,7 +166,7 @@ Requires: flatpak Requires(postun): flatpak Requires(postun): sed -%if 0%{?suse_version} > 1600 +%if 0%{?suse_version} >= 1699 Supplements: flatpak %endif BuildArch: noarch 
@@ -395,6 +397,6 @@ %config %{_sysconfdir}/flatpak/remotes.d/flathub.flatpakrepo %files selinux -%{_datadir}/selinux/devel/include/contrib/flatpak.if +%{_datadir}/selinux/devel/include/distributed/flatpak.if %{_datadir}/selinux/packages/flatpak.pp.bz2 ++++++ 1262051-selinux-flatpak.if-should-be-installed-in-distribute.patch ++++++ >From 495dd5cdb09085b224d2ad33af54d6e4e4b86ae6 Mon Sep 17 00:00:00 2001 From: Cathy Hu <[email protected]> Date: Tue, 14 Apr 2026 09:37:27 +0200 Subject: [PATCH] selinux: flatpak.if should be installed in `distributed` (bsc#1262051) instead of `contrib`. Otherwise interfaces might clash with the interfaces from the main policy on fedora and openSUSE. See the independent policy guideline: https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Using_custom_interfaces And: https://bugzilla.opensuse.org/show_bug.cgi?id=1262051 --- selinux/meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/selinux/meson.build b/selinux/meson.build index 238a46f1..cf499615 100644 --- a/selinux/meson.build +++ b/selinux/meson.build @@ -17,5 +17,5 @@ custom_target( install_data( 'flatpak.if', - install_dir : get_option('datadir') / 'selinux' / 'devel' / 'include' / 'contrib', + install_dir : get_option('datadir') / 'selinux' / 'devel' / 'include' / 'distributed', ) -- 2.53.0 ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.9nCdUM/_old 2026-04-14 17:49:07.389532734 +0200 +++ /var/tmp/diff_new_pack.9nCdUM/_new 2026-04-14 17:49:07.393532900 +0200 
@@ -1,6 +1,6 @@ -mtime: 1774254530 -commit: fd01b78d88dfd775c64f7a024df3098d28198690189175ef3a394cd853823bd4 +mtime: 1776153351 +commit: 3e64856c4fa07287706e2dfc6285b0cad864b12fc519b97d0d6a324b56b336d3 url: https://src.opensuse.org/GNOME/flatpak -revision: fd01b78d88dfd775c64f7a024df3098d28198690189175ef3a394cd853823bd4 +revision: 3e64856c4fa07287706e2dfc6285b0cad864b12fc519b97d0d6a324b56b336d3 projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9nCdUM/_old 2026-04-14 17:49:07.413533727 +0200 +++ /var/tmp/diff_new_pack.9nCdUM/_new 2026-04-14 17:49:07.413533727 +0200 @@ -3,7 +3,7 @@ <service name="obs_scm" mode="manual"> <param name="scm">git</param> <param name="url">https://github.com/flatpak/flatpak.git</param> - <param name="revision">1.16.3</param> + <param name="revision">1.16.6</param> <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param> <param name="versionrewrite-pattern">(.*)\+0</param> <param name="versionrewrite-replacement">\1</param> ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-14 11:16:48.000000000 +0200 @@ -0,0 +1,5 @@ +*.obscpio +*.osc +_build.* +.pbuild +osc-collab.* ++++++ flatpak-1.16.3.tar.xz -> flatpak-1.16.6.tar.xz ++++++ ++++ 38798 lines of diff (skipped) ++++++ flatpak.obsinfo ++++++ --- /var/tmp/diff_new_pack.9nCdUM/_old 2026-04-14 17:49:08.377573575 +0200 +++ /var/tmp/diff_new_pack.9nCdUM/_new 2026-04-14 17:49:08.381573740 +0200 @@ -1,5 +1,5 @@ name: flatpak -version: 1.16.3 -mtime: 1768994398 -commit: b76f2533c72d65e20bfbc6ef0fb2f6ae9939013d +version: 1.16.6 +mtime: 1775842122 +commit: e761a8885453c217a931281092a641ebbdd0a0c6
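
Review bot: in the flatpak.changes hunk, the 1.16.4 entry lists CVE-2026-34078, CVE-2026-34079, GHSA-2fxp-43j9-pwvc and GHSA-89xm-3m96-w3jg with no bsc# reference, while the 2026-04-14 entry in the same hunk carries bsc#1262051. If tracking bugs exist for these security fixes, add them next to the CVE and GHSA ids so the update can be traced from the bug tracker to this changelog entry.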
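
Review bot: in the flatpak.spec hunk at "@@ -44,6 +44,8 @@", the comment above Patch1 has a doubled word ("needs to be in in distributed") and does not name the upstream submission. Fix the typo and add https://github.com/flatpak/flatpak/pull/6622 (already given in the changelog) to the comment, so whoever drops the patch later can check its status from the spec file alone.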
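
Review bot: in the flatpak.spec hunk at "@@ -164,7 +166,7 @@", the new condition "%if 0%{?suse_version} >= 1699" no longer matches any suse_version from 1601 to 1698, which includes the 1610 named in the changelog entry (jsc#PED-15828), so "Supplements: flatpak" is no longer emitted for those values. If that is the intent, state it in the changelog entry or in a spec comment; "Update suse_version macro for 1610" does not say whether 1610 is meant to gain or lose the Supplements.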
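
Review bot: in the _service hunk, <param name="revision">1.16.6</param> pins the source fetch to a tag name rather than a commit, and the tarball diff itself is skipped in this mail (38798 lines). The commit the tag resolved to is recorded only in the flatpak.obsinfo hunk (commit: e761a8885453c217a931281092a641ebbdd0a0c6), so compare that value against the upstream 1.16.6 tag during review, since this update carries the sandbox-escape fixes and the tarball content is not otherwise visible here.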
