Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package otpclient for openSUSE:Factory checked in at 2026-05-13 21:00:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otpclient (Old)
 and /work/SRC/openSUSE:Factory/.otpclient.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "otpclient" Wed May 13 21:00:10 2026 rev:46 rq:1353044 version:5.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/otpclient/otpclient.changes 2026-04-23 17:13:41.135078643 +0200 +++ /work/SRC/openSUSE:Factory/.otpclient.new.1966/otpclient.changes 2026-05-13 21:00:11.559254814 +0200 
@@ -1,0 +2,111 @@ +Wed May 13 08:18:33 UTC 2026 - Paolo Stivanin <[email protected]> + +- Update to 5.0.1: + * QR import (file picker and webcam) no longer duplicates pre- + existing tokens (#435). Root cause: data_to_add was not cleared + after update_db, so subsequent imports re-merged the entire + list. + * Set Group / Remove from Group / New Group act on the right + token when a group filter or column sort is active (#437). + * Token actions — delete, edit, show QR, move to database, HOTP + increment — act on the right token when a filter or column sort + is active. Same root cause as #437: bare selection position was + used as a JSON index, ignoring the filter+sort offset. + * Clicking a database row in the sidebar now actually loads that + database (#436). The selection callback was an empty stub left + over from the AdwOverlaySplitView refactor. + * The sidebar now distinguishes the default database (loaded on + startup, marked with a star) from the currently open database + (shown in bold). + * Creating or opening an additional database no longer overrides + which one loads on startup — that's now controlled exclusively + by right-click → Set as Primary. Previously, every new or + opened database silently became the default. + * Set as Primary now persists across restarts. The startup + sidebar repopulation was clobbering the saved choice with + whichever database happened to be added to the list first. + +------------------------------------------------------------------- +Fri May 8 12:23:26 UTC 2026 - Paolo Stivanin <[email protected]> + +- Update to 5.0.0: + First stable release of the GTK4 / libadwaita rewrite, with + multi-database support, token grouping, an opt-in trigger + keyword for the desktop search provider, and a sweeping + crypto and import-path hardening pass. Existing v2 databases + unlock and migrate automatically. + + Features + * Complete GUI rewrite on GTK4 + libadwaita. 
+ * Persistent multi-database support with sidebar and + right-click "Move to..." between databases. + * Token grouping with header-bar dropdown and "group:" / + "#" search prefix; groups round-trip through Aegis, + AuthPro and 2FAS. + * Cross-database search with auto-select-and-copy on a + single result. + * Hidden-by-default OTPs with click-to-reveal and + auto-hide. + * Async unlock with KDF spinner. + * Search-provider trigger keyword (default "otp"); + KRunner subtitle no longer leaks live codes; activation + copies the OTP. + * Settings -> Backup is the unified entry point for + native (encrypted) backup and restore; format-specific + export becomes migration-only with a plaintext warning. + * Settings import/export, Welcome and What's New + dialogs, KDF presets, paste-to-fill otpauth:// URI, + backup-age banner, lock-time clipboard wipe. + * Scriptable CLI output (--output=table|json|csv), + translated CLI strings, --list-databases, HOTP counter + in CSV, bash/zsh/fish completions. + * Native StatusNotifierItem tray + (libayatana-appindicator dependency removed). + + Security + * Argon2id header validation refuses out-of-bounds + parameters on unlock. + * KDF byte-length fix: gcry_kdf_* was passed character + count instead of byte count, weakening keys for + non-ASCII passwords; transparent retry plus + opportunistic re-encryption on the next write. + * O_NOFOLLOW + fstat S_ISREG on every importer and + database read site, closing the symlink-swap TOCTOU + window. + * 0600 mode on backup files; PR_SET_DUMPABLE=0 + + RLIMIT_CORE=0 to suppress core dumps. + * AEAD validation tightened across decrypt paths; 2FAS + no longer accepts plaintext on tag mismatch. + * Search provider refuses every D-Bus method when the + keyword is empty (closes arbitrary local enumeration + of accounts). + * otpauth:// URI capped at 4 KB, HOTP counter capped at + 2^48, PNG QR capped at 4096x4096, settings import + capped at 1 MiB. 
+ * Signal-safe clipboard wipe on SIGINT/SIGTERM/SIGHUP; + CLI --password-file refuses group/world-readable + files; secret service disabled by default. + * HOTP counter increment is transactional (rolled back + if save fails). + + Fixes + * NULL-deref crashes across Aegis, AuthPro, 2FAS, + FreeOTP+ and otpauth importers on malformed input. + * Use-after-free in async secret lookup; double-free of + filter_model in window dispose; DBus assertion on + exit. + * Notification spam during store rebuilds and search-bar + close. + * Window size and group dropdown restored across + sessions; schema and icon cache updated on install. + + Performance + * KDF-derived key cache, lazy cross-DB OTP, deferred + HOTP writes, pre-folded labels in search provider. + + Breaking + * GTK 4.18+ and libadwaita 1.5+ required; configuration + migrated to GSettings (GKeyFile not migrated + automatically). + +------------------------------------------------------------------- Old: ---- v4.5.0.tar.gz v4.5.0.tar.gz.asc New: ---- v5.0.1.tar.gz v5.0.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ otpclient.spec ++++++ --- /var/tmp/diff_new_pack.RbWchZ/_old 2026-05-13 21:00:14.263366307 +0200 +++ /var/tmp/diff_new_pack.RbWchZ/_new 2026-05-13 21:00:14.275366802 +0200 @@ -18,7 +18,7 @@ %define uclname OTPClient Name: otpclient -Version: 4.5.0 +Version: 5.0.1 Release: 0 Summary: Simple GTK+ client for managing TOTP and HOTP License: GPL-3.0-or-later 
@@ -30,65 +30,142 @@ BuildRequires: cmake BuildRequires: gcc BuildRequires: gcc-c++ -BuildRequires: libayatana-appindicator3-devel -BuildRequires: libcotp-devel >= 4.0.0 +BuildRequires: pkgconfig +BuildRequires: pkgconfig(glib-2.0) >= 2.68 +BuildRequires: pkgconfig(gtk4) >= 4.10.0 BuildRequires: libgcrypt-devel >= 1.10.1 -BuildRequires: libjansson-devel >= 2.12.0 -BuildRequires: libpng16-devel >= 1.6.30 -BuildRequires: libprotobuf-c-devel >= 1.3.0 -BuildRequires: libsecret-devel >= 0.20 +BuildRequires: libcotp-devel >= 4.0.0 BuildRequires: libuuid-devel >= 2.34.0 -BuildRequires: libzbar-devel >= 0.20.0 -BuildRequires: pkgconfig +BuildRequires: libsecret-devel >= 0.20 BuildRequires: protobuf-devel >= 3.6.0 BuildRequires: qrencode-devel >= 4.0.2 -BuildRequires: pkgconfig(glib-2.0) >= 2.68 -BuildRequires: pkgconfig(gtk+-3.0) >= 3.24 +BuildRequires: libadwaita-devel >= 1.5.0 +BuildRequires: libprotobuf-c-devel >= 1.3.0 +BuildRequires: libpng16-devel >= 1.6.30 +BuildRequires: libzbar-devel >= 0.20.0 +BuildRequires: libjansson-devel >= 2.12.0 %description Highly secure and easy to use GTK+ software for two-factor authentication that supports both Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). +%package bash-completion +Summary: Bash completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: bash-completion +Supplements: (%{name} and bash-completion) +BuildArch: noarch + +%description bash-completion +Bash command line completion support for %{name}. + +%package zsh-completion +Summary: Zsh completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: zsh +Supplements: (%{name} and zsh) +BuildArch: noarch + +%description zsh-completion +Zsh command line completion support for %{name}. 
+ +%package fish-completion +Summary: Fish completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: fish +Supplements: (%{name} and fish) +BuildArch: noarch + +%description fish-completion +Fish command line completion support for %{name}. + +%package gnome-search-provider +Summary: GNOME Shell search provider for %{name} +Group: Productivity/Security +Requires: %{name} = %{version} +Requires: gnome-shell +Supplements: (%{name} and gnome-shell) +BuildArch: noarch + +%description gnome-search-provider +GNOME Shell search provider integration for %{name}, allowing OTP +codes to be looked up directly from the Activities overview. + +%package krunner +Summary: KRunner plugin for %{name} +Group: Productivity/Security +Requires: %{name} = %{version} +Requires: kf6-krunner +Supplements: (%{name} and kf6-krunner) +BuildArch: noarch + +%description krunner +KRunner integration for %{name}, allowing OTP codes to be looked up +directly from KRunner. + %prep %autosetup -p1 -n %{uclname}-%{version} %build %cmake \ -DCMAKE_INSTALL_PREFIX=%{_prefix} \ + -DBUILD_GUI=ON \ + -DBUILD_CLI=ON \ -DENABLE_MINIMIZE_TO_TRAY=ON %cmake_build %install %cmake_install +# Drop generated caches owned by glib2-tools / hicolor-icon-theme; +# they are regenerated by file triggers on install. 
+rm -f %{buildroot}%{_datadir}/glib-2.0/schemas/gschemas.compiled +rm -f %{buildroot}%{_datadir}/icons/hicolor/icon-theme.cache %files +%license LICENSE +%doc README.md %dir %{_datadir}/%{name} %{_bindir}/%{name} %{_bindir}/%{name}-cli %{_bindir}/otpclient-search-provider -%{_datadir}/%{name}/otpclient.ui -%{_datadir}/%{name}/add_popover.ui -%{_datadir}/%{name}/settings_popover.ui -%{_datadir}/%{name}/shortcuts.ui -%{_datadir}/%{name}/security_settings.ui %{_datadir}/applications/com.github.paolostivanin.%{uclname}.desktop %{_datadir}/metainfo/com.github.paolostivanin.%{uclname}.appdata.xml -%{_mandir}/man1/otpclient-cli.1.gz -%{_mandir}/man1/otpclient.1.gz +%{_mandir}/man1/otpclient-cli.1%{?ext_man} +%{_mandir}/man1/otpclient.1%{?ext_man} %{_datadir}/icons/hicolor/scalable/apps/com.github.paolostivanin.OTPClient-symbolic.svg %{_datadir}/icons/hicolor/scalable/apps/com.github.paolostivanin.OTPClient.svg +%{_datadir}/glib-2.0/schemas/com.github.paolostivanin.OTPClient.gschema.xml +%{_datadir}/otpclient/window.ui + +%files bash-completion +%{_datadir}/bash-completion/completions/otpclient-cli + +%files zsh-completion +%{_datadir}/zsh/site-functions/_otpclient-cli + +%files fish-completion +%dir %{_datadir}/fish +%dir %{_datadir}/fish/vendor_completions.d +%{_datadir}/fish/vendor_completions.d/otpclient-cli.fish + +%files gnome-search-provider %dir %{_datadir}/gnome-shell %dir %{_datadir}/gnome-shell/search-providers +%{_datadir}/dbus-1/services/com.github.paolostivanin.OTPClient.SearchProvider.service +%{_datadir}/gnome-shell/search-providers/com.github.paolostivanin.OTPClient.SearchProvider.ini + +%files krunner %dir %{_datadir}/krunner %dir %{_datadir}/krunner/dbusplugins %{_datadir}/dbus-1/services/com.github.paolostivanin.OTPClient.KRunner.service -%{_datadir}/dbus-1/services/com.github.paolostivanin.OTPClient.SearchProvider.service -%{_datadir}/gnome-shell/search-providers/com.github.paolostivanin.OTPClient.SearchProvider.ini 
%{_datadir}/krunner/dbusplugins/com.github.paolostivanin.OTPClient.KRunner.desktop ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.RbWchZ/_old 2026-05-13 21:00:14.603380326 +0200 +++ /var/tmp/diff_new_pack.RbWchZ/_new 2026-05-13 21:00:14.627381316 +0200 @@ -1,5 +1,5 @@ -mtime: 1776869666 -commit: ef53c8887d69f22f7e9817b852da52ae692f250789ff09723f92e44aa68c34b2 +mtime: 1778662114 +commit: bbdd286af85cf7f1df67285cb9144e579c64b7798d63f49ae645111ea1e99e87 url: https://src.opensuse.org/GNOME/otpclient revision: factory ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-13 10:48:34.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ v4.5.0.tar.gz -> v5.0.1.tar.gz ++++++ ++++ 41109 lines of diff (skipped)
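Review bot: In the otpclient.changes hunk, the 5.0.0 Security list describes fixes with real confidentiality impact (the gcry_kdf_* byte-length bug that weakened keys for non-ASCII passwords, 2FAS accepting plaintext on tag mismatch, the search provider answering D-Bus methods with an empty keyword) but cites no bug tracker or CVE reference. If any of these has a tracker entry, reference it in the corresponding bullet so the fix can be traced in maintenance updates. The entry also says nothing about the packaging changes made to otpclient.spec in this same submission (the five new subpackages, the search-provider and KRunner files moving out of the main package, the dropped libayatana-appindicator3-devel BuildRequires); add a short bullet for those, since file ownership changes for anyone upgrading from 4.5.0.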
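Review bot: In the first otpclient.spec hunk (@@ -18,7 +18,7 @@), the unchanged Summary line still reads "Simple GTK+ client for managing TOTP and HOTP" although the changelog describes 5.0.0 as the GTK4 / libadwaita rewrite. Update the Summary to match the toolkit now in use, and apply the same correction to the "GTK+ software" wording that survives in %description.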
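Review bot: In the second otpclient.spec hunk (@@ -30,65 +30,142 @@), the added line "BuildRequires: pkgconfig(gtk4) >= 4.10.0" contradicts the changelog's Breaking section, which states "GTK 4.18+ and libadwaita 1.5+ required"; raise the constraint to 4.18 or correct the changelog so the two agree. Two further points in the same hunk: the gnome-search-provider and krunner subpackages carry "Supplements: (%{name} and gnome-shell)" and "Supplements: (%{name} and kf6-krunner)", so the D-Bus lookup of OTP accounts is installed automatically on those desktops, which is worth a deliberate decision given that the changelog presents the search provider's trigger keyword as a hardening measure. Also confirm that -DENABLE_MINIMIZE_TO_TRAY=ON is still a recognised option now that libayatana-appindicator3-devel is removed and the tray is described as a native StatusNotifierItem.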
