Package: release.debian.org Severity: normal Tags: trixie security X-Debbugs-Cc: [email protected] Control: affects -1 + src:errands User: [email protected] Usertags: pu
ABOUT MY ROLE: I'm not a member of the GNOME Team and don't have uploading rights for this package. In spite of that I've offered to prepare this upload because I am closely involved with the issue. I assume the GNOME Team members are busy but will sign off on the package when you give the go-ahead. Errands is a new-ish task manager and to-do list application that was first included in Trixie. It's not from the GNOME Project but is part of the GNOME Circle ecosystem and is designed to work well there. This is the current upstream release imported from unstable/testing as-is because its changes from the current Trixie version are minimal. (This is because the upstream folks have been busy working on a rewrite, switching from Python to C, and not had any other showstoppers in this Python version.) [ Reason ] Back in August 2025 a person filed https://github.com/mrvladus/Errands/issues/401 "Is there a reason TLS certificate verification is disabled by default?" which accurately summarizes the situation. CalDAV is a flavor of HTTP used to access calendar servers which can also store non-event-related task lists and notes on the server. Typically HTTP Basic authentication is used to access a CalDAV server using a username and password. If the GNOME Online Accounts subsystem already has CalDAV account credentials stored for a user, Errands can discover those automagically, or else credentials can be given in Errands directly. HTTP Basic authentication sends passwords "in the clear" from HTTP's point of view, relying solely on TLS to maintain confidentiality of both credentials and user data. Errands doesn't implement CalDAV itself but uses the third-party python3-caldav library to do this. For reasons the author can't quite remember (as a debugging aid with a test server?), Errands has been passing an 'ssl_verify_cert=False' parameter into the python3-caldav routines to access these remote servers. This means TLS certificates are always accepted as valid even without inspection, so security of CalDAV is compromised here, and the user is not notified that Errands continues to function without confidentiality protection. At my request, the upstream author promptly released 46.2.10 with this explicitly-passed parameter removed. Now python3-caldav is free to check the certificate. Moritz from the Debian Security Team arranged for CVE-2025-71063 to be assigned to this issue but agreed in https://bugs.debian.org/1123738#37 that this isn't urgent and doesn't need a formal security upload ("no-DSA"). [ Impact ] Confidentiality of task and calendar data for users is no longer protected by TLS; any attacker that can tamper with the traffic between the client and the server, or redirect a user to a malicious phony server (for example, by forging DNS answers for a client on a non-trustworthy LAN), can see task and calendar data. Unlike most groupware, the user base and use case that Errands serves makes it probable that very personal information (such as "notes to self") will be exchanged. As TLS is also relied upon to securely perform username and password authentication via HTTP Basic, credential theft can also be a problem. Those same credentials are often used to access assorted services of a webmail provider. Errands often runs in the background or starts when a user logs into a session, in which case these risks are exposed without user interaction. Errands caters to mobile devices especially, so roaming to a public wireless LAN can greatly increase these hazards with "captive portal" technology. [ Changes ] Development of this Python version of Errands slowed a while ago to the most important fixes. The current version in Trixie is 46.2.8 and I am proposing to upload 46.2.10 from unstable/Forky as-is, because the circumstances are favorable on this occasion. The difference between these revisions is totally and completely described by these four changes: • translation updates which make the vast majority (about 80%) of the code difference • removal of the ssl_verify_cert=False parameter in Errands, letting python3-caldav use its sane default of performing TLS checks • a fix for a toolbar widget issue that I am not familiar with but which works okay applied https://github.com/mrvladus/Errands/commit/529550d36e31a3a5619cf40c8938be8865eb0b8d • changes to unused Flatpak-building metadata that does not concern Debian nor the conventional build system, but which hints at using a newer (to them) version of libadwaita which is satisfied in Trixie anyway • typo corrections [ Tests ] I have manually tested that this version of Errands works without any meaningful difference, except the appearance of the toolbar may be subtly different to correspond to the change there. Errands authenticates to my CalDAV server (provided by posteo.de) with no reconfiguration necessary. I have not functionally verified that Errands now rejects CalDAV servers with bogus TLS certificates, but with the removal of the ssl_verify_cert=False flag, this job is handed off to the python3-caldav library which should require a TLS certificate then. (The author's report that ssl_verify_cert=False did indeed make Errands more permissive of what it would connect to, strongly suggests the default is not so excessively permissive.) Automatic tests would be nice, but as new development on this Python version of Errands is mostly stopped, as-installed (autopkgtest-style) tests would most likely be welcome upstream but should go to the C rewrite. [ Risks ] There is a chance that a server could be rejected with TLS validation performed when it would appear to work prior, but this would most likely be a major configuration. In particular the author of Errands doesn't recall why validation was disabled originally but one can expect it was probably for use in a testbed that hadn't exposed problems to other clients before. This is much less likely if a user put their credentials in GNOME Online Accounts, as that suite would've checked TLS correctly when the account was first set up. This TLS validation has not been reported to be a problem for anyone and it's unlikely to. Other GNOME applications (including the GNOME Circle ecosystem, the Dino XMPP client in particular) prescribe in their human interface guidelines that users shouldn't be asked difficult trust questions like what browsers have been known for ("Continue to insecure site", etc.), and the lack of an override would likely be considered a feature, not a bug. Of course trust management via ca-certificates and friends is the right way to solve that issue system-wide. This TLS change is expected to go unnoticed even in the most esoteric setups; a NEWS entry would not be appropriate. The toolbar change is mainly aesthetic and part of making an adaptive user interface to work on workstations and mobile devices alike, to add proper spacing around the widgets. That code change looks trivial but I don't know much about Python, GNOME, or libadwaita to really say. Nevertheless it is sound and works correctly, almost surely the same or better than before. [ Checklist ] ☑ *all* changes are documented in the d/changelog ☑ I reviewed all changes and I approve them ◦ This should be understood bearing in mind that I won't be uploading this on my own but only after a GNOME team member gives the final say. ☑ attach debdiff against the package in (old)stable ◦ Changes to translation files matching '*.po' are omitted, as they would otherwise be about 80% of the lines. Links to get the full source package are below. ☑ the issue is verified as fixed in unstable [ Other info ] A totally complete debdiff is at https://salsa.debian.org/gnome-team/errands/-/merge_requests/1.diff The translations really are massive, but the debdiff with "--exclude '*.po'" is attached. The Git history there includes all of the upstream commits; the Salsa web interface may be helpful. Source and binary packages signed by me are also at https://johnscott.me/errands/ such as https://johnscott.me/errands/errands_46.2.10-1~deb13u1.dsc Thanks
diffstat for errands-46.2.8 errands-46.2.10
.gitignore | 2
README.md | 2
build-aux/python3-caldav.json | 75 +++++++++++-------------
build-aux/regenerate-translations.sh | 2
build-aux/requirements.txt | 27 ++++----
build-aux/run.sh | 51 ----------------
build-aux/update_python_deps.sh | 2
data/io.github.mrvladus.List.metainfo.xml.in.in | 11 +++
debian/changelog | 26 ++++++++
debian/control | 6 -
debian/gbp.conf | 2
debian/upstream/metadata | 1
debian/watch | 5 -
errands/lib/sync/providers/caldav.py | 5 -
errands/widgets/shared/task_toolbar/toolbar.py | 9 +-
io.github.mrvladus.List.Devel.json | 38 ++++++------
meson.build | 2
po/LINGUAS | 1
po/errands.pot | 16 -----
19 files changed, 125 insertions(+), 158 deletions(-)
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/python3-caldav.json errands-46.2.10/build-aux/python3-caldav.json
--- errands-46.2.8/build-aux/python3-caldav.json 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/python3-caldav.json 2025-12-22 06:40:17.000000000 -0500
@@ -2,93 +2,92 @@
"name": "python3-caldav",
"buildsystem": "simple",
"build-commands": [
- "pip3 install --verbose --exists-action=i --no-index --ignore-installed --find-links=\"file://${PWD}\" --prefix=${FLATPAK_DEST} --no-build-isolation caldav certifi charset-normalizer icalendar idna lxml python-dateutil pytz recurring-ical-events requests six tzlocal urllib3 vobject x-wr-timezone"
+ "pip3 install --verbose --exists-action=i --no-index --find-links=\"file://${PWD}\" --prefix=${FLATPAK_DEST} --no-build-isolation caldav certifi charset-normalizer click icalendar idna lxml python-dateutil recurring-ical-events requests six tzdata urllib3 x-wr-timezone"
],
"sources": [
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/77/86/c8fff55bd0ab9410cca9dbfa92e91ebcf3cc1a7266e33888364e7aaa1222/caldav-1.4.0-py3-none-any.whl";,
- "sha256": "e75e84824092e33a9e03ac693de3d01133a3e044fd50a1c542c7f78d1aff0cb2"
+ "url": "https://files.pythonhosted.org/packages/c9/fd/dc7e9760ba647eb619267ece751d1a9220fd79743d3bbc654a61f9151182/caldav-2.0.1-py2.py3-none-any.whl";,
+ "sha256": "86ef0e308ce75745e04805aaede76b3c182b91b5d1a6862ed53dcf48dc56538b"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ba/06/a07f096c664aeb9f01624f858c3add0a4e913d6c96257acb4fce61e7de14/certifi-2024.2.2-py3-none-any.whl";,
- "sha256": "dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1"
+ "url": "https://files.pythonhosted.org/packages/e4/37/af0d2ef3967ac0d6113837b44a4f0bfe1328c2b9763bd5b1744520e5cfed/certifi-2025.10.5-py3-none-any.whl";,
+ "sha256": "0f212c2744a9bb6de0c56639a6f68afe01ecd92d91f14ae897c4fe7bbeeef0de"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/99/b0/9c365f6d79a9f0f3c379ddb40a256a67aa69c59609608fe7feb6235896e1/charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl";,
- "sha256": "8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"
+ "url": "https://files.pythonhosted.org/packages/71/11/98a04c3c97dd34e49c7d247083af03645ca3730809a5509443f3c37f7c99/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl";,
+ "sha256": "41d1fc408ff5fdfb910200ec0e74abc40387bccb3252f3f27c0676731df2b2c8",
+ "only-arches": ["aarch64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ee/fb/14d30eb4956408ee3ae09ad34299131fb383c47df355ddb428a7331cfa1e/charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl";,
- "sha256": "90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"
+ "url": "https://files.pythonhosted.org/packages/7e/95/42aa2156235cbc8fa61208aded06ef46111c4d3f0de233107b3f38631803/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl";,
+ "sha256": "416175faf02e4b0810f1f38bcb54682878a4af94059a1cd63b8747244420801f",
+ "only-arches": ["x86_64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/fb/89/badc6427111cffabb6a462bf447cfff5e9e4c856527ddc030c11020b6cc5/icalendar-5.0.12-py3-none-any.whl";,
- "sha256": "d873bb859df9c6d0e597b16d247436e0f83f7ac1b90a06429b8393fe8afeba40"
+ "url": "https://files.pythonhosted.org/packages/db/d3/9dcc0f5797f070ec8edf30fbadfb200e71d9db6b84d211e3b2085a7589a0/click-8.3.0-py3-none-any.whl";,
+ "sha256": "9b9f285302c6e3064f4330c05f05b81945b2a39544279343e6e7c5f27a9baddc"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/e5/3e/741d8c82801c347547f8a2a06aa57dbb1992be9e948df2ea0eda2c8b79e8/idna-3.7-py3-none-any.whl";,
- "sha256": "82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0"
+ "url": "https://files.pythonhosted.org/packages/6c/25/b5fc00e85d2dfaf5c806ac8b5f1de072fa11630c5b15b4ae5bbc228abd51/icalendar-6.3.1-py3-none-any.whl";,
+ "sha256": "7ea1d1b212df685353f74cdc6ec9646bf42fa557d1746ea645ce8779fdfbecdd"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/d0/f1/3a0bd5064c764966e5d1dd0e75048960a7f38c833422ff5e10c8f4ad8363/lxml-5.2.1-cp312-cp312-manylinux_2_28_aarch64.whl";,
- "sha256": "f9737bf36262046213a28e789cc82d82c6ef19c85a0cf05e75c670a33342ac2c"
+ "url": "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl";,
+ "sha256": "946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ac/9b/f97fac2e2bacbc91d1a15f24e3bdbb52e418591109393144a943bd502d2c/lxml-5.2.1-cp312-cp312-manylinux_2_28_x86_64.whl";,
- "sha256": "f0a1bc63a465b6d72569a9bba9f2ef0334c4e03958e043da1920299100bc7c08"
+ "url": "https://files.pythonhosted.org/packages/81/76/99de58d81fa702cc0ea7edae4f4640416c2062813a00ff24bd70ac1d9c9b/lxml-6.0.2-cp313-cp313-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl";,
+ "sha256": "eb2a12d704f180a902d7fa778c6d71f36ceb7b0d317f34cdc76a5d05aa1dd1df",
+ "only-arches": ["aarch64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl";,
- "sha256": "a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
+ "url": "https://files.pythonhosted.org/packages/d0/34/9e591954939276bb679b73773836c6684c22e56d05980e31d52a9a8deb18/lxml-6.0.2-cp313-cp313-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl";,
+ "sha256": "ef9266d2aa545d7374938fb5c484531ef5a2ec7f2d573e62f8ce722c735685fd",
+ "only-arches": ["x86_64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/9c/3d/a121f284241f08268b21359bd425f7d4825cffc5ac5cd0e1b3d82ffd2b10/pytz-2024.1-py2.py3-none-any.whl";,
- "sha256": "328171f4e3623139da4983451950b28e95ac706e13f3f2630a879749e7a8b319"
- },
- {
- "type": "file",
- "url": "https://files.pythonhosted.org/packages/8a/3c/c1e8d2fb47dfb091d2552ca8bee98aefa7593db3bc713a2d40826547f6ef/recurring_ical_events-2.2.1-py3-none-any.whl";,
- "sha256": "9e8e0390e7cfe2e7425690e6b858eed635bf7560b44cb52260cd3466fec9cec5"
+ "url": "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl";,
+ "sha256": "a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl";,
- "sha256": "58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"
+ "url": "https://files.pythonhosted.org/packages/36/25/88a4218cccae06ce6b15e41d2f263dd4a73e8e8cbe41537cd7784a17479b/recurring_ical_events-3.8.0-py3-none-any.whl";,
+ "sha256": "cf958eb17c92d4dca5c621e44c2b3fffd4ba700dca0db66287c5dc11438f63ba"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/d9/5a/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11/six-1.16.0-py2.py3-none-any.whl";,
- "sha256": "8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
+ "url": "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl";,
+ "sha256": "2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/97/3f/c4c51c55ff8487f2e6d0e618dba917e3c3ee2caae6cf0fbb59c9b1876f2e/tzlocal-5.2-py3-none-any.whl";,
- "sha256": "49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"
+ "url": "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl";,
+ "sha256": "4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/a2/73/a68704750a7679d0b6d3ad7aa8d4da8e14e151ae82e6fee774e6e0d05ec8/urllib3-2.2.1-py3-none-any.whl";,
- "sha256": "450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d"
+ "url": "https://files.pythonhosted.org/packages/5c/23/c7abc0ca0a1526a0774eca151daeb8de62ec457e77262b66b359c3c7679e/tzdata-2025.2-py2.py3-none-any.whl";,
+ "sha256": "1a403fada01ff9221ca8044d701868fa132215d84beb92242d9acd2147f667a8"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/a2/f2/ea094c009f962bd2fda9851bd54cd32b20721c9228842df2eefc1122aa40/vobject-0.9.7-py2.py3-none-any.whl";,
- "sha256": "67ebec81ee39fc60b7355ce077f850d5f13d99d08b110fa1abcfdbb516205e20"
+ "url": "https://files.pythonhosted.org/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl";,
+ "sha256": "e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/9d/c6/53227e391c641b891e173b0454f137a21cb969dd58b5171e487e4da7e87e/x_wr_timezone-0.0.7-py3-none-any.whl";,
- "sha256": "0b5e16f677c8f51ce41087a0b3d4f786c5fdcf78af4f8a75d4d960107dcb6d3a"
+ "url": "https://files.pythonhosted.org/packages/0f/b7/4bac35b4079b76c07d8faddf89467e9891b1610cfe8d03b0ebb5610e4423/x_wr_timezone-2.0.1-py3-none-any.whl";,
+ "sha256": "e74a53b9f4f7def8138455c240e65e47c224778bce3c024fcd6da2cbe91ca038"
}
]
}
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/regenerate-translations.sh errands-46.2.10/build-aux/regenerate-translations.sh
--- errands-46.2.8/build-aux/regenerate-translations.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/regenerate-translations.sh 2025-12-22 06:40:17.000000000 -0500
@@ -1,5 +1,5 @@
#!/usr/bin/bash
-flatpak run --filesystem=home org.gnome.Sdk//47 <<EOF
+flatpak run --filesystem=home org.gnome.Sdk//49 <<EOF
echo -e "\n\033[32;1m---------- UPDATING TRANSLATIONS ----------\033[0m\n"
meson setup _build
cd _build
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/requirements.txt errands-46.2.10/build-aux/requirements.txt
--- errands-46.2.8/build-aux/requirements.txt 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/requirements.txt 2025-12-22 06:40:17.000000000 -0500
@@ -1,15 +1,14 @@
-caldav==1.4.0
-certifi==2024.2.2
-charset-normalizer==3.3.2
-icalendar==5.0.12
-idna==3.7
-lxml==5.2.1
+caldav==2.0.1
+certifi==2025.10.5
+charset-normalizer==3.4.3
+click==8.3.0
+icalendar==6.3.1
+idna==3.10
+lxml==6.0.2
python-dateutil==2.9.0.post0
-pytz==2024.1
-recurring-ical-events==2.2.1
-requests==2.31.0
-six==1.16.0
-tzlocal==5.2
-urllib3==2.2.1
-vobject==0.9.7
-x-wr-timezone==0.0.7
+recurring-ical-events==3.8.0
+requests==2.32.5
+six==1.17.0
+tzdata==2025.2
+urllib3==2.5.0
+x-wr-timezone==2.0.1
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/run.sh errands-46.2.10/build-aux/run.sh
--- errands-46.2.8/build-aux/run.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/run.sh 1969-12-31 19:00:00.000000000 -0500
@@ -1,51 +0,0 @@
-#!/usr/bin/bash
-
-SDK_VER=47
-APP_ID=io.github.mrvladus.List.Devel
-BIN_NAME=errands
-CWD=$(pwd)
-REPO_DIR=$CWD/.flatpak/repo
-FLATPAK_BUILDER_DIR=$CWD/.flatpak/flatpak-builder
-MANIFEST_JSON=$CWD/io.github.mrvladus.List.Devel.json
-
-
-build() {
- echo "====== INIT REPO ======"
- flatpak build-init $REPO_DIR $APP_ID org.gnome.Sdk org.gnome.Platform $SDK_VER
-
- echo "====== BUILD 1 ======"
- flatpak run org.flatpak.Builder --ccache --force-clean --disable-updates --build-only --state-dir=$FLATPAK_BUILDER_DIR --stop-at=$BIN_NAME $REPO_DIR $MANIFEST_JSON --disable-rofiles-fuse
-
- echo "====== BUILD 2 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR meson --prefix /app _build -Dprofile=development
-}
-
-run() {
- echo "====== RUN 1 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR ninja -C _build
-
- echo "====== RUN 2 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR meson install -C _build
-
- echo "====== RUN 3 ======"
- flatpak build --with-appdir --allow=devel --bind-mount=/run/user/$UID/doc=/run/user/$UID/doc/by-app/$APP_ID --device=dri --socket=wayland --socket=fallback-x11 --share=ipc --share=network --talk-name=org.freedesktop.secrets --talk-name=org.gnome.OnlineAccounts --talk-name=org.freedesktop.portal.* --talk-name=org.a11y.Bus --bind-mount=/run/flatpak/at-spi-bus=/run/user/$UID/at-spi/bus --env=AT_SPI_BUS_ADDRESS=unix:path=/run/flatpak/at-spi-bus --env=DESKTOP_SESSION=$DESKTOP_SESSION --env=LANG=$LANG --env=WAYLAND_DISPLAY=wayland-0 --env=XDG_CURRENT_DESKTOP=$XDG_CURRENT_DESKTOP --env=XDG_SESSION_DESKTOP=$XDG_SESSION_DESKTOP --env=XDG_SESSION_TYPE=$XDG_SESSION_TYPE --bind-mount=/run/host/fonts=/usr/share/fonts --bind-mount=/run/host/fonts-cache=/usr/lib/fontconfig/cache --filesystem=$HOME/.local/share/fonts:ro --filesystem=$HOME/.cache/fontconfig:ro --bind-mount=/run/host/user-fonts-cache=$HOME/.cache/fontconfig --bind-mount=/run/host/font-dirs.xml=$HOME/.cache/font-dirs.xml $REPO_DIR $BIN_NAME
-}
-
-rebuild() {
- echo "====== RE-BUILDING ======"
- rm -rf .flatpak _build
- build
- run
-}
-
-# Check if the first argument is "rebuild"
-if [ "$1" = "rebuild" ]; then
- rebuild
-else
- if [ -d "$REPO_DIR" ]; then
- run
- else
- build
- run
- fi
-fi
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/update_python_deps.sh errands-46.2.10/build-aux/update_python_deps.sh
--- errands-46.2.8/build-aux/update_python_deps.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/update_python_deps.sh 2025-12-22 06:40:17.000000000 -0500
@@ -1,3 +1,3 @@
#!/usr/bin/bash
-./req2flatpak.py --requirements-file requirements.txt --target-platforms '312-x86_64' '312-aarch64' > manifest.json
+./req2flatpak.py --requirements-file requirements.txt --target-platforms '313-x86_64' '313-aarch64' > python3-caldav.json
diff -Nru --exclude '*.po' errands-46.2.8/data/io.github.mrvladus.List.metainfo.xml.in.in errands-46.2.10/data/io.github.mrvladus.List.metainfo.xml.in.in
--- errands-46.2.8/data/io.github.mrvladus.List.metainfo.xml.in.in 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/data/io.github.mrvladus.List.metainfo.xml.in.in 2025-12-22 06:40:17.000000000 -0500
@@ -57,6 +57,17 @@
</requires>
<releases>
+ <release version="46.2.10" date="2025-12-22">
+ <description translate="no">
+ <p>Enable SSL certificate verification</p>
+ <p>Update translations</p>
+ </description>
+ </release>
+ <release version="46.2.9" date="2025-10-11">
+ <description translate="no">
+ <p>Update runtime to version 49</p>
+ </description>
+ </release>
<release version="46.2.8" date="2025-03-15">
<description translate="no">
<p>Fix autostart</p>
diff -Nru --exclude '*.po' errands-46.2.8/debian/changelog errands-46.2.10/debian/changelog
--- errands-46.2.8/debian/changelog 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/changelog 2026-01-14 16:55:19.000000000 -0500
@@ -1,3 +1,29 @@
+errands (46.2.10-1~deb13u1) trixie; urgency=medium
+
+ [ John Scott ]
+ * New upstream release for Debian Trixie
+ * Fixes the use of unverified TLS certificates when connecting to CalDAV servers
+ (CVE-2025-71063) (Closes: #1123738)
+
+ -- Debian GNOME Maintainers <[email protected]> Wed, 14 Jan 2026 21:55:19 +0000
+
+errands (46.2.10-1) unstable; urgency=medium
+
+ * Team upload
+ * New upstream release
+ * d/control: Bump S-V to 4.7.3; drop priority: optional
+
+ -- Matthias Geiger <[email protected]> Mon, 29 Dec 2025 13:38:38 +0100
+
+errands (46.2.9-1) unstable; urgency=medium
+
+ * New upstream release
+ * d/watch: Remove debian/watch because it is no longer necessary
+ * d/upstream/metadata: Add Archive: GitHub for uscan
+ * d/control: Fix Lintian report redundant-rules-requires-root-no-field
+
+ -- Leandro Cunha <[email protected]> Tue, 18 Nov 2025 22:51:47 -0300
+
errands (46.2.8-1) unstable; urgency=medium
* New upstream release
diff -Nru --exclude '*.po' errands-46.2.8/debian/control errands-46.2.10/debian/control
--- errands-46.2.8/debian/control 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/control 2026-01-05 13:21:49.000000000 -0500
@@ -1,6 +1,5 @@
Source: errands
Section: gnome
-Priority: optional
Maintainer: Debian GNOME Maintainers <[email protected]>
Uploaders: Jeremy BÃcha <[email protected]>, Leandro Cunha <[email protected]>
Build-Depends:
@@ -18,11 +17,10 @@
libxml2-utils,
meson,
python-gi-dev
-Standards-Version: 4.7.2
-Rules-Requires-Root: no
+Standards-Version: 4.7.3
Homepage: https://apps.gnome.org/List/
Vcs-Browser: https://salsa.debian.org/gnome-team/errands
-Vcs-Git: https://salsa.debian.org/gnome-team/errands.git
+Vcs-Git: https://salsa.debian.org/gnome-team/errands.git -b debian/trixie
Package: errands
Architecture: all
diff -Nru --exclude '*.po' errands-46.2.8/debian/gbp.conf errands-46.2.10/debian/gbp.conf
--- errands-46.2.8/debian/gbp.conf 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/gbp.conf 2026-01-05 13:19:27.000000000 -0500
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/latest
+debian-branch = debian/trixie
upstream-branch = upstream/latest
[buildpackage]
diff -Nru --exclude '*.po' errands-46.2.8/debian/upstream/metadata errands-46.2.10/debian/upstream/metadata
--- errands-46.2.8/debian/upstream/metadata 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/upstream/metadata 2026-01-05 13:14:43.000000000 -0500
@@ -1,4 +1,5 @@
---
+Archive: GitHub
Bug-Database: https://github.com/mrvladus/Errands/issues
Bug-Submit: https://github.com/mrvladus/Errands/issues/new
Repository-Browse: https://github.com/mrvladus/Errands
diff -Nru --exclude '*.po' errands-46.2.8/debian/watch errands-46.2.10/debian/watch
--- errands-46.2.8/debian/watch 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/watch 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-version=4
-opts="searchmode=plain,\
-filenamemangle=s%@ANY_VERSION@%$1.tar.gz%" \
-https://api.github.com/repos/mrvladus/@PACKAGE@/releases?per_page=50 \
-https://api.github.com/repos/[^/]+/[^/]+/tarball/@ANY_VERSION@
diff -Nru --exclude '*.po' errands-46.2.8/errands/lib/sync/providers/caldav.py errands-46.2.10/errands/lib/sync/providers/caldav.py
--- errands-46.2.8/errands/lib/sync/providers/caldav.py 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/errands/lib/sync/providers/caldav.py 2025-12-22 06:40:17.000000000 -0500
@@ -1,14 +1,14 @@
# Copyright 2023-2024 Vlad Krupinskii <[email protected]>
# SPDX-License-Identifier: MIT
-from copy import deepcopy
import datetime
import time
+from copy import deepcopy
from dataclasses import asdict, dataclass, field
from typing import Any
-import urllib3
import caldav
+import urllib3
from caldav import Calendar, DAVClient, Principal, Todo
from caldav.elements import dav, ical
@@ -86,7 +86,6 @@
url=self.url,
username=self.username,
password=self.password,
- ssl_verify_cert=False,
) as client:
try:
self.principal: Principal = client.principal()
diff -Nru --exclude '*.po' errands-46.2.8/errands/widgets/shared/task_toolbar/toolbar.py errands-46.2.10/errands/widgets/shared/task_toolbar/toolbar.py
--- errands-46.2.8/errands/widgets/shared/task_toolbar/toolbar.py 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/errands/widgets/shared/task_toolbar/toolbar.py 2025-12-22 06:40:17.000000000 -0500
@@ -23,18 +23,17 @@
from errands.widgets.task import Task
-class ErrandsTaskToolbar(Gtk.FlowBox):
+class ErrandsTaskToolbar(Adw.WrapBox):
def __init__(self, task: Task) -> None:
super().__init__()
self.task: Task = task
self.__build_ui()
def __build_ui(self) -> None:
- self.set_margin_bottom(2)
+ self.set_margin_bottom(6)
self.set_margin_start(9)
self.set_margin_end(9)
- self.set_max_children_per_line(2)
- self.set_selection_mode(Gtk.SelectionMode.NONE)
+ self.set_line_spacing(6)
# Date and Time button
self.date_time_btn: ErrandsButton = ErrandsButton(
@@ -259,7 +258,7 @@
elif priority == 9:
self.priority_btn.add_css_class("accent")
self.priority_btn.set_icon_name(
- f"errands-priority{'-set' if priority>0 else ''}-symbolic"
+ f"errands-priority{'-set' if priority > 0 else ''}-symbolic"
)
# Update attachments button css
diff -Nru --exclude '*.po' errands-46.2.8/.gitignore errands-46.2.10/.gitignore
--- errands-46.2.8/.gitignore 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/.gitignore 2025-12-22 06:40:17.000000000 -0500
@@ -7,3 +7,5 @@
.ruff_cache/
*.flatpak
.idea/
+pug
+build/
diff -Nru --exclude '*.po' errands-46.2.8/io.github.mrvladus.List.Devel.json errands-46.2.10/io.github.mrvladus.List.Devel.json
--- errands-46.2.8/io.github.mrvladus.List.Devel.json 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/io.github.mrvladus.List.Devel.json 2025-12-22 06:40:17.000000000 -0500
@@ -1,7 +1,7 @@
{
"id": "io.github.mrvladus.List.Devel",
"runtime": "org.gnome.Platform",
- "runtime-version": "47",
+ "runtime-version": "49",
"sdk": "org.gnome.Sdk",
"command": "errands",
"finish-args": [
@@ -28,6 +28,23 @@
],
"modules": [
{
+ "name": "libportal",
+ "buildsystem": "meson",
+ "config-opts": [
+ "-Dbackend-gtk4=enabled",
+ "-Dvapi=false",
+ "-Ddocs=false",
+ "-Dtests=false"
+ ],
+ "sources": [
+ {
+ "type": "git",
+ "url": "https://github.com/flatpak/libportal.git";,
+ "tag": "0.9.1"
+ }
+ ]
+ },
+ {
"name": "gnome-online-accounts",
"buildsystem": "meson",
"config-opts": [
@@ -37,7 +54,6 @@
"-Dimap_smtp=false",
"-Dwebdav=false",
"-Dkerberos=false",
- "-Dwindows_live=false",
"-Dms_graph=false",
"-Dvapi=false"
],
@@ -49,23 +65,7 @@
}
]
},
- {
- "name": "libportal",
- "buildsystem": "meson",
- "config-opts": [
- "-Dbackend-gtk4=enabled",
- "-Dvapi=false",
- "-Ddocs=false",
- "-Dtests=false"
- ],
- "sources": [
- {
- "type": "git",
- "url": "https://github.com/flatpak/libportal.git";,
- "tag": "0.7.1"
- }
- ]
- },
+
"build-aux/python3-caldav.json",
{
"name": "errands",
diff -Nru --exclude '*.po' errands-46.2.8/meson.build errands-46.2.10/meson.build
--- errands-46.2.8/meson.build 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/meson.build 2025-12-22 06:40:17.000000000 -0500
@@ -1,6 +1,6 @@
project(
'errands',
- version: '46.2.8',
+ version: '46.2.10',
meson_version: '>= 0.62.0',
)
diff -Nru --exclude '*.po' errands-46.2.8/po/errands.pot errands-46.2.10/po/errands.pot
--- errands-46.2.8/po/errands.pot 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/po/errands.pot 2025-12-22 06:40:17.000000000 -0500
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: errands\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-10 12:25+0300\n"
+"POT-Creation-Date: 2025-05-16 13:01+0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <[email protected]>\n"
@@ -577,19 +577,7 @@
msgid "Task is Due"
msgstr ""
-#: errands/application.py:78
-msgid "Errands was updated"
-msgstr ""
-
-#: errands/application.py:79
-msgid "Restart is required"
-msgstr ""
-
-#: errands/application.py:82
-msgid "Restart"
-msgstr ""
-
-#: errands/application.py:111
+#: errands/application.py:41
msgid "Errands need to run in the background for notifications"
msgstr ""
diff -Nru --exclude '*.po' errands-46.2.8/po/LINGUAS errands-46.2.10/po/LINGUAS
--- errands-46.2.8/po/LINGUAS 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/po/LINGUAS 2025-12-22 06:40:17.000000000 -0500
@@ -14,6 +14,7 @@
hu
it
ja
+ko
nb
nl
oc
diff -Nru --exclude '*.po' errands-46.2.8/README.md errands-46.2.10/README.md
--- errands-46.2.8/README.md 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/README.md 2025-12-22 06:40:17.000000000 -0500
@@ -35,7 +35,7 @@
<a href="https://flathub.org/apps/details/io.github.mrvladus.List";><img alt='Download on Flathub' src='https://flathub.org/api/badge?svg&locale=en'/></a>
-It's the **only** supported verion.
+It's the **only** supported version.
### Build flatpak using GNOME Builder
1. Install [GNOME Builder](https://flathub.org/apps/org.gnome.Builder).
signature.asc
Description: This is a digitally signed message part
