--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:errands
User: [email protected]
Usertags: pu
ABOUT MY ROLE: I'm not a member of the GNOME Team and don't have uploading
rights for this package. In spite of that I've offered to prepare this upload
because I am closely involved with the issue. I assume the GNOME Team members
are busy but will sign off on the package when you give the go-ahead.
Errands is a new-ish task manager and to-do list application that was first
included in Trixie. It's not from the GNOME Project but is part of the GNOME
Circle ecosystem and is designed to work well there. This is the current
upstream release imported from unstable/testing as-is because its changes from
the current Trixie version are minimal. (This is because the upstream folks
have been busy working on a rewrite, switching from Python to C, and not had
any other showstoppers in this Python version.)
[ Reason ]
Back in August 2025 a person filed
https://github.com/mrvladus/Errands/issues/401 "Is there a reason TLS
certificate verification is disabled by default?" which accurately summarizes
the situation. CalDAV is a flavor of HTTP used to access calendar servers which
can also store non-event-related task lists and notes on the server. Typically
HTTP Basic authentication is used to access a CalDAV server using a username
and password. If the GNOME Online Accounts subsystem already has CalDAV account
credentials stored for a user, Errands can discover those automagically, or
else credentials can be given in Errands directly. HTTP Basic authentication
sends passwords "in the clear" from HTTP's point of view, relying solely on TLS
to maintain confidentiality of both credentials and user data.
Errands doesn't implement CalDAV itself but uses the third-party python3-caldav
library to do this. For reasons the author can't quite remember (as a debugging
aid with a test server?), Errands has been passing an 'ssl_verify_cert=False'
parameter into the python3-caldav routines to access these remote servers. This
means TLS certificates are always accepted as valid even without inspection, so
security of CalDAV is compromised here, and the user is not notified that
Errands continues to function without confidentiality protection. At my
request, the upstream author promptly released 46.2.10 with this
explicitly-passed parameter removed. Now python3-caldav is free to check the
certificate. Moritz from the Debian Security Team arranged for CVE-2025-71063
to be assigned to this issue but agreed in https://bugs.debian.org/1123738#37
that this isn't urgent and doesn't need a formal security upload ("no-DSA").
[ Impact ]
Confidentiality of task and calendar data for users is no longer protected by
TLS; any attacker that can tamper with the traffic between the client and the
server, or redirect a user to a malicious phony server (for example, by forging
DNS answers for a client on a non-trustworthy LAN), can see task and calendar
data. Unlike most groupware, the user base and use case that Errands serves
makes it probable that very personal information (such as "notes to self") will
be exchanged. As TLS is also relied upon to securely perform username and
password authentication via HTTP Basic, credential theft can also be a problem.
Those same credentials are often used to access assorted services of a webmail
provider.
Errands often runs in the background or starts when a user logs into a session,
in which case these risks are exposed without user interaction. Errands caters
to mobile devices especially, so roaming to a public wireless LAN can greatly
increase these hazards with "captive portal" technology.
[ Changes ]
Development of this Python version of Errands slowed a while ago to the most
important fixes. The current version in Trixie is 46.2.8 and I am proposing to
upload 46.2.10 from unstable/Forky as-is, because the circumstances are
favorable on this occasion. The difference between these revisions is totally
and completely described by these four changes:
• translation updates which make the vast majority (about 80%) of the code
difference
• removal of the ssl_verify_cert=False parameter in Errands, letting
python3-caldav use its sane default of performing TLS checks
• a fix for a toolbar widget issue that I am not familiar with but which works
okay applied
https://github.com/mrvladus/Errands/commit/529550d36e31a3a5619cf40c8938be8865eb0b8d
• changes to unused Flatpak-building metadata that does not concern Debian nor
the conventional build system, but which hints at using a newer (to them)
version of libadwaita which is satisfied in Trixie anyway
• typo corrections
[ Tests ]
I have manually tested that this version of Errands works without any
meaningful difference, except the appearance of the toolbar may be subtly
different to correspond to the change there. Errands authenticates to my CalDAV
server (provided by posteo.de) with no reconfiguration necessary. I have not
functionally verified that Errands now rejects CalDAV servers with bogus TLS
certificates, but with the removal of the ssl_verify_cert=False flag, this job
is handed off to the python3-caldav library which should require a TLS
certificate then. (The author's report that ssl_verify_cert=False did indeed
make Errands more permissive of what it would connect to, strongly suggests the
default is not so excessively permissive.)
Automatic tests would be nice, but as new development on this Python version of
Errands is mostly stopped, as-installed (autopkgtest-style) tests would most
likely be welcome upstream but should go to the C rewrite.
[ Risks ]
There is a chance that a server could be rejected with TLS validation performed
when it would appear to work prior, but this would most likely be a major
configuration. In particular the author of Errands doesn't recall why
validation was disabled originally but one can expect it was probably for use
in a testbed that hadn't exposed problems to other clients before. This is much
less likely if a user put their credentials in GNOME Online Accounts, as that
suite would've checked TLS correctly when the account was first set up.
This TLS validation has not been reported to be a problem for anyone and it's
unlikely to. Other GNOME applications (including the GNOME Circle ecosystem,
the Dino XMPP client in particular) prescribe in their human interface
guidelines that users shouldn't be asked difficult trust questions like what
browsers have been known for ("Continue to insecure site", etc.), and the lack
of an override would likely be considered a feature, not a bug. Of course trust
management via ca-certificates and friends is the right way to solve that issue
system-wide.
This TLS change is expected to go unnoticed even in the most esoteric setups; a
NEWS entry would not be appropriate.
The toolbar change is mainly aesthetic and part of making an adaptive user
interface to work on workstations and mobile devices alike, to add proper
spacing around the widgets. That code change looks trivial but I don't know
much about Python, GNOME, or libadwaita to really say. Nevertheless it is sound
and works correctly, almost surely the same or better than before.
[ Checklist ]
☑ *all* changes are documented in the d/changelog
☑ I reviewed all changes and I approve them
◦ This should be understood bearing in mind that I won't be uploading
this on my own but only after a GNOME team member gives the final say.
☑ attach debdiff against the package in (old)stable
◦ Changes to translation files matching '*.po' are omitted, as they
would otherwise be about 80% of the lines. Links to get the full source package
are below.
☑ the issue is verified as fixed in unstable
[ Other info ]
A totally complete debdiff is at
https://salsa.debian.org/gnome-team/errands/-/merge_requests/1.diff The
translations really are massive, but the debdiff with "--exclude '*.po'" is
attached. The Git history there includes all of the upstream commits; the Salsa
web interface may be helpful.
Source and binary packages signed by me are also at
https://johnscott.me/errands/ such as
https://johnscott.me/errands/errands_46.2.10-1~deb13u1.dsc
Thanks
diffstat for errands-46.2.8 errands-46.2.10
.gitignore | 2
README.md | 2
build-aux/python3-caldav.json | 75 +++++++++++-------------
build-aux/regenerate-translations.sh | 2
build-aux/requirements.txt | 27 ++++----
build-aux/run.sh | 51 ----------------
build-aux/update_python_deps.sh | 2
data/io.github.mrvladus.List.metainfo.xml.in.in | 11 +++
debian/changelog | 26 ++++++++
debian/control | 6 -
debian/gbp.conf | 2
debian/upstream/metadata | 1
debian/watch | 5 -
errands/lib/sync/providers/caldav.py | 5 -
errands/widgets/shared/task_toolbar/toolbar.py | 9 +-
io.github.mrvladus.List.Devel.json | 38 ++++++------
meson.build | 2
po/LINGUAS | 1
po/errands.pot | 16 -----
19 files changed, 125 insertions(+), 158 deletions(-)
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/python3-caldav.json errands-46.2.10/build-aux/python3-caldav.json
--- errands-46.2.8/build-aux/python3-caldav.json 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/python3-caldav.json 2025-12-22 06:40:17.000000000 -0500
@@ -2,93 +2,92 @@
"name": "python3-caldav",
"buildsystem": "simple",
"build-commands": [
- "pip3 install --verbose --exists-action=i --no-index --ignore-installed --find-links=\"file://${PWD}\" --prefix=${FLATPAK_DEST} --no-build-isolation caldav certifi charset-normalizer icalendar idna lxml python-dateutil pytz recurring-ical-events requests six tzlocal urllib3 vobject x-wr-timezone"
+ "pip3 install --verbose --exists-action=i --no-index --find-links=\"file://${PWD}\" --prefix=${FLATPAK_DEST} --no-build-isolation caldav certifi charset-normalizer click icalendar idna lxml python-dateutil recurring-ical-events requests six tzdata urllib3 x-wr-timezone"
],
"sources": [
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/77/86/c8fff55bd0ab9410cca9dbfa92e91ebcf3cc1a7266e33888364e7aaa1222/caldav-1.4.0-py3-none-any.whl";,
- "sha256": "e75e84824092e33a9e03ac693de3d01133a3e044fd50a1c542c7f78d1aff0cb2"
+ "url": "https://files.pythonhosted.org/packages/c9/fd/dc7e9760ba647eb619267ece751d1a9220fd79743d3bbc654a61f9151182/caldav-2.0.1-py2.py3-none-any.whl";,
+ "sha256": "86ef0e308ce75745e04805aaede76b3c182b91b5d1a6862ed53dcf48dc56538b"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ba/06/a07f096c664aeb9f01624f858c3add0a4e913d6c96257acb4fce61e7de14/certifi-2024.2.2-py3-none-any.whl";,
- "sha256": "dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1"
+ "url": "https://files.pythonhosted.org/packages/e4/37/af0d2ef3967ac0d6113837b44a4f0bfe1328c2b9763bd5b1744520e5cfed/certifi-2025.10.5-py3-none-any.whl";,
+ "sha256": "0f212c2744a9bb6de0c56639a6f68afe01ecd92d91f14ae897c4fe7bbeeef0de"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/99/b0/9c365f6d79a9f0f3c379ddb40a256a67aa69c59609608fe7feb6235896e1/charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl";,
- "sha256": "8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"
+ "url": "https://files.pythonhosted.org/packages/71/11/98a04c3c97dd34e49c7d247083af03645ca3730809a5509443f3c37f7c99/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl";,
+ "sha256": "41d1fc408ff5fdfb910200ec0e74abc40387bccb3252f3f27c0676731df2b2c8",
+ "only-arches": ["aarch64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ee/fb/14d30eb4956408ee3ae09ad34299131fb383c47df355ddb428a7331cfa1e/charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl";,
- "sha256": "90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"
+ "url": "https://files.pythonhosted.org/packages/7e/95/42aa2156235cbc8fa61208aded06ef46111c4d3f0de233107b3f38631803/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl";,
+ "sha256": "416175faf02e4b0810f1f38bcb54682878a4af94059a1cd63b8747244420801f",
+ "only-arches": ["x86_64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/fb/89/badc6427111cffabb6a462bf447cfff5e9e4c856527ddc030c11020b6cc5/icalendar-5.0.12-py3-none-any.whl";,
- "sha256": "d873bb859df9c6d0e597b16d247436e0f83f7ac1b90a06429b8393fe8afeba40"
+ "url": "https://files.pythonhosted.org/packages/db/d3/9dcc0f5797f070ec8edf30fbadfb200e71d9db6b84d211e3b2085a7589a0/click-8.3.0-py3-none-any.whl";,
+ "sha256": "9b9f285302c6e3064f4330c05f05b81945b2a39544279343e6e7c5f27a9baddc"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/e5/3e/741d8c82801c347547f8a2a06aa57dbb1992be9e948df2ea0eda2c8b79e8/idna-3.7-py3-none-any.whl";,
- "sha256": "82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0"
+ "url": "https://files.pythonhosted.org/packages/6c/25/b5fc00e85d2dfaf5c806ac8b5f1de072fa11630c5b15b4ae5bbc228abd51/icalendar-6.3.1-py3-none-any.whl";,
+ "sha256": "7ea1d1b212df685353f74cdc6ec9646bf42fa557d1746ea645ce8779fdfbecdd"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/d0/f1/3a0bd5064c764966e5d1dd0e75048960a7f38c833422ff5e10c8f4ad8363/lxml-5.2.1-cp312-cp312-manylinux_2_28_aarch64.whl";,
- "sha256": "f9737bf36262046213a28e789cc82d82c6ef19c85a0cf05e75c670a33342ac2c"
+ "url": "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl";,
+ "sha256": "946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ac/9b/f97fac2e2bacbc91d1a15f24e3bdbb52e418591109393144a943bd502d2c/lxml-5.2.1-cp312-cp312-manylinux_2_28_x86_64.whl";,
- "sha256": "f0a1bc63a465b6d72569a9bba9f2ef0334c4e03958e043da1920299100bc7c08"
+ "url": "https://files.pythonhosted.org/packages/81/76/99de58d81fa702cc0ea7edae4f4640416c2062813a00ff24bd70ac1d9c9b/lxml-6.0.2-cp313-cp313-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl";,
+ "sha256": "eb2a12d704f180a902d7fa778c6d71f36ceb7b0d317f34cdc76a5d05aa1dd1df",
+ "only-arches": ["aarch64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl";,
- "sha256": "a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
+ "url": "https://files.pythonhosted.org/packages/d0/34/9e591954939276bb679b73773836c6684c22e56d05980e31d52a9a8deb18/lxml-6.0.2-cp313-cp313-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl";,
+ "sha256": "ef9266d2aa545d7374938fb5c484531ef5a2ec7f2d573e62f8ce722c735685fd",
+ "only-arches": ["x86_64"]
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/9c/3d/a121f284241f08268b21359bd425f7d4825cffc5ac5cd0e1b3d82ffd2b10/pytz-2024.1-py2.py3-none-any.whl";,
- "sha256": "328171f4e3623139da4983451950b28e95ac706e13f3f2630a879749e7a8b319"
- },
- {
- "type": "file",
- "url": "https://files.pythonhosted.org/packages/8a/3c/c1e8d2fb47dfb091d2552ca8bee98aefa7593db3bc713a2d40826547f6ef/recurring_ical_events-2.2.1-py3-none-any.whl";,
- "sha256": "9e8e0390e7cfe2e7425690e6b858eed635bf7560b44cb52260cd3466fec9cec5"
+ "url": "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl";,
+ "sha256": "a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl";,
- "sha256": "58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"
+ "url": "https://files.pythonhosted.org/packages/36/25/88a4218cccae06ce6b15e41d2f263dd4a73e8e8cbe41537cd7784a17479b/recurring_ical_events-3.8.0-py3-none-any.whl";,
+ "sha256": "cf958eb17c92d4dca5c621e44c2b3fffd4ba700dca0db66287c5dc11438f63ba"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/d9/5a/e7c31adbe875f2abbb91bd84cf2dc52d792b5a01506781dbcf25c91daf11/six-1.16.0-py2.py3-none-any.whl";,
- "sha256": "8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
+ "url": "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl";,
+ "sha256": "2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/97/3f/c4c51c55ff8487f2e6d0e618dba917e3c3ee2caae6cf0fbb59c9b1876f2e/tzlocal-5.2-py3-none-any.whl";,
- "sha256": "49816ef2fe65ea8ac19d19aa7a1ae0551c834303d5014c6d5a62e4cbda8047b8"
+ "url": "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl";,
+ "sha256": "4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/a2/73/a68704750a7679d0b6d3ad7aa8d4da8e14e151ae82e6fee774e6e0d05ec8/urllib3-2.2.1-py3-none-any.whl";,
- "sha256": "450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d"
+ "url": "https://files.pythonhosted.org/packages/5c/23/c7abc0ca0a1526a0774eca151daeb8de62ec457e77262b66b359c3c7679e/tzdata-2025.2-py2.py3-none-any.whl";,
+ "sha256": "1a403fada01ff9221ca8044d701868fa132215d84beb92242d9acd2147f667a8"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/a2/f2/ea094c009f962bd2fda9851bd54cd32b20721c9228842df2eefc1122aa40/vobject-0.9.7-py2.py3-none-any.whl";,
- "sha256": "67ebec81ee39fc60b7355ce077f850d5f13d99d08b110fa1abcfdbb516205e20"
+ "url": "https://files.pythonhosted.org/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl";,
+ "sha256": "e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc"
},
{
"type": "file",
- "url": "https://files.pythonhosted.org/packages/9d/c6/53227e391c641b891e173b0454f137a21cb969dd58b5171e487e4da7e87e/x_wr_timezone-0.0.7-py3-none-any.whl";,
- "sha256": "0b5e16f677c8f51ce41087a0b3d4f786c5fdcf78af4f8a75d4d960107dcb6d3a"
+ "url": "https://files.pythonhosted.org/packages/0f/b7/4bac35b4079b76c07d8faddf89467e9891b1610cfe8d03b0ebb5610e4423/x_wr_timezone-2.0.1-py3-none-any.whl";,
+ "sha256": "e74a53b9f4f7def8138455c240e65e47c224778bce3c024fcd6da2cbe91ca038"
}
]
}
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/regenerate-translations.sh errands-46.2.10/build-aux/regenerate-translations.sh
--- errands-46.2.8/build-aux/regenerate-translations.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/regenerate-translations.sh 2025-12-22 06:40:17.000000000 -0500
@@ -1,5 +1,5 @@
#!/usr/bin/bash
-flatpak run --filesystem=home org.gnome.Sdk//47 <<EOF
+flatpak run --filesystem=home org.gnome.Sdk//49 <<EOF
echo -e "\n\033[32;1m---------- UPDATING TRANSLATIONS ----------\033[0m\n"
meson setup _build
cd _build
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/requirements.txt errands-46.2.10/build-aux/requirements.txt
--- errands-46.2.8/build-aux/requirements.txt 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/requirements.txt 2025-12-22 06:40:17.000000000 -0500
@@ -1,15 +1,14 @@
-caldav==1.4.0
-certifi==2024.2.2
-charset-normalizer==3.3.2
-icalendar==5.0.12
-idna==3.7
-lxml==5.2.1
+caldav==2.0.1
+certifi==2025.10.5
+charset-normalizer==3.4.3
+click==8.3.0
+icalendar==6.3.1
+idna==3.10
+lxml==6.0.2
python-dateutil==2.9.0.post0
-pytz==2024.1
-recurring-ical-events==2.2.1
-requests==2.31.0
-six==1.16.0
-tzlocal==5.2
-urllib3==2.2.1
-vobject==0.9.7
-x-wr-timezone==0.0.7
+recurring-ical-events==3.8.0
+requests==2.32.5
+six==1.17.0
+tzdata==2025.2
+urllib3==2.5.0
+x-wr-timezone==2.0.1
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/run.sh errands-46.2.10/build-aux/run.sh
--- errands-46.2.8/build-aux/run.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/run.sh 1969-12-31 19:00:00.000000000 -0500
@@ -1,51 +0,0 @@
-#!/usr/bin/bash
-
-SDK_VER=47
-APP_ID=io.github.mrvladus.List.Devel
-BIN_NAME=errands
-CWD=$(pwd)
-REPO_DIR=$CWD/.flatpak/repo
-FLATPAK_BUILDER_DIR=$CWD/.flatpak/flatpak-builder
-MANIFEST_JSON=$CWD/io.github.mrvladus.List.Devel.json
-
-
-build() {
- echo "====== INIT REPO ======"
- flatpak build-init $REPO_DIR $APP_ID org.gnome.Sdk org.gnome.Platform $SDK_VER
-
- echo "====== BUILD 1 ======"
- flatpak run org.flatpak.Builder --ccache --force-clean --disable-updates --build-only --state-dir=$FLATPAK_BUILDER_DIR --stop-at=$BIN_NAME $REPO_DIR $MANIFEST_JSON --disable-rofiles-fuse
-
- echo "====== BUILD 2 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR meson --prefix /app _build -Dprofile=development
-}
-
-run() {
- echo "====== RUN 1 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR ninja -C _build
-
- echo "====== RUN 2 ======"
- flatpak build --share=network --filesystem=$CWD --filesystem=$REPO_DIR --env=PATH=$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/app/bin:/usr/bin --env=LD_LIBRARY_PATH=/app/lib --env=PKG_CONFIG_PATH=/app/lib/pkgconfig:/app/share/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig --filesystem=$CWD/_build $REPO_DIR meson install -C _build
-
- echo "====== RUN 3 ======"
- flatpak build --with-appdir --allow=devel --bind-mount=/run/user/$UID/doc=/run/user/$UID/doc/by-app/$APP_ID --device=dri --socket=wayland --socket=fallback-x11 --share=ipc --share=network --talk-name=org.freedesktop.secrets --talk-name=org.gnome.OnlineAccounts --talk-name=org.freedesktop.portal.* --talk-name=org.a11y.Bus --bind-mount=/run/flatpak/at-spi-bus=/run/user/$UID/at-spi/bus --env=AT_SPI_BUS_ADDRESS=unix:path=/run/flatpak/at-spi-bus --env=DESKTOP_SESSION=$DESKTOP_SESSION --env=LANG=$LANG --env=WAYLAND_DISPLAY=wayland-0 --env=XDG_CURRENT_DESKTOP=$XDG_CURRENT_DESKTOP --env=XDG_SESSION_DESKTOP=$XDG_SESSION_DESKTOP --env=XDG_SESSION_TYPE=$XDG_SESSION_TYPE --bind-mount=/run/host/fonts=/usr/share/fonts --bind-mount=/run/host/fonts-cache=/usr/lib/fontconfig/cache --filesystem=$HOME/.local/share/fonts:ro --filesystem=$HOME/.cache/fontconfig:ro --bind-mount=/run/host/user-fonts-cache=$HOME/.cache/fontconfig --bind-mount=/run/host/font-dirs.xml=$HOME/.cache/font-dirs.xml $REPO_DIR $BIN_NAME
-}
-
-rebuild() {
- echo "====== RE-BUILDING ======"
- rm -rf .flatpak _build
- build
- run
-}
-
-# Check if the first argument is "rebuild"
-if [ "$1" = "rebuild" ]; then
- rebuild
-else
- if [ -d "$REPO_DIR" ]; then
- run
- else
- build
- run
- fi
-fi
diff -Nru --exclude '*.po' errands-46.2.8/build-aux/update_python_deps.sh errands-46.2.10/build-aux/update_python_deps.sh
--- errands-46.2.8/build-aux/update_python_deps.sh 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/build-aux/update_python_deps.sh 2025-12-22 06:40:17.000000000 -0500
@@ -1,3 +1,3 @@
#!/usr/bin/bash
-./req2flatpak.py --requirements-file requirements.txt --target-platforms '312-x86_64' '312-aarch64' > manifest.json
+./req2flatpak.py --requirements-file requirements.txt --target-platforms '313-x86_64' '313-aarch64' > python3-caldav.json
diff -Nru --exclude '*.po' errands-46.2.8/data/io.github.mrvladus.List.metainfo.xml.in.in errands-46.2.10/data/io.github.mrvladus.List.metainfo.xml.in.in
--- errands-46.2.8/data/io.github.mrvladus.List.metainfo.xml.in.in 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/data/io.github.mrvladus.List.metainfo.xml.in.in 2025-12-22 06:40:17.000000000 -0500
@@ -57,6 +57,17 @@
</requires>
<releases>
+ <release version="46.2.10" date="2025-12-22">
+ <description translate="no">
+ <p>Enable SSL certificate verification</p>
+ <p>Update translations</p>
+ </description>
+ </release>
+ <release version="46.2.9" date="2025-10-11">
+ <description translate="no">
+ <p>Update runtime to version 49</p>
+ </description>
+ </release>
<release version="46.2.8" date="2025-03-15">
<description translate="no">
<p>Fix autostart</p>
diff -Nru --exclude '*.po' errands-46.2.8/debian/changelog errands-46.2.10/debian/changelog
--- errands-46.2.8/debian/changelog 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/changelog 2026-01-14 16:55:19.000000000 -0500
@@ -1,3 +1,29 @@
+errands (46.2.10-1~deb13u1) trixie; urgency=medium
+
+ [ John Scott ]
+ * New upstream release for Debian Trixie
+ * Fixes the use of unverified TLS certificates when connecting to CalDAV servers
+ (CVE-2025-71063) (Closes: #1123738)
+
+ -- Debian GNOME Maintainers <[email protected]> Wed, 14 Jan 2026 21:55:19 +0000
+
+errands (46.2.10-1) unstable; urgency=medium
+
+ * Team upload
+ * New upstream release
+ * d/control: Bump S-V to 4.7.3; drop priority: optional
+
+ -- Matthias Geiger <[email protected]> Mon, 29 Dec 2025 13:38:38 +0100
+
+errands (46.2.9-1) unstable; urgency=medium
+
+ * New upstream release
+ * d/watch: Remove debian/watch because it is no longer necessary
+ * d/upstream/metadata: Add Archive: GitHub for uscan
+ * d/control: Fix Lintian report redundant-rules-requires-root-no-field
+
+ -- Leandro Cunha <[email protected]> Tue, 18 Nov 2025 22:51:47 -0300
+
errands (46.2.8-1) unstable; urgency=medium
* New upstream release
diff -Nru --exclude '*.po' errands-46.2.8/debian/control errands-46.2.10/debian/control
--- errands-46.2.8/debian/control 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/control 2026-01-05 13:21:49.000000000 -0500
@@ -1,6 +1,5 @@
Source: errands
Section: gnome
-Priority: optional
Maintainer: Debian GNOME Maintainers <[email protected]>
Uploaders: Jeremy BÃcha <[email protected]>, Leandro Cunha <[email protected]>
Build-Depends:
@@ -18,11 +17,10 @@
libxml2-utils,
meson,
python-gi-dev
-Standards-Version: 4.7.2
-Rules-Requires-Root: no
+Standards-Version: 4.7.3
Homepage: https://apps.gnome.org/List/
Vcs-Browser: https://salsa.debian.org/gnome-team/errands
-Vcs-Git: https://salsa.debian.org/gnome-team/errands.git
+Vcs-Git: https://salsa.debian.org/gnome-team/errands.git -b debian/trixie
Package: errands
Architecture: all
diff -Nru --exclude '*.po' errands-46.2.8/debian/gbp.conf errands-46.2.10/debian/gbp.conf
--- errands-46.2.8/debian/gbp.conf 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/gbp.conf 2026-01-05 13:19:27.000000000 -0500
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/latest
+debian-branch = debian/trixie
upstream-branch = upstream/latest
[buildpackage]
diff -Nru --exclude '*.po' errands-46.2.8/debian/upstream/metadata errands-46.2.10/debian/upstream/metadata
--- errands-46.2.8/debian/upstream/metadata 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/upstream/metadata 2026-01-05 13:14:43.000000000 -0500
@@ -1,4 +1,5 @@
---
+Archive: GitHub
Bug-Database: https://github.com/mrvladus/Errands/issues
Bug-Submit: https://github.com/mrvladus/Errands/issues/new
Repository-Browse: https://github.com/mrvladus/Errands
diff -Nru --exclude '*.po' errands-46.2.8/debian/watch errands-46.2.10/debian/watch
--- errands-46.2.8/debian/watch 2025-03-21 00:01:57.000000000 -0400
+++ errands-46.2.10/debian/watch 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-version=4
-opts="searchmode=plain,\
-filenamemangle=s%@ANY_VERSION@%$1.tar.gz%" \
-https://api.github.com/repos/mrvladus/@PACKAGE@/releases?per_page=50 \
-https://api.github.com/repos/[^/]+/[^/]+/tarball/@ANY_VERSION@
diff -Nru --exclude '*.po' errands-46.2.8/errands/lib/sync/providers/caldav.py errands-46.2.10/errands/lib/sync/providers/caldav.py
--- errands-46.2.8/errands/lib/sync/providers/caldav.py 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/errands/lib/sync/providers/caldav.py 2025-12-22 06:40:17.000000000 -0500
@@ -1,14 +1,14 @@
# Copyright 2023-2024 Vlad Krupinskii <[email protected]>
# SPDX-License-Identifier: MIT
-from copy import deepcopy
import datetime
import time
+from copy import deepcopy
from dataclasses import asdict, dataclass, field
from typing import Any
-import urllib3
import caldav
+import urllib3
from caldav import Calendar, DAVClient, Principal, Todo
from caldav.elements import dav, ical
@@ -86,7 +86,6 @@
url=self.url,
username=self.username,
password=self.password,
- ssl_verify_cert=False,
) as client:
try:
self.principal: Principal = client.principal()
diff -Nru --exclude '*.po' errands-46.2.8/errands/widgets/shared/task_toolbar/toolbar.py errands-46.2.10/errands/widgets/shared/task_toolbar/toolbar.py
--- errands-46.2.8/errands/widgets/shared/task_toolbar/toolbar.py 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/errands/widgets/shared/task_toolbar/toolbar.py 2025-12-22 06:40:17.000000000 -0500
@@ -23,18 +23,17 @@
from errands.widgets.task import Task
-class ErrandsTaskToolbar(Gtk.FlowBox):
+class ErrandsTaskToolbar(Adw.WrapBox):
def __init__(self, task: Task) -> None:
super().__init__()
self.task: Task = task
self.__build_ui()
def __build_ui(self) -> None:
- self.set_margin_bottom(2)
+ self.set_margin_bottom(6)
self.set_margin_start(9)
self.set_margin_end(9)
- self.set_max_children_per_line(2)
- self.set_selection_mode(Gtk.SelectionMode.NONE)
+ self.set_line_spacing(6)
# Date and Time button
self.date_time_btn: ErrandsButton = ErrandsButton(
@@ -259,7 +258,7 @@
elif priority == 9:
self.priority_btn.add_css_class("accent")
self.priority_btn.set_icon_name(
- f"errands-priority{'-set' if priority>0 else ''}-symbolic"
+ f"errands-priority{'-set' if priority > 0 else ''}-symbolic"
)
# Update attachments button css
diff -Nru --exclude '*.po' errands-46.2.8/.gitignore errands-46.2.10/.gitignore
--- errands-46.2.8/.gitignore 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/.gitignore 2025-12-22 06:40:17.000000000 -0500
@@ -7,3 +7,5 @@
.ruff_cache/
*.flatpak
.idea/
+pug
+build/
diff -Nru --exclude '*.po' errands-46.2.8/io.github.mrvladus.List.Devel.json errands-46.2.10/io.github.mrvladus.List.Devel.json
--- errands-46.2.8/io.github.mrvladus.List.Devel.json 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/io.github.mrvladus.List.Devel.json 2025-12-22 06:40:17.000000000 -0500
@@ -1,7 +1,7 @@
{
"id": "io.github.mrvladus.List.Devel",
"runtime": "org.gnome.Platform",
- "runtime-version": "47",
+ "runtime-version": "49",
"sdk": "org.gnome.Sdk",
"command": "errands",
"finish-args": [
@@ -28,6 +28,23 @@
],
"modules": [
{
+ "name": "libportal",
+ "buildsystem": "meson",
+ "config-opts": [
+ "-Dbackend-gtk4=enabled",
+ "-Dvapi=false",
+ "-Ddocs=false",
+ "-Dtests=false"
+ ],
+ "sources": [
+ {
+ "type": "git",
+ "url": "https://github.com/flatpak/libportal.git";,
+ "tag": "0.9.1"
+ }
+ ]
+ },
+ {
"name": "gnome-online-accounts",
"buildsystem": "meson",
"config-opts": [
@@ -37,7 +54,6 @@
"-Dimap_smtp=false",
"-Dwebdav=false",
"-Dkerberos=false",
- "-Dwindows_live=false",
"-Dms_graph=false",
"-Dvapi=false"
],
@@ -49,23 +65,7 @@
}
]
},
- {
- "name": "libportal",
- "buildsystem": "meson",
- "config-opts": [
- "-Dbackend-gtk4=enabled",
- "-Dvapi=false",
- "-Ddocs=false",
- "-Dtests=false"
- ],
- "sources": [
- {
- "type": "git",
- "url": "https://github.com/flatpak/libportal.git";,
- "tag": "0.7.1"
- }
- ]
- },
+
"build-aux/python3-caldav.json",
{
"name": "errands",
diff -Nru --exclude '*.po' errands-46.2.8/meson.build errands-46.2.10/meson.build
--- errands-46.2.8/meson.build 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/meson.build 2025-12-22 06:40:17.000000000 -0500
@@ -1,6 +1,6 @@
project(
'errands',
- version: '46.2.8',
+ version: '46.2.10',
meson_version: '>= 0.62.0',
)
diff -Nru --exclude '*.po' errands-46.2.8/po/errands.pot errands-46.2.10/po/errands.pot
--- errands-46.2.8/po/errands.pot 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/po/errands.pot 2025-12-22 06:40:17.000000000 -0500
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: errands\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-10-10 12:25+0300\n"
+"POT-Creation-Date: 2025-05-16 13:01+0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <[email protected]>\n"
@@ -577,19 +577,7 @@
msgid "Task is Due"
msgstr ""
-#: errands/application.py:78
-msgid "Errands was updated"
-msgstr ""
-
-#: errands/application.py:79
-msgid "Restart is required"
-msgstr ""
-
-#: errands/application.py:82
-msgid "Restart"
-msgstr ""
-
-#: errands/application.py:111
+#: errands/application.py:41
msgid "Errands need to run in the background for notifications"
msgstr ""
diff -Nru --exclude '*.po' errands-46.2.8/po/LINGUAS errands-46.2.10/po/LINGUAS
--- errands-46.2.8/po/LINGUAS 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/po/LINGUAS 2025-12-22 06:40:17.000000000 -0500
@@ -14,6 +14,7 @@
hu
it
ja
+ko
nb
nl
oc
diff -Nru --exclude '*.po' errands-46.2.8/README.md errands-46.2.10/README.md
--- errands-46.2.8/README.md 2025-03-15 11:38:33.000000000 -0400
+++ errands-46.2.10/README.md 2025-12-22 06:40:17.000000000 -0500
@@ -35,7 +35,7 @@
<a href="https://flathub.org/apps/details/io.github.mrvladus.List";><img alt='Download on Flathub' src='https://flathub.org/api/badge?svg&locale=en'/></a>
-It's the **only** supported verion.
+It's the **only** supported version.
### Build flatpak using GNOME Builder
1. Install [GNOME Builder](https://flathub.org/apps/org.gnome.Builder).
signature.asc
Description: This is a digitally signed message part
--- End Message ---
