Hello community,

here is the log from the commit of package libostree for openSUSE:Factory checked in at 2017-08-18 14:59:53

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libostree (Old)
 and      /work/SRC/openSUSE:Factory/.libostree.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libostree" Fri Aug 18 14:59:53 2017 rev:3 rq:516875 version:2017.9 Changes: -------- --- /work/SRC/openSUSE:Factory/libostree/libostree.changes 2017-08-10 13:43:47.959535178 +0200 +++ /work/SRC/openSUSE:Factory/.libostree.new/libostree.changes 2017-08-18 14:59:57.071766323 +0200 @@ -1,0 +2,25 @@ +Sun Aug 13 22:08:40 UTC 2017 - [email protected] + +- Update to version 2017.9: + + A notable new feature in this release is that the pull + machinery now interprets two new metadata keys: + ostree.ref-binding and ostree.collection-binding. + This allows closing a longstanding class of "sidegrade" attacks + that Florian Weimer identified when performing a security audit + of libostree years ago (bgo#724873). + There was a more recent discussion on this topic on the list: + https://mail.gnome.org/archives/ostree-list/2017-May/msg00013.html + + For the ostree-as-host case, this only matters if you offer + multiple refs. For flatpak, it's more important as a MITM + attacker could actually switch applications; that's why flatpak + implemented this a while ago as xa.ref. + + I'll note here that it's recommended for content providers to + make use of ostree's support for tls-ca-path to implement TLS + CA pinning, which protects all metadata and content in a strong + fashion; in this scenario the GPG signatures act as a secondary + layer of defense and make offline verification easier (for e.g. + mirroring). + + Otherwise, there's some performance enhancements for local + pulls, and a variety of bugfixes. + +------------------------------------------------------------------- Old: ---- libostree-2017.8.tar.xz New: ---- libostree-2017.9.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libostree.spec ++++++ --- /var/tmp/diff_new_pack.SIJptn/_old 2017-08-18 14:59:58.031631200 +0200 +++ /var/tmp/diff_new_pack.SIJptn/_new 2017-08-18 14:59:58.035630637 +0200 
@@ -17,7 +17,7 @@ Name: libostree -Version: 2017.8 +Version: 2017.9 Release: 0 Summary: Git for operating system binaries License: LGPL-2.0+ ++++++ _service ++++++ --- /var/tmp/diff_new_pack.SIJptn/_old 2017-08-18 14:59:58.071625570 +0200 +++ /var/tmp/diff_new_pack.SIJptn/_new 2017-08-18 14:59:58.071625570 +0200 @@ -2,10 +2,10 @@ <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/ostreedev/ostree.git</param> <param name="scm">git</param> - <param name="versionformat">2017.8</param> + <param name="versionformat">2017.9</param> <param name="filename">libostree</param> <param name="changesgenerate">enable</param> - <param name="revision">refs/tags/v2017.8</param> + <param name="revision">refs/tags/v2017.9</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.SIJptn/_old 2017-08-18 14:59:58.091622755 +0200 +++ /var/tmp/diff_new_pack.SIJptn/_new 2017-08-18 14:59:58.091622755 +0200 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/ostreedev/ostree.git</param> - <param name="changesrevision">5a5e465492aca13937dab7a2df39f25da94e6e36</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">fa3e07e5d716d0ab5477d3f93e7a6d2b1fa56d61</param></service></servicedata> \ No newline at end of file ++++++ libostree-2017.8.tar.xz -> libostree-2017.9.tar.xz ++++++ ++++ 5171 lines of diff (skipped)
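Review bot: the new libostree.changes entry pastes upstream's release announcement verbatim, including first-person remarks ("I'll note here that it's recommended for content providers to make use of ostree's support for tls-ca-path ..."), so in the package changelog that advice reads as the packager's own. Either prefix the block with a line such as "Upstream release notes:" or condense it to the facts a package reviewer needs: the pull machinery now honours the ostree.ref-binding and ostree.collection-binding metadata keys, which closes the "sidegrade" attack class tracked as bgo#724873, plus local-pull performance work and bugfixes. Since this is a security-relevant behaviour change, it is also worth stating explicitly in the entry that no CVE or openSUSE bug reference exists for it, so later audits of the changelog do not have to guess.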
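Review bot: in the _service hunk the tar_scm revision is still a tag name (refs/tags/v2017.9), so a re-run of the service would silently pick up a moved or re-pushed tag; pinning the revision to the commit hash that _servicedata now records as changesrevision (fa3e07e5d716d0ab5477d3f93e7a6d2b1fa56d61) makes the source fetch reproducible and lets a reviewer compare that hash against the upstream v2017.9 tag. Because the 5171-line tarball diff is skipped in this log, the submit request should also say how the tarball content was checked against upstream (for example by verifying the tag at that commit) so the bump from libostree-2017.8.tar.xz to libostree-2017.9.tar.xz can be trusted without re-fetching it.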
