Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Simon McVittie]

On Wed, 14 Feb 2018 at 21:11:01 +, Adam D. Barratt wrote:
> On Sat, 2018-01-13 at 16:53 +, Simon McVittie wrote:
> > On Sat, 13 Jan 2018 at 17:51:04 +0100, Julien Cristau wrote:
> > > On Mon, Dec  4, 2017 at 15:45:40 +, Simon McVittie wrote:
> > > > The upstream maintainer of Flatpak has made a 0.8.8 release
> > > > 
> > > 
> > > Assuming this has been tested on stretch, please go ahead.
> > 
> > Thanks, uploaded.
> 
> (Somewhat belatedly) flagged for acceptance.

Thanks, I'll upload the corresponding version to jessie-backports shortly.

There is another proposed update for Flatpak on #888958, bringing it up
to 0.8.9, the latest version from this branch.

smcv

Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Adam D. Barratt]

Control: tags -1 + pending

On Sat, 2018-01-13 at 16:53 +, Simon McVittie wrote:
> On Sat, 13 Jan 2018 at 17:51:04 +0100, Julien Cristau wrote:
> > On Mon, Dec  4, 2017 at 15:45:40 +, Simon McVittie wrote:
> > > The upstream maintainer of Flatpak has made a 0.8.8 release
> > > 
> > 
> > Assuming this has been tested on stretch, please go ahead.
> 
> Thanks, uploaded.

(Somewhat belatedly) flagged for acceptance.

Regards,

Adam

Processed: Re: Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + pending
Bug #883483 [release.debian.org] stretch-pu: package flatpak/0.8.8-0+deb9u1
Added tag(s) pending.

-- 
883483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Simon McVittie]

On Sat, 13 Jan 2018 at 17:51:04 +0100, Julien Cristau wrote:
> On Mon, Dec  4, 2017 at 15:45:40 +, Simon McVittie wrote:
> > The upstream maintainer of Flatpak has made a 0.8.8 release
> > 
> Assuming this has been tested on stretch, please go ahead.

Thanks, uploaded.

smcv

Processed: Re: Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 confirmed
Bug #883483 [release.debian.org] stretch-pu: package flatpak/0.8.8-0+deb9u1
Added tag(s) confirmed.

-- 
883483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Julien Cristau]

Control: tag -1 confirmed

On Mon, Dec  4, 2017 at 15:45:40 +, Simon McVittie wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> The upstream maintainer of Flatpak has made a 0.8.8 release, which
> collects the patches we apply to 0.8.7 in stretch, together with some
> more fixes backported from the 0.10.x branch. I would like to update
> stretch to this release.
> 
Assuming this has been tested on stretch, please go ahead.

Cheers,
Julien

Bug#883483: stretch-pu: package flatpak/0.8.8-0+deb9u1

[Simon McVittie]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The upstream maintainer of Flatpak has made a 0.8.8 release, which
collects the patches we apply to 0.8.7 in stretch, together with some
more fixes backported from the 0.10.x branch. I would like to update
stretch to this release.

Because we already apply a bunch of patches, the attached diff was made
by unpacking the 0.8.7 and 0.8.8 packages, comparing the two patched
trees, and ignoring the actual patches (together with Autotools noise,
documentation noise and translation updates):

dpkg-source -x flatpak_0.8.7-2~deb9u1.dsc
dpkg-source -x flatpak_0.8.8-0+deb9u1.dsc
diff -Nru flatpak-0.8.7 flatpak-0.8.8 | \
filterdiff -p1 --exclude=.pc/\* --exclude=debian/patches/0.8.8/\* \
--exclude=po/\*.po --exclude=po/\*.pot --exclude=py-compile \
--exclude=INSTALL --exclude=gtk-doc.make --exclude=Makefile.in \
--exclude=doc/reference/Makefile.in --exclude=doc/reference/html/\*.html \
--exclude configure | \
pee diffstat sponge > flatpak_0.8.8-0+deb9u1.diff

Full source debdiff without those filters available here:
https://people.debian.org/~smcv/flatpak_0.8.8-0+deb9u1_full.diff.gz

Annotated changelog below. As usual, please let me know if there is
anything that I should query or get reverted. Debian is the main consumer
of the 0.8.x branch, so if it isn't useful to us, it isn't useful.

Thanks,
smcv



> Add compatibility with ostree ≥ 2017.7 (in Debian, the same
> changes were already in 0.8.7-2)
>
> d/p/0.8.8/: Drop patches that added compatibility with
> ostree ≥ 2017.7, no longer necessary

(debian/patches/series is the only sign of this in the diff)

No practical effect.

> Security: Do not allow legacy eavesdropping on the D-Bus
> session bus (Closes: #880451)

(dbus-proxy/flatpak-proxy.c lines >= 1358)

Sandboxed applications with filtered/proxied access to the D-Bus session
bus could have used this to spy on other applications. Florian Weimer
has indicated that the security team do not consider this DSA-worthy.

> Ensure that LD_LIBRARY_PATH is in the correct order, respecting
> extensions' priorities
> Ensure that extensions are mounted in the correct order even if
> they have differing priorities, fixing Steam

(common/flatpak-run.c, lines < 2500)

Extensions are a way to provide extra "plugins" for an app or runtime.
One of the things they can do is to prepend library directories (for
example the proprietary NVIDIA graphics driver or a newer version of
Mesa) to LD_LIBRARY_PATH, with a concept of priority to determine which
extension "wins". In some cases they were applied in the wrong order,
causing an unintended library to be used.

> Remove PYTHONPATH, PERLLIB, PERL5LIB, XCURSOR_PATH from the
> environment given to sandboxed apps

(common/flatpak-run.c @@ -2894,6 +2936,13 @@)

Host-side search paths are rarely right for the sandboxed app,
because they contain entries that have a different meaning inside the
sandbox. Flatpak now scrubs a few more of these from the environment.

> Give each app a persistent cache directory for fontconfig

(common/flatpak-run.c lines >= 3000)

Apps with different runtimes or options might see different fonts, so
they would do the wrong thing if they shared a cache. We need to write
each app's font cache to a different place.

> Make /usr/share/icons available in the sandbox so that sandboxed
> apps can use the host's icon theme

(common/flatpak-run.c lines >= 3000)

If the user has chosen a non-standard theme that isn't present in the
container runtime, we want their chosen icon style to show up.

> Disable debug-level FUSE logging for the document portal

(document-portal/xdp-fuse.c)

This was presumably left over from debugging some issue. It shouldn't
have been enabled in production unless specifically requested.

> Make the * wildcard at the end of a D-Bus filtering rule match
> zero or more components, so --talk="com.example.Foo.*" behaves
> the same as D-Bus' arg0namespace="com.example.Foo". Previously,
> it would only match exactly one component. This matches a proposed
> design for integrating equivalent filtering into future dbus
> versions.

(dbus-proxy/flatpak-proxy.c lines < 1358)

dbus-daemon already has features that match messages with a particular
subset of bus names, and so did Flatpak's D-Bus proxy, but their
behaviour didn't match. Now they do. This makes the D-Bus proxy slightly
more lenient, but is unlikely to have any significant practical effect.


 NEWS |   18 
 common/flatpak-run.c |   89 +--
 configure.ac |4 -
 dbus-proxy/flatpak-proxy.c   |   60 +++-
 debian/changelog |   30 ++
 debian/patches/series|4 -
 debian/watch |2 
 document-portal/xdp-dbus.c   |2 
 document-portal/xdp-dbus.h   |2 
 document-portal/xdp-fuse.c