Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
The upstream maintainer of Flatpak has made a 0.8.8 release, which
collects the patches we apply to 0.8.7 in stretch, together with some
more fixes backported from the 0.10.x branch. I would like to update
stretch to this release.
Because we already apply a bunch of patches, the attached diff was made
by unpacking the 0.8.7 and 0.8.8 packages, comparing the two patched
trees, and ignoring the actual patches (together with Autotools noise,
documentation noise and translation updates):
    dpkg-source -x flatpak_0.8.7-2~deb9u1.dsc
    dpkg-source -x flatpak_0.8.8-0+deb9u1.dsc
    diff -Nru flatpak-0.8.7 flatpak-0.8.8 | \
        filterdiff -p1 --exclude=.pc/\* --exclude=debian/patches/0.8.8/\* \
            --exclude=po/\*.po --exclude=po/\*.pot --exclude=py-compile \
            --exclude=INSTALL --exclude=gtk-doc.make --exclude=Makefile.in \
            --exclude=doc/reference/Makefile.in --exclude=doc/reference/html/\*.html \
            --exclude configure | \
        pee diffstat sponge > flatpak_0.8.8-0+deb9u1.diff
Full source debdiff without those filters available here:
https://people.debian.org/~smcv/flatpak_0.8.8-0+deb9u1_full.diff.gz
Annotated changelog below. As usual, please let me know if there is
anything that I should query or get reverted. Debian is the main consumer
of the 0.8.x branch, so if it isn't useful to us, it isn't useful.
Thanks,
smcv
> Add compatibility with ostree ≥ 2017.7 (in Debian, the same
> changes were already in 0.8.7-2)
>
> d/p/0.8.8/: Drop patches that added compatibility with
> ostree ≥ 2017.7, no longer necessary
(debian/patches/series is the only sign of this in the diff)
No practical effect.
> Security: Do not allow legacy eavesdropping on the D-Bus
> session bus (Closes: #880451)
(dbus-proxy/flatpak-proxy.c lines >= 1358)
Sandboxed applications with filtered/proxied access to the D-Bus session
bus could have used this to spy on other applications. Florian Weimer
has indicated that the security team do not consider this DSA-worthy.
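For reference, legacy eavesdropping is requested by putting eavesdrop='true' into an AddMatch rule; a filtering proxy can refuse such rules before they reach dbus-daemon. The following is an added illustration of that check, written for this report and not taken from flatpak-proxy.c (the match-rule syntax follows the D-Bus specification; the sample rules are constructed):

```python
"""Detect legacy eavesdropping requests in D-Bus AddMatch rules, so that a
filtering proxy can refuse them. Added example; not Flatpak's own code."""


def parse_match_rule(rule: str) -> dict:
    """Parse a match rule such as "type='signal',eavesdrop='true'" into a dict.

    Values are normally single-quoted; inside quotes a backslash is literal,
    outside quotes it escapes the next character (so an apostrophe inside a
    value is written as 'it'\\''s'), as in the D-Bus specification.
    """
    pairs = {}
    key, value = [], []
    in_key, in_quote, escape = True, False, False
    for ch in rule:
        if in_key:
            if ch == "=":
                in_key = False
            elif ch == ",":
                raise ValueError("key without value")
            else:
                key.append(ch)
            continue
        if escape:
            value.append(ch)
            escape = False
        elif in_quote:
            if ch == "'":
                in_quote = False
            else:
                value.append(ch)
        elif ch == "'":
            in_quote = True
        elif ch == "\\":
            escape = True
        elif ch == ",":
            pairs["".join(key)] = "".join(value)
            key, value, in_key = [], [], True
        else:
            value.append(ch)
    if in_quote or escape:
        raise ValueError("unterminated quote or escape")
    if key:
        if in_key:
            raise ValueError("key without value")
        pairs["".join(key)] = "".join(value)
    return pairs


def requests_legacy_eavesdrop(rule: str) -> bool:
    """True if the rule asks for messages that are not addressed to the caller
    (the deprecated eavesdrop='true' key)."""
    return parse_match_rule(rule).get("eavesdrop", "false").lower() == "true"


def proxy_should_forward_add_match(rule: str) -> bool:
    """Policy for a filtering proxy: forward AddMatch only if the rule parses
    and does not request eavesdropping. Unparseable rules are refused rather
    than passed through, so the proxy never forwards something it did not
    understand."""
    try:
        return not requests_legacy_eavesdrop(rule)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample rules, as a sandboxed app might send them.
    for rule in (
        "type='signal',interface='org.example.Foo'",
        "type='signal',sender='org.freedesktop.DBus',eavesdrop='true'",
        "eavesdrop=true",
    ):
        print("forward" if proxy_should_forward_add_match(rule) else "refuse", rule)
```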
> Ensure that LD_LIBRARY_PATH is in the correct order, respecting
> extensions' priorities
> Ensure that extensions are mounted in the correct order even if
> they have differing priorities, fixing Steam
(common/flatpak-run.c, lines < 2500)
Extensions are a way to provide extra "plugins" for an app or runtime.
One of the things they can do is to prepend library directories (for
example the proprietary NVIDIA graphics driver or a newer version of
Mesa) to LD_LIBRARY_PATH, with a concept of priority to determine which
extension "wins". In some cases they were applied in the wrong order,
causing an unintended library to be used.
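To make the ordering property concrete, here is an added illustration (mine, not Flatpak's code, and not a transcription of the actual bug) of why priority has to be applied explicitly rather than relying on the order in which extensions happen to be listed. It assumes that a higher priority value wins, so its directories belong first in LD_LIBRARY_PATH, and that extensions with equal priority keep their declared order; the extension names and directories are constructed:

```python
"""Order extension library directories by priority for LD_LIBRARY_PATH.
Added example; not Flatpak's own code. Assumption: higher priority wins."""

from collections import namedtuple

Extension = namedtuple("Extension", "name priority libdirs")


def ld_library_path_naive(extensions, base=""):
    """Prepend each extension's directories in declaration order, ignoring
    priority. Whichever extension is listed last ends up first, which is
    the kind of accidental ordering the 0.8.8 fix avoids."""
    path = base
    for ext in extensions:
        path = ":".join(ext.libdirs + ([path] if path else []))
    return path


def ld_library_path_by_priority(extensions, base=""):
    """Highest priority first; the sort is stable, so extensions with equal
    priority keep their declared order. `base` (e.g. the app's own lib dir)
    goes last so every extension can override it."""
    ordered = sorted(extensions, key=lambda e: e.priority, reverse=True)
    dirs = [d for ext in ordered for d in ext.libdirs]
    if base:
        dirs.append(base)
    return ":".join(dirs)


# Constructed sample: a default driver, a higher-priority vendor driver, and
# an unrelated extension declared after both.
SAMPLE = [
    Extension("mesa", 0, ["/usr/lib/GL/mesa/lib"]),
    Extension("nvidia", 1, ["/usr/lib/GL/nvidia/lib"]),
    Extension("debug", 0, ["/usr/lib/debug/lib"]),
]

if __name__ == "__main__":
    print("naive:      ", ld_library_path_naive(SAMPLE, "/app/lib"))
    print("by priority:", ld_library_path_by_priority(SAMPLE, "/app/lib"))
```

The naive variant puts the debug extension's directory ahead of the vendor driver purely because it was declared last; the priority-ordered variant puts the driver with the highest priority first regardless of declaration order.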
> Remove PYTHONPATH, PERLLIB, PERL5LIB, XCURSOR_PATH from the
> environment given to sandboxed apps
(common/flatpak-run.c @@ -2894,6 +2936,13 @@)
Host-side search paths are rarely right for the sandboxed app,
because they contain entries that have a different meaning inside the
sandbox. Flatpak now scrubs a few more of these from the environment.
> Give each app a persistent cache directory for fontconfig
(common/flatpak-run.c lines >= 3000)
Apps with different runtimes or options might see different fonts, so
they would do the wrong thing if they shared a cache. We need to write
each app's font cache to a different place.
> Make /usr/share/icons available in the sandbox so that sandboxed
> apps can use the host's icon theme
(common/flatpak-run.c lines >= 3000)
If the user has chosen a non-standard theme that isn't present in the
container runtime, we want their chosen icon style to show up.
> Disable debug-level FUSE logging for the document portal
(document-portal/xdp-fuse.c)
This was presumably left over from debugging some issue. It shouldn't
have been enabled in production unless specifically requested.
> Make the * wildcard at the end of a D-Bus filtering rule match
> zero or more components, so --talk="com.example.Foo.*" behaves
> the same as D-Bus' arg0namespace="com.example.Foo". Previously,
> it would only match exactly one component. This matches a proposed
> design for integrating equivalent filtering into future dbus
> versions.
(dbus-proxy/flatpak-proxy.c lines < 1358)
dbus-daemon already has features that match messages with a particular
subset of bus names, and so did Flatpak's D-Bus proxy, but their
behaviour didn't match. Now they do. This makes the D-Bus proxy slightly
more lenient, but is unlikely to have any significant practical effect.
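As an added illustration of the two readings of the trailing wildcard (written for this report, not taken from flatpak-proxy.c; the sample names are constructed), the following matcher implements the new "zero or more components" behaviour, which is what dbus-daemon's arg0namespace does, alongside the previous "exactly one component" behaviour so that the difference can be seen on concrete names:

```python
"""Matching bus names against a --talk/--own/--see style rule whose last
component is "*". Added example; not Flatpak's own code."""


def _components_after(name: str, prefix: str):
    """Return the components of `name` that follow "prefix.", or None if the
    name does not start with `prefix` as whole components."""
    if not name.startswith(prefix + "."):
        return None
    rest = name[len(prefix) + 1:].split(".")
    # A bus name never has an empty component, so "com.example.Foo." or
    # "com.example.Foo..Bar" must not match anything.
    if any(c == "" for c in rest):
        return None
    return rest


def name_matches_rule(name: str, rule: str, legacy: bool = False) -> bool:
    """Does bus name `name` match `rule`?

    Without a trailing ".*" the rule is an exact name. With it, the new
    behaviour (legacy=False) accepts the namespace itself and any name
    beneath it, like arg0namespace; legacy=True reproduces the pre-0.8.8
    reading, which required exactly one further component.
    """
    if not rule.endswith(".*"):
        return name == rule
    prefix = rule[:-2]
    rest = _components_after(name, prefix)
    if legacy:
        return rest is not None and len(rest) == 1
    return name == prefix or rest is not None


def names_allowed(rules, candidates, legacy=False):
    """Filter a list of bus names through a list of rules."""
    return [n for n in candidates
            if any(name_matches_rule(n, r, legacy) for r in rules)]


if __name__ == "__main__":
    # Constructed sample names seen on a session bus.
    names = ["com.example.Foo", "com.example.Foo.Bar",
             "com.example.Foo.Bar.Baz", "com.example.Foobar", "org.example.Other"]
    rule = ["com.example.Foo.*"]
    print("legacy:", names_allowed(rule, names, legacy=True))
    print("new:   ", names_allowed(rule, names))
```

The behaviour change is visible in the first sample: "com.example.Foo" and "com.example.Foo.Bar.Baz" are only matched by the new reading, while "com.example.Foobar" is matched by neither, because the wildcard applies to whole dot-separated components, not to string prefixes.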
 NEWS                       | 18
 common/flatpak-run.c       | 89 +--
 configure.ac               |  4 -
 dbus-proxy/flatpak-proxy.c | 60 +++-
 debian/changelog           | 30 ++
 debian/patches/series      |  4 -
 debian/watch               |  2
 document-portal/xdp-dbus.c |  2
 document-portal/xdp-dbus.h |  2
 document-portal/xdp-fuse.c