Changelog:
==========
- flatpak-spawn now supports --sandbox-a11y-own-name (if supported by portal)
- flatpak-spawn prints a useful error when --host isn't permitted
- fixed minor leak in flatpak-spawn
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit removes the need to fix polkit permissions:
https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=d5e90541f8e35916abc930b2da6de037b23d51a1
That allows some cleanup to be done.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Dependencies:
* In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.10.0 is required. This version adds a new feature which is required by the security fix in this release.
Security fixes:
* Don't follow symbolic links when mounting persistent directories (--persist option). This prevents a sandbox escape where a malicious or compromised app could edit the symlink to point to a directory that the app should not have been allowed to read or write. (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)
Documentation:
* Mark the 1.12.x and 1.10.x branches as end-of-life (#5352)
Other bug fixes:
* Fix several memory leaks (#5883, #5884)
Internal changes:
* Record a log file when running build-time tests with AddressSanitizer (#5884)
* Add initial suppressions file for AddressSanitizer (#5884)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- flatpak now uses wrap files instead of git submodules to fetch bwrap and xdg-dbus-proxy
For reproducibility reasons, this cannot be done. Add external binaries and configure as
recommended below:
Dependencies:
* bubblewrap and xdg-dbus-proxy are now provided by Meson wrap files instead of being directly vendored via git submodule. If downloading external software during build is not allowed in your environment, please install suitable versions of bubblewrap and xdg-dbus-proxy separately, then configure Flatpak with options similar to -Dsystem_bubblewrap=bwrap -Dsystem_dbus_proxy=xdg-dbus-proxy (most major distributions package it like this already).
Enhancements:
* If xdg-dbus-proxy is new enough (0.1.6 or later, not yet released), allow two broadcast signals from AT-SPI by default, allowing bus traffic to be reduced. If xdg-dbus-proxy is older, this change will have no practical effect but is harmless. (#5828)
* Install csh profile snippet (#5753)
Bug fixes:
* Expand the list of environment variables that Flatpak apps do not inherit from the host system (#5765, #5785)
* Take time zone information from $TZDIR if set (#5850)
* Fix a memory leak since 1.15.7 when reloading D-Bus configuration (#5856)
* Fix a memory leak when running flatpak permissions (#5844)
* Fix memory leaks in flatpak update (#5816)
* Fix memory leaks when installing packages (#5811)
* Use more similar translatable strings for some error messages (#5748)
* Document flatpak config --set languages '*all*' correctly: it is really *all* (or equivalently *), not just all (#5836)
* Fix a misleading comment in the test for CVE-2024-32462 (#5779)
* Fix a copy/paste error in the 1.15.7 release notes
* On systems where subdirectories of /sys have been made inaccessible, continue without them (#5138)
* Make tests more compatible with non-GNU shell utilities (#5812)
* Translation updates: ka (#5873), hi (#5838), pt_BR (#5877), zh_CN (#5843)
Internal changes:
* libglnx and variant-schema-compiler are now managed as git subtree instead of git submodule. Maintainers and contributors, please see subprojects/README.md for details of how to interact with these. In particular this means that submodules no longer need to be set up before working on a git clone. (#5800, #5845)
* Split library code into more, smaller translation units, reducing internal circular dependencies (#5409, #5801, #5803)
* Add some convenience macros in the test suite (#5693)
* Minor internal robustness improvement (#5833)
* Add configuration for Github Codespaces (#5767)
* Improve CI configuration (#5791)
* Work around infrastructure issues in third-party apt repositories used by default in Github Workflows (#5786)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Disable by default to avoid a requirement for meta-gnome
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- remove included patches
- set path for fusermount3 to avoid requirement for fuse3-native. This is needed since:
https://github.com/flatpak/flatpak/commit/2cb17b4eb82ecedaa98b5b7f954cf3e52fa95682
Changes in 1.15.8
~~~~~~~~~~~~~~~~~
Security fixes:
* Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
Other bug fixes:
* Pass the -export-dynamic linker option as -Wl,-export-dynamic,
fixing build failures with clang 18 and lld 18 (#5760)
* Fix a double-free when installation is cancelled (#5763)
* Fix installed-tests failure with "FUSERMOUNT: unbound variable"
(#5751)
* Translation updates: pt_BR (#5762), tr (#5761)
Changes in 1.15.7
~~~~~~~~~~~~~~~~~
Released: 2024-03-27
Dependencies:
* The Meson build system is now required.
Compiling with Autotools is no longer possible.
* In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
executable, version 0.9.0 is recommended. Several of the bug fixes listed
below will not be active if an older version is used.
* In distributions that compile Flatpak to use a separate xdg-dbus-proxy
executable, version 0.1.5 is recommended.
* If libmalcontent (parental controls) is enabled, it must be version 0.5.0
or later.
New features:
* Automatically remove obsolete driver versions and other autopruned refs
(#5632)
* `--socket=inherit-wayland-socket` (#5614)
* Automatically reload D-Bus session bus configuration after installing
or upgrading apps, to pick up any exported D-Bus services (#3342)
Bug fixes:
* Update included copy of bubblewrap to version 0.9.0:
* `--symlink` is now idempotent, meaning it succeeds if the
symlink already exists and already has the desired target
(#2387, #3477, #5255)
* Report a better error message if `mount(2)` fails with `ENOSPC`
* Fix a double-close on error reading from `--args`, `--seccomp` or
`--add-seccomp-fd` argument
* Improve memory allocation behaviour
* Silence various compiler warnings
* Update included copy of bubblewrap to version 0.1.5:
* Fix handling of long object paths
* Don't parse `<developer><name/></developer>` as the application name
(#5700)
* Don't refuse to start apps when there is no D-Bus system bus available
(#5076)
* Don't try to repeat migration of apps whose data was migrated to a new
name and then deleted (#5668)
* Improve handling of mixed locales on systems with systemd-localed (#5497)
* Improve display of ellipsized columns in wide terminals (#5722)
* Make `flatpak info -e` look for extensions in all installations (#5670)
* Fix warnings from newer GLib versions (#5660, #5737)
* Always set the `container` environment variable (#5610)
* Always let the app inherit redirected file descriptors (#5626)
* In `flatpak ps`, add xdg-desktop-portal-gnome to the list of backends
we'll use to learn which apps are running in the background (#5729)
* Don't use `WAYLAND_SOCKET` unless given `--socket=inherit-wayland-socket`
(#5614)
* Use `fusermount3` if compiled with FUSE 3, overridable with
`-Dsystem_fusermount` compile-time option (#5104)
* Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into
the shell environment (#5574)
* Improve async-signal safety (#5687)
* Fix various memory leaks (#5683, #5690, #5691)
* Avoid undefined behaviour of signed left-shift when storing object IDs
in a hash table (#5738)
* Detect the correct gtk-doc when cross-compiling (#5650)
* Detect the correct wayland-scanner when cross-compiling (#5596)
* Documentation improvements (#5659, #5677, #5682, #5664, #5719)
* Skip more tests when FUSE isn't available (#5611)
* Translation updates (#5602, #5707)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The build has been modified to use internal copies of bubblewrap and xdg-dbus-proxy.
https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=9c68079a26b64b836bc6a28e422a1099f48726d2
We can additionally remove the RDEPENDS for these tools, since flatpak now creates
its own copies of the files in /usr/libexec.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
this fixes:
| Run-time dependency gtk-doc found: NO (tried pkgconfig)
|
| ../git/meson.build:206:13: ERROR: Dependency "gtk-doc" not found, tried pkgconfig
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is not how yocto builds work: any needed executables
should come from the build itself, with limited exceptions
listed in HOSTTOOLS. flatpak is entirely capable of building
without requiring them upfront.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- add a patch to fix build for the newly added wayland_security_context feature
- build wayland_security_context according to wayland distro_feature
- add GIR_MESON_OPTION
- add packageconfigs for selinux and http_backend
Dependencies:
* In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
  executable, version 0.8.0 is now required.
* Enabling the optional Wayland security context feature requires
  libwayland-client, wayland-scanner >= 1.15 and wayland-protocols >= 1.32.
* Ubuntu 18.04 is no longer routinely tested. Support for dependency
  versions included in Ubuntu 18.04 should be considered "at risk".
Features:
* Add --device=input, for access to evdev devices in /dev/input (#5481)
* Update bundled copy of bubblewrap to version 0.8.0, and rely on its
  features:
  * Improve error message if seccomp is disabled in kernel config
  * Security hardening: set user namespace limit to 0, to prevent creation
    of nested user namespaces in a more robust way (#5084)
* For subsandboxes started by flatpak-portal, inherit environment
  variables from the flatpak run that started the original instance
  rather than from flatpak-portal, fixing behaviour of FLATPAK_GL_DRIVERS
  and similar features (#5278)
* Stop http transfers if a download in progress becomes very slow (#5519)
* Make it easier to configure extra languages, by picking them up from
  AccountsService if configured there (#5006)
* Add new flatpak_transaction_add_rebase_and_uninstall() API,
  allowing end-of-life apps to be replaced by their intended replacement
  more reliably (#3991)
* Create a private Wayland socket with the "security context" extension
  if available, allowing the compositor to identify connections from
  sandboxed apps as belonging to the sandbox (#4920, #5507, #5558)
* Update libglnx to 2023-08-29
* Use features of newer GLib versions if available
* Turn off system-level crash reporting infrastructure during
  some unit tests that involve intentional assertion failures
* Add anchors to link to sections of flatpak-metadata documentation (#5582)
* New translations: ka, nl.
Bug fixes:
* Avoid warnings processing symbolic links with GLib >= 2.77.0, and
  with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings)
* Bypass page cache for backend requests in revokefs, fixing installation
  errors with libostree 2023.4 (#5452)
* Show AppStream metadata in flatpak remote-info as intended
  (#5523; regression in 1.9.1)
* Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES
  from the host system, which would be wrong for the sandbox (#5553)
* Fix build failure with prereleases of libappstream 0.17.x (#5472)
* Forward-compatibility with libappstream 1.0 (#5563)
* Fix installation with Meson if configured with -Dauto_sideloading=true
  (#5495)
* Fix a memory leak (#5329)
* Fix compiler warnings (#5362, #5366)
* Make the tests fail more comprehensibly if a required tool is missing
  (#5020)
* Clean up /var/tmp/flatpak-cache-* directories on boot (#1119)
* Don't force GIO_USE_VFS=local for programs launched via flatpak-spawn
  (#5567)
* Clarify documentation for D-Bus name ownership (#5582)
* Translation updates: id, tr, zh_CN
  (#5332, #5565)
Internal changes:
* Split up large source files into smaller modules, reducing internal
  circular dependencies (#5410, #5411, #5415, #5419, #5416, #5414)
* Re-synchronize code backported from GLib with the version in GLib
  (#5410)
* Make the flags used to apply "extra data" clearer (#5466)
* Use glnx_opendirat() where possible (#5527)
* CI improvements (#5374, #5381)
(There was never a 1.15.5 release, I got our versioning convention mixed up and
thought we avoided releasing odd micro versions.)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The usage of nobranch=1 in SRC_URI allows using unprotected branches.
This change updates the real branch name in place of nobranch=1 for these components.
Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- use system bubblewrap and xdg-dbus-proxy instead of building subprojects
- fix seccomp PACKAGECONFIG
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is a temporary workaround just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_L_K@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
1.15.3
Released: 2023-02-21
Build system:
* Building this version of Flatpak with Meson is recommended. The source release flatpak-1.15.3.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system.
Bug fixes:
* When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172)
* Fix a crash when --socket=gpg-agent is used (#5095)
* Fix a crash when listing apps if one of them is broken or misconfigured (#5293)
* If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293)
* Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (#5303)
* Fix a deprecation warning when compiled with curl >= 7.85 (#5284)
* Translation updates: es, ru (#5266, #5312, #5313)
Internal changes:
* Better diagnostic messages for why runtimes are or are not considered unused (#5237)
1.15.2
Released: 2023-02-06
Bug fixes:
* Never try to export a parent of reserved directories as a --filesystem,
  for example /run, which would prevent the app from starting (#5205, #5207)
* Never try to export a --filesystem below /run/flatpak or /run/host,
  which could similarly prevent the app from starting
* The above change also fixes apps not starting if a --filesystem is a
  symlink to the root directory (#1357)
* Show a warning when the --filesystem exists but cannot be shared with
  the sandbox (#1357, #5035, #5205, #5207)
* Display the intended messages for flatpak repair (#5204)
* Exporting an app to an existing repository on a CIFS filesystem
  now works as intended (#5257)
* Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib
  apps when set to a path on the host (#5206)
* Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps
  under Wayland when this variable is set to a path not available in the
  sandbox (#5194)
* When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the
  profile script is sourced more than once (#5198)
* Update included copy of bubblewrap to 0.7.0 for better error messages
* Install SELinux files correctly when building with Meson
* Translation updates: ru, tr (#5256, #5262)
Internal changes:
* Update included copy of libglnx
* flatpak -v now uses the INFO log level, and flatpak -vv uses the
  DEBUG log level in the flatpak log domain. Previously, the extra
  messages that were logged by flatpak -vv were in a separate "flatpak2"
  log domain. G_MESSAGES_DEBUG=flatpak previously had an effect similar to
  flatpak -v, and is now more similar to flatpak -vv.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Helper tools for sandboxed applications
Provides support for thumbnailing, email and xdg-open
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>