import flatpak-builder-1.2.2-1.el9

.flatpak-builder.metadata

@@ -1 +1 @@
-e201b45463be6dda24bcc38cd52abe537190a0ec SOURCES/flatpak-builder-1.0.14.tar.xz
+59c5dcd6363c3b6bdc0be773d41d1038a92a80d1 SOURCES/flatpak-builder-1.2.2.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/flatpak-builder-1.0.14.tar.xz
+SOURCES/flatpak-builder-1.2.2.tar.xz

SOURCES/flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch

@@ -0,0 +1,77 @@
+From dfcc0717abaf30d1c0ac76becbe7e334b6a31a3e Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 15:16:12 +0100
+Subject: [PATCH] source-archive, source-file: Deprecate MD5 and SHA1 hashes
+
+... because of their weaknesses, and show a warning suggesting SHA256
+instead.
+
+The new test cases were removed from this commit to simplify the
+downstream build.
+
+https://github.com/flatpak/flatpak-builder/pull/459
+https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+---
+ src/builder-source-archive.c | 12 ++++++++++++
+ src/builder-source-file.c    | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/builder-source-archive.c b/src/builder-source-archive.c
+index c93f84efc84c..04eafe44cd01 100644
+--- a/src/builder-source-archive.c
++++ b/src/builder-source-archive.c
+@@ -230,11 +230,23 @@ builder_source_archive_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+diff --git a/src/builder-source-file.c b/src/builder-source-file.c
+index 715803d510bb..8a4077246cda 100644
+--- a/src/builder-source-file.c
++++ b/src/builder-source-file.c
+@@ -154,11 +154,23 @@ builder_source_file_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+-- 
+2.34.1
+

SPECS/flatpak-builder.spec

@@ -1,9 +1,10 @@
+%global debugedit_version 5.0
 %global glib2_version 2.44
 %global ostree_version 2017.14
 %global flatpak_version 0.99.1
 
 Name:           flatpak-builder
-Version:        1.0.14
+Version:        1.2.2
 Release:        1%{?dist}
 Summary:        Tool to build flatpaks from source
 
@@ -13,12 +14,15 @@ License:        LGPLv2+ and GPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+Patch0:         flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch
+
 BuildRequires:  gettext
+BuildRequires:  debugedit >= %{debugedit_version}
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  flatpak >= %{flatpak_version}
 BuildRequires:  libcap-devel
-BuildRequires:  elfutils-devel
 BuildRequires:  make
 BuildRequires:  pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0)
@@ -31,6 +35,7 @@ BuildRequires:  pkgconfig(yaml-0.1)
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
 
+Requires:       debugedit >= %{debugedit_version}
 Requires:       flatpak%{?_isa} >= %{flatpak_version}
 Requires:       glib2%{?_isa} >= %{glib2_version}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
@@ -44,6 +49,7 @@ Recommends:     /usr/bin/patch
 Recommends:     /usr/bin/strip
 Recommends:     /usr/bin/tar
 Recommends:     /usr/bin/unzip
+Recommends:     /usr/bin/zstd
 Recommends:     ccache
 
 # Uncommon enough that we don't want to pull them in by default
@@ -63,7 +69,9 @@ See http://flatpak.org/ for more information.
 
 %build
 %configure \
-    --enable-docbook-docs
+    --enable-docbook-docs \
+    --with-fuse=2 \
+    --with-system-debugedit
 
 %make_build V=1
 
@@ -81,6 +89,14 @@ See http://flatpak.org/ for more information.
 
 
 %changelog
+* Mon Feb 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.2.2-1
+- Rebase to 1.2.2
+Resolves: #1999742
+
+* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
+- Deprecate MD5 and SHA1 hashes
+Resolves: #1935509
+
 * Thu Sep 23 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
 - Update to 1.0.14
 Resolves: #2006557
@@ -88,7 +104,7 @@ Resolves: #2006557
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688
-
+<
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-4
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937