.flatpak-builder.metadata

@@ -0,0 +1 @@
+0fcee8a24a3980508dc67c274985d984fccb685f SOURCES/flatpak-builder-1.2.3.tar.xz

SOURCES/flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch

@@ -0,0 +1,77 @@
+From dfcc0717abaf30d1c0ac76becbe7e334b6a31a3e Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 15:16:12 +0100
+Subject: [PATCH] source-archive, source-file: Deprecate MD5 and SHA1 hashes
+
+... because of their weaknesses, and show a warning suggesting SHA256
+instead.
+
+The new test cases were removed from this commit to simplify the
+downstream build.
+
+https://github.com/flatpak/flatpak-builder/pull/459
+https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+---
+ src/builder-source-archive.c | 12 ++++++++++++
+ src/builder-source-file.c    | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/builder-source-archive.c b/src/builder-source-archive.c
+index c93f84efc84c..04eafe44cd01 100644
+--- a/src/builder-source-archive.c
++++ b/src/builder-source-archive.c
+@@ -230,11 +230,23 @@ builder_source_archive_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+diff --git a/src/builder-source-file.c b/src/builder-source-file.c
+index 715803d510bb..8a4077246cda 100644
+--- a/src/builder-source-file.c
++++ b/src/builder-source-file.c
+@@ -154,11 +154,23 @@ builder_source_file_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+-- 
+2.34.1
+

SPECS/flatpak-builder.spec

@@ -1,6 +1,6 @@
+%global debugedit_version 5.0
 %global elf_version 0.8.12
 %global glib2_version 2.44
-%global libdw_version 0.172
 %global ostree_version 2017.14
 %global flatpak_version 0.99.1
 
@@ -15,16 +15,20 @@ License:        LGPLv2+ and GPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+Patch0:         flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch
+
 BuildRequires:  gettext
+BuildRequires:  debugedit >= %{debugedit_version}
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
 BuildRequires:  flatpak >= %{flatpak_version}
 BuildRequires:  libcap-devel
+BuildRequires:  make
 BuildRequires:  pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0)
 BuildRequires:  pkgconfig(json-glib-1.0)
 BuildRequires:  pkgconfig(libcurl)
-BuildRequires:  pkgconfig(libdw) >= %{libdw_version}
 BuildRequires:  pkgconfig(libelf) >= %{elf_version}
 BuildRequires:  pkgconfig(libsoup-2.4)
 BuildRequires:  pkgconfig(ostree-1) >= %{ostree_version}
@@ -32,25 +36,28 @@ BuildRequires:  pkgconfig(yaml-0.1)
 BuildRequires:  /usr/bin/xmlto
 BuildRequires:  /usr/bin/xsltproc
 
+Requires:       debugedit >= %{debugedit_version}
 Requires:       elfutils-libelf%{?_isa} >= %{elf_version}
-Requires:       elfutils-libs%{?_isa} >= %{libdw_version}
 Requires:       flatpak%{?_isa} >= %{flatpak_version}
 Requires:       glib2%{?_isa} >= %{glib2_version}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
-Requires:       /usr/bin/bzip2
-%if ! 0%{?rhel} > 7
-# No bzr in latest RHEL
-Recommends:     /usr/bin/bzr
-%endif
-Requires:       /usr/bin/eu-strip
-Requires:       /usr/bin/git
-Requires:       /usr/bin/patch
 Requires:       /usr/bin/rofiles-fuse
-Requires:       /usr/bin/strip
+
-Recommends:     /usr/bin/svn
+# Recommend various things that may or may not be needed depending on the code being built
-Requires:       /usr/bin/tar
+Recommends:     /usr/bin/bzip2
-Requires:       /usr/bin/unzip
+Recommends:     /usr/bin/eu-strip
+Recommends:     /usr/bin/git
+Recommends:     /usr/bin/patch
+Recommends:     /usr/bin/strip
+Recommends:     /usr/bin/tar
+Recommends:     /usr/bin/unzip
 Recommends:     /usr/bin/zstd
+Recommends:     ccache
+
+# Uncommon enough that we don't want to pull them in by default
+#Recommends:     /usr/bin/bzr
+#Recommends:     /usr/bin/lzip
+#Recommends:     /usr/bin/svn
 
 %description
 Flatpak-builder is a tool for building flatpaks from sources.
@@ -65,7 +72,8 @@ See http://flatpak.org/ for more information.
 %build
 %configure \
     --enable-docbook-docs \
-    --with-fuse=2
+    --with-fuse=2 \
+    --with-system-debugedit
 
 %make_build V=1
 
@@ -78,29 +86,89 @@ See http://flatpak.org/ for more information.
 %license COPYING
 %doc %{_pkgdocdir}
 %{_bindir}/flatpak-builder
-%{_libexecdir}/flatpak-builder-debugedit
 %{_mandir}/man1/flatpak-builder.1*
 %{_mandir}/man5/flatpak-manifest.5*
 
 
 %changelog
 * Wed Nov 08 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.2.3-1
-- Rebase to 1.2.3 (RHEL-16011)
+- Update to 1.2.3
+Resolves: RHEL-16036
 
-* Fri Apr 01 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
+* Mon Feb 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.2.2-1
-- Fix CVE-2022-21682 (#2042007)
+- Rebase to 1.2.2
+Resolves: #1999742
 
-* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
+* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
-- Update to 1.0.14 (#2047312)
+- Deprecate MD5 and SHA1 hashes
+Resolves: #1935509
 
-* Tue Feb 25 2020 David King <dking@redhat.com> - 1.0.9-3
+* Thu Sep 23 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
-- Use elfutils instead of libdwarf (#1613030)
+- Update to 1.0.14
+Resolves: #2006557
 
-* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-5
-- Drop Requires on lzip (#1748290)
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+<
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.12-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Fri Nov 08 2019 David King <dking@redhat.com> - 1.0.9-1
+* Mon Mar 29 2021 Kalev Lember <klember@redhat.com> - 1.0.12-3
-- Rebase to 1.0.9 (#1748290)
+- Remove bzr, lzip and svn recommends as they are not common enough
+
+* Thu Mar 25 2021 Kalev Lember <klember@redhat.com> - 1.0.12-2
+- Recommend all the archive handlers etc, instead of hard requiring
+
+* Wed Feb 17 2021 Kalev Lember <klember@redhat.com> - 1.0.12-1
+- Update to 1.0.12
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 08 2020 Bastien Nocera <bnocera@redhat.com> - 1.0.10-3
++ flatpak-builder-1.0.10-3
+- Require ccache on Fedora where it is available
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Mar 20 2020 Kalev Lember <klember@redhat.com> - 1.0.10-1
+- Update to 1.0.10
+
+* Tue Feb 25 2020 David King <amigadave@amigadave.com> - 1.0.9-3
+- Use elfutils instead of libdwarf
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Sep 14 2019 David King <amigadave@amigadave.com> - 1.0.9-1
+- Update to 1.0.9
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 10 2019 Kalev Lember <klember@redhat.com> - 1.0.7-1
+- Update to 1.0.7
+
+* Fri Feb 08 2019 Kalev Lember <klember@redhat.com> - 1.0.5-1
+- Update to 1.0.5
+
+* Tue Feb 05 2019 Kalev Lember <klember@redhat.com> - 1.0.4-1
+- Update to 1.0.4
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 30 2019 David King <amigadave@amigadave.com> - 1.0.3-2
+- Add dependency on lzip
+
+* Mon Jan 28 2019 David King <amigadave@amigadave.com> - 1.0.3-1
+- Update to 1.0.3
+
+* Tue Jan 15 2019 Kalev Lember <klember@redhat.com> - 1.0.2-1
+- Update to 1.0.2
+- Change bzr requires to recommends
 
 * Tue Oct 16 2018 Kalev Lember <klember@redhat.com> - 1.0.1-2
 - Change svn requires to recommends (#1639355)
@@ -111,8 +179,65 @@ See http://flatpak.org/ for more information.
 * Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
 - Update to 1.0.0
 
-* Mon Aug 13 2018 Kalev Lember <klember@redhat.com> - 0.99.3-2
+* Mon Aug 13 2018 Kalev Lember <klember@redhat.com> - 0.99.3-4
 - Update license to "LGPLv2+ and GPLv2+"
 
-* Thu Aug 02 2018 David King <dking@redhat.com> - 0.99.3-1
+* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.99.3-3
-- Import from Fedora
+- Rebuild with fixed binutils
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Kalev Lember <klember@redhat.com> - 0.99.3-1
+- Update to 0.99.3
+
+* Wed Jun 27 2018 Kalev Lember <klember@redhat.com> - 0.99.2-1
+- Update to 0.99.2
+
+* Mon Jun 25 2018 David King <amigadave@amigadave.com> - 0.99.1-1
+- Update to 0.99.1
+
+* Fri Apr 27 2018 David King <amigadave@amigadave.com> - 0.10.10-2
+- Add some extra dependencies
+
+* Thu Apr 26 2018 Kalev Lember <klember@redhat.com> - 0.10.10-1
+- Update to 0.10.10
+
+* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.10.9-1
+- Update to 0.10.9
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 15 2017 Kalev Lember <klember@redhat.com> - 0.10.6-1
+- Update to 0.10.6
+
+* Tue Nov 28 2017 David King <amigadave@amigadave.com> - 0.10.5-1
+- Update to 0.10.5
+
+* Mon Nov 06 2017 Kalev Lember <klember@redhat.com> - 0.10.4-1
+- Update to 0.10.4
+
+* Tue Oct 31 2017 David King <amigadave@amigadave.com> - 0.10.3-1
+- Update to 0.10.3
+
+* Mon Oct 30 2017 David King <amigadave@amigadave.com> - 0.10.2-1
+- Update to 0.10.2
+
+* Fri Oct 27 2017 Kalev Lember <klember@redhat.com> - 0.10.1-1
+- Update to 0.10.1
+
+* Thu Oct 26 2017 Kalev Lember <klember@redhat.com> - 0.10.0-1
+- Update to 0.10.0
+
+* Mon Oct 09 2017 Kalev Lember <klember@redhat.com> - 0.9.99-1
+- Update to 0.9.99
+
+* Mon Sep 25 2017 Kalev Lember <klember@redhat.com> - 0.9.98-1
+- Update to 0.9.98
+
+* Wed Sep 13 2017 Kalev Lember <klember@redhat.com> - 0.9.11-1
+- Update to 0.9.11
+
+* Mon Sep 04 2017 Kalev Lember <klember@redhat.com> - 0.9.9-1
+- Initial flatpak-builder package