Update to 1.17.2

Resolves: RHEL-126038
Jan Grulich 2026-03-12 15:52:16 +01:00
parent 771ceeb7ba
commit 1e84ffa519
10 changed files with 20 additions and 10034 deletions

1
.gitignore vendored

@ -115,3 +115,4 @@
/flatpak-1.15.10.tar.xz
/flatpak-1.15.91.tar.xz
/flatpak-1.16.0.tar.xz
/flatpak-1.17.2.tar.xz



@ -1,53 +0,0 @@
From 5c84fa21cc590811936d36dd8b122025a4340f85 Mon Sep 17 00:00:00 2001
From: "Owen W. Taylor" <otaylor@fishsoup.net>
Date: Wed, 30 Oct 2024 14:27:44 -0400
Subject: [PATCH] Enable collection IDs for OCI remotes
We want to use collection IDs to specify what remote to install from
when processing /etc/flatpak/preinstall.d; in order for this to work
for OCI remotes, we need to permit collection IDs.
- In flatpakrepo files, don't require a GPGKey for a OCI remote
with a collection - we don't have signature verification for GPG remotes.
- Don't validate that the collection ID appears in the summary -
the image index doesn't currently contain an image ID
---
common/flatpak-dir.c | 6 +++++-
common/flatpak-repo-utils.c | 5 ++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 6936d45f89..b0937eaa65 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -12995,9 +12995,13 @@ _flatpak_dir_get_remote_state (FlatpakDir *self,
return NULL;
}
+ /* For OCI remotes, the collection ID is local configuration only:
+ * In the future we could add it to the index format.
+ */
if (state->collection_id != NULL &&
state->summary != NULL &&
- !_validate_summary_for_collection_id (state->summary, state->collection_id, error))
+ !(flatpak_dir_get_remote_oci (self, state->remote_name) ||
+ _validate_summary_for_collection_id (state->summary, state->collection_id, error)))
return NULL;
if (flatpak_dir_get_remote_oci (self, remote_or_uri))
diff --git a/common/flatpak-repo-utils.c b/common/flatpak-repo-utils.c
index 63dc9981e7..52508d2df1 100644
--- a/common/flatpak-repo-utils.c
+++ b/common/flatpak-repo-utils.c
@@ -2929,7 +2929,10 @@ flatpak_parse_repofile (const char *remote_name,
FLATPAK_REPO_COLLECTION_ID_KEY);
if (collection_id != NULL)
{
- if (gpg_key == NULL)
+ /* We don't support signatures for OCI remotes, but Collection ID's are
+ * still useful for preinstallation.
+ */
+ if (gpg_key == NULL && !g_str_has_prefix (uri, "oci+"))
{
flatpak_fail_error (error, FLATPAK_ERROR_INVALID_DATA, _("Collection ID requires GPG key to be provided"));
return NULL;


@ -1,152 +0,0 @@
From 8354ee56cfe5b77afed1a31148dc557d46ca64ac Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Thu, 30 Oct 2025 16:09:00 +0100
Subject: [PATCH] kill: Do not kill pid 0 and embrace races
There are a number of races, and failure conditions which can lead to a
pid of 0 being returned from flatpak_instance_get_child_pid. This would
lead to a whole bunch of things getting killed.
We will skip the instance in those cases now, and retry a few times. We
also notice when the instance just goes away by itself now.
This should make killing more robust, and especially not SIGKILL pid 0.
---
app/flatpak-builtins-kill.c | 90 +++++++++++++++++++++++++++++--------
1 file changed, 72 insertions(+), 18 deletions(-)
diff --git ./app/flatpak-builtins-kill.c ../app/flatpak-builtins-kill.c
index c1a1ee11..081911de 100644
--- ./app/flatpak-builtins-kill.c
+++ ../app/flatpak-builtins-kill.c
@@ -36,37 +36,91 @@
#include "flatpak-builtins.h"
#include "flatpak-instance.h"
+#define FLATPAK_BUILTIN_KILL_N_RETRIES 5
+#define FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC (G_USEC_PER_SEC / 10)
+
static GOptionEntry options[] = {
{ NULL }
};
static gboolean
-kill_instance (const char *id,
- GError **error)
+instance_equal (FlatpakInstance *a,
+ FlatpakInstance *b)
{
- g_autoptr(GPtrArray) instances = NULL;
- int j;
- int killed = 0;
+ return g_strcmp0 (flatpak_instance_get_id (a),
+ flatpak_instance_get_id (b)) == 0;
+}
- instances = flatpak_instance_get_all ();
+static GPtrArray *
+kill_instances (GPtrArray *kill_list)
+{
+ g_autoptr(GPtrArray) instances = flatpak_instance_get_all ();
+ g_autoptr(GPtrArray) remaining =
+ g_ptr_array_new_with_free_func (g_object_unref);
- for (j = 0; j < instances->len; j++)
+ for (size_t i = 0; i < kill_list->len; i++)
{
- FlatpakInstance *instance = (FlatpakInstance *) g_ptr_array_index (instances, j);
- if (g_strcmp0 (id, flatpak_instance_get_app (instance)) == 0 ||
- strcmp (id, flatpak_instance_get_id (instance)) == 0)
+ FlatpakInstance *to_kill = g_ptr_array_index (kill_list, i);
+ pid_t pid;
+
+ if (!g_ptr_array_find_with_equal_func (instances, to_kill,
+ (GEqualFunc) instance_equal,
+ NULL))
{
- pid_t pid = flatpak_instance_get_child_pid (instance);
- kill (pid, SIGKILL);
- killed++;
+ g_info ("Instance %s disappeared", flatpak_instance_get_id (to_kill));
+ continue;
}
+
+ pid = flatpak_instance_get_child_pid (to_kill);
+ if (pid != 0)
+ {
+ kill (pid, SIGKILL);
+ g_info ("Instance %s killed", flatpak_instance_get_id (to_kill));
+ continue;
+ }
+
+ g_ptr_array_add (remaining, g_object_ref (to_kill));
}
- g_info ("Killed %d instances", killed);
+ return g_steal_pointer (&remaining);
+}
- if (killed == 0)
+static gboolean
+kill_id (const char *id,
+ GError **error)
+{
+ g_autoptr(GPtrArray) instances = flatpak_instance_get_all ();
+ g_autoptr(GPtrArray) kill_list =
+ g_ptr_array_new_with_free_func (g_object_unref);
+
+ for (size_t i = 0; i < instances->len; i++)
+ {
+ FlatpakInstance *instance = g_ptr_array_index (instances, i);
+
+ if (g_strcmp0 (id, flatpak_instance_get_app (instance)) != 0 &&
+ g_strcmp0 (id, flatpak_instance_get_id (instance)) != 0)
+ continue;
+
+ g_info ("Found instance %s to kill", flatpak_instance_get_id (instance));
+
+ g_ptr_array_add (kill_list, g_object_ref (instance));
+ }
+
+ if (kill_list->len == 0)
return flatpak_fail (error, _("%s is not running"), id);
+ for (size_t i = 0; i < FLATPAK_BUILTIN_KILL_N_RETRIES && kill_list->len > 0; i++)
+ {
+ g_autoptr (GPtrArray) remaining = NULL;
+
+ if (i > 0)
+ g_usleep (FLATPAK_BUILTIN_KILL_RETRY_SLEEP_USEC);
+
+ remaining = kill_instances (kill_list);
+ g_clear_pointer (&kill_list, g_ptr_array_unref);
+ kill_list = g_steal_pointer (&remaining);
+ }
+
return TRUE;
}
@@ -77,7 +131,7 @@ flatpak_builtin_kill (int argc,
GError **error)
{
g_autoptr(GOptionContext) context = NULL;
- const char *instance;
+ const char *id;
context = g_option_context_new (_("INSTANCE - Stop a running application"));
g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
@@ -97,9 +151,9 @@ flatpak_builtin_kill (int argc,
return FALSE;
}
- instance = argv[1];
+ id = argv[1];
- return kill_instance (instance, error);
+ return kill_id (id, error);
}
gboolean
--
2.51.0


@ -1,104 +0,0 @@
commit f0bc60dc0b34669e64d48e723a5e84c0b90b281d
Author: Owen W. Taylor <otaylor@fishsoup.net>
Date: Wed Feb 5 12:29:43 2025 -0500
Pass token to flatpak_image_source_new_remote()
Since flatpak_image_source_new_remote() already tries to load files
from the registry, having a separate flatpak_image_source_set_token()
doesn't work - when the token is set, it's already too late to
be passed along with the initial requests.
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 26ec176f..3621dd3b 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -1225,12 +1225,10 @@ flatpak_remote_state_new_image_source (FlatpakRemoteState *self,
if (registry_uri == NULL)
return NULL;
- image_source = flatpak_image_source_new_remote (registry_uri, oci_repository, digest, NULL, error);
+ image_source = flatpak_image_source_new_remote (registry_uri, oci_repository, digest, token, NULL, error);
if (image_source == NULL)
return NULL;
- flatpak_image_source_set_token (image_source, token);
-
return g_steal_pointer (&image_source);
}
@@ -6473,6 +6471,9 @@ flatpak_dir_mirror_oci (FlatpakDir *self,
else
image_source = flatpak_remote_state_fetch_image_source (state, self, ref, opt_rev, token, cancellable, error);
+ if (!image_source)
+ return FALSE;
+
flatpak_progress_start_oci_pull (progress);
g_info ("Mirroring OCI image %s", flatpak_image_source_get_digest (image_source));
@@ -6514,6 +6515,9 @@ flatpak_dir_pull_oci (FlatpakDir *self,
else
image_source = flatpak_remote_state_fetch_image_source (state, self, ref, opt_rev, token, cancellable, error);
+ if (!image_source)
+ return FALSE;
+
oci_digest = flatpak_image_source_get_digest (image_source);
/* Short circuit if we've already got this commit */
diff --git a/common/flatpak-image-source-private.h b/common/flatpak-image-source-private.h
index 597a8174..5f9604d8 100644
--- a/common/flatpak-image-source-private.h
+++ b/common/flatpak-image-source-private.h
@@ -45,14 +45,13 @@ FlatpakImageSource *flatpak_image_source_new_local (GFile *file,
FlatpakImageSource *flatpak_image_source_new_remote (const char *uri,
const char *oci_repository,
const char *digest,
+ const char *token,
GCancellable *cancellable,
GError **error);
FlatpakImageSource *flatpak_image_source_new_for_location (const char *location,
GCancellable *cancellable,
GError **error);
-void flatpak_image_source_set_token (FlatpakImageSource *self,
- const char *token);
void flatpak_image_source_set_delta_url (FlatpakImageSource *self,
const char *delta_url);
diff --git a/common/flatpak-image-source.c b/common/flatpak-image-source.c
index a31f1084..1fc0eeb0 100644
--- a/common/flatpak-image-source.c
+++ b/common/flatpak-image-source.c
@@ -180,6 +180,7 @@ FlatpakImageSource *
flatpak_image_source_new_remote (const char *uri,
const char *oci_repository,
const char *digest,
+ const char *token,
GCancellable *cancellable,
GError **error)
{
@@ -189,6 +190,8 @@ flatpak_image_source_new_remote (const char *uri,
if (!registry)
return NULL;
+ flatpak_oci_registry_set_token (registry, token);
+
return flatpak_image_source_new (registry, oci_repository, digest, cancellable, error);
}
@@ -327,13 +330,6 @@ flatpak_image_source_new_for_location (const char *location,
}
}
-void
-flatpak_image_source_set_token (FlatpakImageSource *self,
- const char *token)
-{
- flatpak_oci_registry_set_token (self->registry, token);
-}
-
void
flatpak_image_source_set_delta_url (FlatpakImageSource *self,
const char *delta_url)


@ -6,13 +6,14 @@
%global ostree_version 2020.8
%global wayland_protocols_version 1.32
%global wayland_scanner_version 1.15
%global xdg_portal_version 1.7.0
# Disable parental control for RHEL builds
%bcond malcontent %[!0%{?rhel}]
Name: flatpak
Version: 1.16.0
Release: 9%{?dist}
Version: 1.17.2
Release: 1%{?dist}
Summary: Application deployment framework for desktop apps
License: LGPL-2.1-or-later
@ -28,29 +29,10 @@ Source1: flatpak-add-fedora-repos.service
# with the config from upstream sources.
Source2: flatpak.sysusers.conf
# Implement /etc/containers/certs.d for OCI registries
# https://github.com/flatpak/flatpak/pull/5916
Patch0: flatpak-implement-etc-containers-certs-for-oci-registries.patch
# Allow direct installation from OCI images
# https://github.com/flatpak/flatpak/pull/5972
Patch1: flatpak-allow-direct-installation-from-oci-images.patch
# Support sideload repositories for OCI remotes
# https://github.com/owtaylor/flatpak/commits/oci-sideload
Patch2: flatpak-support-sideload-repositories-for-oci-remotes.patch
# Add support for preinstalling flatpaks
# https://github.com/flatpak/flatpak/pull/6116
Patch3: flatpak-add-support-for-preinstalling-flatpaks.patch
# Enable collection IDs for OCI remotes
# https://github.com/flatpak/flatpak/pull/6083
Patch4: flatpak-enable-collection-ids-for-oci-remotes.patch
# Fix crash and installatcion of OCI images
Patch5: flatpak-pass-token-to-flatpak-image-source-new-remote.patch
# /etc/pki/entitlement
Patch6: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
Patch1: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
# Enable FIPS support
Patch7: flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
# Stop killing the session when stopping background apps
Patch9: flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch
Patch2: flatpak-run-Enable-FIPS-crypto-policy-if-it-is-enabled-on-th.patch
# ostree not on i686 for RHEL 10
# https://github.com/containers/composefs/pull/229#issuecomment-1838735764
@ -116,9 +98,9 @@ Recommends: p11-kit-server
# Make sure the document portal is installed
%if 0%{?fedora} || 0%{?rhel} > 7
Recommends: xdg-desktop-portal > 0.10
Recommends: xdg-desktop-portal >= %{xdg_portal_version}
%else
Requires: xdg-desktop-portal > 0.10
Requires: xdg-desktop-portal >= %{xdg_portal_version}
%endif
%description
@ -200,7 +182,11 @@ This package contains installed tests for %{name}.
%meson_install
install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
# The system repo is not installed by the flatpak build system.
install -d %{buildroot}%{_datadir}/%{name}/preinstall.d
install -d %{buildroot}%{_datadir}/%{name}/remotes.d
install -d %{buildroot}%{_localstatedir}/lib/flatpak
install -d %{buildroot}%{_sysconfdir}/%{name}/installations.d
install -d %{buildroot}%{_sysconfdir}/%{name}/preinstall.d
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
%if 0%{?fedora}
@ -254,6 +240,7 @@ fi
%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
%{_datadir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
%{_datadir}/fish/
%{_datadir}/%{name}
@ -274,8 +261,9 @@ fi
%{_mandir}/man5/flatpak-remote.5*
%{_mandir}/man5/flatpakref.5*
%{_mandir}/man5/flatpakrepo.5*
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%dir %{_sysconfdir}/flatpak
%{_sysconfdir}/%{name}/installations.d
%{_sysconfdir}/%{name}/preinstall.d
%{_sysconfdir}/flatpak/remotes.d
%{_sysconfdir}/profile.d/flatpak.csh
%{_sysconfdir}/profile.d/flatpak.sh
@ -320,6 +308,10 @@ fi
%changelog
* Thu Mar 12 2026 Jan Grulich <jgrulich@redhat.com> - 1.17.2-1
- Update to 1.17.2
Resolves: RHEL-126038
* Tue Jan 13 2026 Sebastian Wick <sebastian.wick@redhat.com> - 1.16.0-9
- kill: Do not kill pid 0 and embrace races
Resolves: RHEL-140924
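Review bot: The new %changelog entry says only "Update to 1.17.2", while the Patch list in the same section loses seven downstream patches, among them `flatpak-kill-Do-not-kill-pid-0-and-embrace-races.patch`, which the previous changelog entry added for RHEL-140924. Nothing in the spec records that each dropped fix is actually carried by the 1.17.2 tarball; presumably they are all upstream now, but the old Patch2 pointed at a personal branch rather than an upstream pull request, so its inclusion is worth confirming explicitly. Once that is checked per patch, I would add a changelog line such as `- Drop downstream patches included upstream in 1.17.2` so a later reader can tell the SIGKILL-to-pid-0 fix and the OCI changes were dropped on purpose rather than lost in the rebase.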


@ -1 +1 @@
SHA512 (flatpak-1.16.0.tar.xz) = 57a8b660193ef1f9724718533963d854fa8bb0eb823470261f3f0a685f8ddbd209d6a1ae8378411c131e9c298cba605863d394f43c8d9eccda608001aadbb68d
SHA512 (flatpak-1.17.2.tar.xz) = 70e23d10698506df1f690fa5cb46fdd06ffe94e127b207715ce7226faa8cca5adf2793fd6b2d031d42137e5e4618f371cfdc7969219ffe23fd7bc018d1a835b4