Update to 1.13.3

While Flatpak should ideally use at least appstream 0.15.3, certain
practicalities make it difficult to bump the requirement upstream:
  https://github.com/flatpak/flatpak/pull/4949

This reverts 8cbbf30854 because the
downstream patch for gssproxy support doesn't apply anymore and needs
to be rebased.  Ideally, we shouldn't be in a rush to apply unreviewed
patches to Rawhide unless there's some major ongoing crisis.

.gitignore

@@ -104,3 +104,4 @@
 /flatpak-1.12.6.tar.xz
 /flatpak-1.13.1.tar.xz
 /flatpak-1.13.2.tar.xz
+/flatpak-1.13.3.tar.xz

flatpak-1.13.2-add-gssproxy-support.patch

@@ -1,118 +0,0 @@
-From 50c12cbeea35590779098e2e01313cc781f91f31 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Thu, 12 May 2022 12:44:59 -0500
-Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment
-
-We're using a directory rather than binding a socket directly for
-increased robustness. In theory, if gssproxy crashes on the host, a new
-socket that a new gssproxy process creates should be immediately visible
-inside the sandbox. Nifty.
-
-Previously, applications that wanted to use Kerberos authentication
-would have to punch a sandbox hole for the host's KCM socket. In
-contrast, this gssproxy socket is designed for use by sandboxed apps.
-
-See also: https://github.com/gssapi/gssproxy/issues/45
----
- common/flatpak-run.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index b91be51b..ccf9807b 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -924,6 +924,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap         *bwrap,
-     flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
- }
- 
-+static void
-+flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap)
-+{
-+  /* We only expose the gssproxy user service. The gssproxy system service is
-+   * not intended to be exposed to sandboxed environments.
-+   */
-+  g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL);
-+  const char *gssproxy_sandboxed_dir = "/var/lib/gssproxy/";
-+
-+  if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS))
-+    flatpak_bwrap_add_args (bwrap, "--bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL);
-+}
-+
- static void
- flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
- {
-@@ -4561,7 +4574,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
-     }
- 
-   if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
--    flatpak_run_add_resolved_args (bwrap);
-+    {
-+      flatpak_run_add_gssproxy_args (bwrap);
-+      flatpak_run_add_resolved_args (bwrap);
-+    }
- 
-   flatpak_run_add_journal_args (bwrap);
-   add_font_path_args (bwrap);
--- 
-2.36.1
-
-
-From b4eb25dacbe745b10606adb8b0080c75490e9070 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Mon, 23 May 2022 09:59:48 -0500
-Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox
-
-If this environment variable is set on the host, it's going to mess up
-authentication in the sandbox. For example, if the host has:
-
-KRB5CCNAME=KCM:
-
-then the sandboxed process will try to use the host KCM socket, which is
-not available in the sandboxed environment, rather than the gssproxy
-socket that we want it to use. We need to unset it to ensure that
-whatever configuration we ship in the runtime gets used instead. We have
-switched the GNOME runtime to use an empty krb5.conf and it works as
-long as we don't break it with this environment variable meant for the
-host.
----
- common/flatpak-run.c | 4 +++-
- doc/flatpak-run.xml  | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index ccf9807b..b66f326c 100644
---- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -1851,7 +1851,8 @@ static const ExportData default_exports[] = {
-   {"XDG_RUNTIME_DIR", NULL},
- 
-   /* Some env vars are common enough and will affect the sandbox badly
--     if set on the host. We clear these always. */
-+     if set on the host. We clear these always. If updating this list,
-+     also update the list in flatpak-run.xml. */
-   {"PYTHONPATH", NULL},
-   {"PERLLIB", NULL},
-   {"PERL5LIB", NULL},
-@@ -1868,6 +1869,7 @@ static const ExportData default_exports[] = {
-   {"GST_PTP_HELPER", NULL},
-   {"GST_PTP_HELPER_1_0", NULL},
-   {"GST_INSTALL_PLUGINS_HELPER", NULL},
-+  {"KRB5CCNAME", NULL},
- };
- 
- static const ExportData no_ld_so_cache_exports[] = {
-diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
-index c1396b07..ca181f32 100644
---- a/doc/flatpak-run.xml
-+++ b/doc/flatpak-run.xml
-@@ -89,6 +89,7 @@
-             <member>PERLLIB</member>
-             <member>PERL5LIB</member>
-             <member>XCURSOR_PATH</member>
-+            <member>KRB5CCNAME</member>
-         </simplelist>
-         <para>
-             Flatpak also overrides the XDG environment variables to point sandboxed applications
--- 
-2.36.1
-

flatpak-selinux-permissions.patch

@@ -1,105 +0,0 @@
-From b20c074fb225ed3e54337bd50dc18452a3dc3196 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <debarshir@gnome.org>
-Date: Tue, 12 Apr 2022 20:28:29 +0200
-Subject: [PATCH 1/3] selinux: Let the system helper have read access to
- /etc/passwd
-
-The system-helper (ie., the `flatpak-system-helper` process) is
-labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
-domain, and needs to be able to read /etc/passwd.  This explicitly
-permits it to do so to avoid running into SELinux denials.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2070350
----
- selinux/flatpak.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 2bcc507b725a..871ffa2906cc 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -12,6 +12,8 @@ type flatpak_helper_t;
- type flatpak_helper_exec_t;
- init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
- 
-+auth_read_passwd(flatpak_helper_t)
-+
- optional_policy(`
-     dbus_stub()
-     dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
--- 
-2.35.1
-
-
-From d6743d58bbd0293a4f6992fee9b5e7363892ebe7 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <debarshir@gnome.org>
-Date: Tue, 12 Apr 2022 20:56:06 +0200
-Subject: [PATCH 2/3] selinux: Let the system helper watch files inside
- $libexecdir
-
-The system-helper (ie., the `flatpak-system-helper` process) is
-labelled with flatpak_helper_exec_t and runs in the flatpak_helper_t
-domain, and tries to set up an inotify(7) watch on it's own binary so
-that it can exit when the binary is replaced.  This explicitly permits
-it to do so to avoid running into SELinux denials.
-
-The corecmd_watch_bin_dirs SELinux interface is a recent addition [1],
-and is therefore used conditionally when defined.
-
-[1] https://github.com/fedora-selinux/selinux-policy/commit/88072fd293
-    https://github.com/fedora-selinux/selinux-policy/pull/1133
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2053634
----
- selinux/flatpak.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 871ffa2906cc..0bb776314ddb 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -14,6 +14,10 @@ init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
- 
- auth_read_passwd(flatpak_helper_t)
- 
-+ifdef(`corecmd_watch_bin_dirs',`
-+    corecmd_watch_bin_dirs(flatpak_helper_t)
-+')
-+
- optional_policy(`
-     dbus_stub()
-     dbus_system_domain(flatpak_helper_t, flatpak_helper_exec_t)
--- 
-2.35.1
-
-
-From 04524cb3b79bb777d62f743b1fb4037816c6a3f2 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <debarshir@gnome.org>
-Date: Tue, 12 Apr 2022 22:33:11 +0200
-Subject: [PATCH 3/3] selinux: Permit read access to /var/lib/flatpak
-
-It's clearly quite important to have read access to /var/lib/flatpak
-and it's contents.  This explicitly permits that to avoid running
-into SELinux denials.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2070741
----
- selinux/flatpak.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selinux/flatpak.te b/selinux/flatpak.te
-index 0bb776314ddb..e1fd4377373f 100644
---- a/selinux/flatpak.te
-+++ b/selinux/flatpak.te
-@@ -13,6 +13,8 @@ type flatpak_helper_exec_t;
- init_daemon_domain(flatpak_helper_t, flatpak_helper_exec_t)
- 
- auth_read_passwd(flatpak_helper_t)
-+files_list_var_lib(flatpak_helper_t)
-+files_read_var_lib_files(flatpak_helper_t)
- 
- ifdef(`corecmd_watch_bin_dirs',`
-     corecmd_watch_bin_dirs(flatpak_helper_t)
--- 
-2.35.1
-

flatpak.spec

@@ -1,10 +1,12 @@
-%global appstream_version 0.14.0
+%global appstream_version 0.15.3
 %global bubblewrap_version 0.5.0
+%global glib_version 2.46.0
+%global libcurl_version 7.29.0
 %global ostree_version 2020.8
 
 Name:           flatpak
-Version:        1.13.2
+Version:        1.13.3
-Release:        4%{?dist}
+Release:        1%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -20,20 +22,16 @@ Source1:        flatpak-add-fedora-repos.service
 # with the config from upstream sources.
 Source2:        flatpak.sysusers.conf
 
-Patch0:         flatpak-selinux-permissions.patch
-# https://github.com/flatpak/flatpak/pull/4914
-Patch1:         flatpak-1.13.2-add-gssproxy-support.patch
-
 BuildRequires:  pkgconfig(appstream) >= %{appstream_version}
 BuildRequires:  pkgconfig(dconf)
 BuildRequires:  pkgconfig(fuse)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
-BuildRequires:  pkgconfig(gio-unix-2.0)
+BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 1.40.0
 BuildRequires:  pkgconfig(json-glib-1.0)
 BuildRequires:  pkgconfig(libarchive) >= 2.8.0
 BuildRequires:  pkgconfig(libseccomp)
-BuildRequires:  pkgconfig(libsoup-2.4)
+BuildRequires:  pkgconfig(libcurl) >= %{libcurl_version}
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(libxml-2.0) >= 2.4
 BuildRequires:  pkgconfig(libzstd) >= 0.8.1
@@ -57,6 +55,8 @@ BuildRequires:  /usr/bin/xsltproc
 
 Requires:       appstream%{?_isa} >= %{appstream_version}
 Requires:       bubblewrap >= %{bubblewrap_version}
+Requires:       glib2%{?_isa} >= %{glib_version}
+Requires:       libcurl%{?_isa} >= %{libcurl_version}
 Requires:       librsvg2%{?_isa}
 Requires:       ostree-libs%{?_isa} >= %{ostree_version}
 Requires:       /usr/bin/xdg-dbus-proxy
@@ -143,6 +143,7 @@ This package contains installed tests for %{name}.
             --enable-docbook-docs \
             --enable-installed-tests \
             --enable-selinux-module \
+            --with-curl \
             --with-priv-mode=none \
             --with-system-bubblewrap \
             --with-system-dbus-proxy \
@@ -270,6 +271,10 @@ fi
 
 
 %changelog
+* Fri Jun 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.13.3-1
+- Update to 1.13.3
+- Remove downstream patch for gssproxy support until it gets rebased
+
 * Tue Jun 07 2022 David King <amigadave@amigadave.com> - 1.13.2-4
 - Add gssproxy support
 

sources

@@ -1 +1 @@
-SHA512 (flatpak-1.13.2.tar.xz) = d7e1d0a9965332220f829caa5724d7547280db10f7428b4e9add87152da1d7dad97edcde85668501d5a50e6a7c1031bfd15e8f4cbc7196e1c0f7cc3d2e333fe1
+SHA512 (flatpak-1.13.3.tar.xz) = 8aeef0b0c00a958b04d3d40b9bc6fa6afd3b4875fea6aa4a64ed1fe4e5e67a6e17543fa42e20d7e0e99e22d26821fb392849206f27f1ee7c6cf4c78f8aed2cfe