import flatpak-1.6.2-3.el8_2

2020-07-21 10:14:29 -04:00 · 2020-07-21 10:14:29 -04:00 · a5b04029d8
commit a5b04029d8
5 changed files with 974 additions and 0 deletions
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@ -0,0 +1 @@
+6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/flatpak-1.6.2.tar.xz
--- a/SOURCES/flatpak-1.6.2-oci-fixes.patch
+++ b/SOURCES/flatpak-1.6.2-oci-fixes.patch
@ -0,0 +1,161 @@
+diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c
+--- flatpak-1.6.2/common/flatpak-oci-registry.c	2019-12-20 09:52:17.000000000 +0000
+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c	2020-03-20 12:01:39.923000000 +0000
+@@ -901,6 +901,7 @@
+ 
+ static char *
+ get_token_for_www_auth (FlatpakOciRegistry *self,
+                        const char    *repository,
+                         const char    *www_authenticate,
+                         const char    *auth,
+                         GCancellable  *cancellable,
+@@ -911,6 +912,7 @@
+   g_autoptr(GHashTable) params = NULL;
+   g_autoptr(GHashTable) args = NULL;
+   const char *realm, *service, *scope, *token;
+  g_autofree char *default_scope = NULL;
+   g_autoptr(SoupURI) auth_uri = NULL;
+   g_autoptr(GBytes) body = NULL;
+   g_autoptr(JsonNode) json = NULL;
+@@ -941,16 +943,21 @@
+   service = g_hash_table_lookup (params, "service");
+   if (service)
+     g_hash_table_insert (args, "service", (char *)service);
+
+   scope = g_hash_table_lookup (params, "scope");
+-  if (scope)
+-    g_hash_table_insert (args, "scope", (char *)scope);
+  if (scope == NULL)
+    scope = default_scope = g_strdup_printf("repository:%s:pull", repository);
+  g_hash_table_insert (args, "scope", (char *)scope);
+ 
+   soup_uri_set_query_from_form (auth_uri, args);
+ 
+   auth_msg = soup_message_new_from_uri ("GET", auth_uri);
+ 
+-  g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
+-  soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+  if (auth)
+    {
+      g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
+      soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+    }
+ 
+   auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error);
+   if (auth_stream == NULL)
+@@ -1030,7 +1037,7 @@
+       return NULL;
+     }
+ 
+-  token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error);
+  token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error);
+   if (token == NULL)
+     return NULL;
+ 
+diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c
+--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c	2019-12-19 09:33:40.000000000 +0000
+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c	2020-03-20 12:01:39.936000000 +0000
+@@ -428,10 +428,12 @@
+   g_autoptr(GError) error = NULL;
+   g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL;
+   const char *auth = NULL;
+  gboolean have_auth;
+   const char *oci_registry_uri = NULL;
+   gsize n_refs, i;
+   gboolean no_interaction = FALSE;
+   g_autoptr(FlatpakOciRegistry) registry = NULL;
+  g_autofree char *first_token = NULL;
+   GVariantBuilder tokens;
+   GVariantBuilder results;
+   g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
+@@ -439,6 +441,7 @@
+   g_debug ("handling Authenticator.RequestRefTokens");
+ 
+   g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth);
+  have_auth = auth != NULL;
+ 
+   if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri))
+     {
+@@ -476,18 +479,33 @@
+     return error_request (request, sender, error->message);
+ 
+ 
+-  if (auth == NULL)
+  /* Look up credentials in config files */
+  if (!have_auth)
+     {
+       g_debug ("Looking for %s in auth info", oci_registry_uri);
+       auth = lookup_auth_from_config (oci_registry_uri);
+      have_auth = auth != NULL;
+     }
+ 
+  /* Try to see if we can get a token without presenting credentials */
+   n_refs = g_variant_n_children (arg_refs);
+-  if (auth == NULL && n_refs > 0 &&
+  if (!have_auth && n_refs > 0)
+    {
+      g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
+
+      first_token = get_token_for_ref (registry, ref_data, NULL, &error);
+      if (first_token != NULL)
+        have_auth = TRUE;
+      else
+        g_clear_error (&error);
+    }
+
+  /* Prompt the user for credentials */
+  n_refs = g_variant_n_children (arg_refs);
+  if (!have_auth && n_refs > 0 &&
+       !no_interaction)
+     {
+       g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
+-      g_autofree char *token = NULL;
+ 
+       while (auth == NULL)
+         {
+@@ -498,13 +516,21 @@
+           if (test_auth == NULL)
+             return cancel_request (request, sender);
+ 
+-          token = get_token_for_ref (registry, ref_data, test_auth, &error);
+-          if (token != NULL)
+-            auth = g_steal_pointer (&test_auth);
+          first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
+          if (first_token != NULL)
+            {
+              auth = g_steal_pointer (&test_auth);
+              have_auth = TRUE;
+            }
+          else
+            {
+              g_debug ("Failed to get token: %s", error->message);
+              g_clear_error (&error);
+            }
+         }
+     }
+ 
+-  if (auth == NULL)
+  if (!have_auth)
+     return error_request (request, sender, "No authentication information available");
+ 
+   g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));
+@@ -515,9 +541,16 @@
+       char *for_refs_strv[2] = { NULL, NULL};
+       g_autofree char *token = NULL;
+ 
+-      token = get_token_for_ref (registry, ref_data, auth, &error);
+-      if (token == NULL)
+-        return error_request (request, sender, error->message);
+      if (i == 0 && first_token != NULL)
+        {
+          token = g_steal_pointer (&first_token);
+        }
+      else
+        {
+          token = get_token_for_ref (registry, ref_data, auth, &error);
+          if (token == NULL)
+            return error_request (request, sender, error->message);
+        }
+ 
+       g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]);
+       g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv);
--- a/SOURCES/flatpak-1.6.2-oci-fixes2.patch
+++ b/SOURCES/flatpak-1.6.2-oci-fixes2.patch
@ -0,0 +1,322 @@
+From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 4 May 2020 13:00:35 +0200
+Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when
+ authenticating
+
+Without this I got for the fedora registry:
+
+```
+getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a
+F: Anonymous authentication failed: Unexpected response status 404 from repo
+```
+
+(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054)
+---
+ common/flatpak-oci-registry.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
+index 2505771ee..ae363bc1a 100644
+--- a/common/flatpak-oci-registry.c
+++ b/common/flatpak-oci-registry.c
+@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self,
+ 
+   msg = soup_message_new_from_uri ("HEAD", uri);
+ 
+  soup_message_headers_replace (msg->request_headers, "Accept",
+                                FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2);
+
+   stream = soup_session_send (self->soup_session, msg, NULL, error);
+   if (stream == NULL)
+     return NULL;
+
+From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 4 May 2020 12:35:16 +0200
+Subject: [PATCH 2/7] By default, always try to auth to OCI remotes
+
+This makes for instance docker hub work.
+
+(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe)
+---
+ common/flatpak-auth.c | 4 ++++
+ common/flatpak-dir.c  | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c
+index 9d0f689fc..9e45da41e 100644
+--- a/common/flatpak-auth.c
+++ b/common/flatpak-auth.c
+@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir,
+       if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error))
+         return NULL;
+     }
+
+  if (name == NULL && flatpak_dir_get_remote_oci (dir, remote))
+    name = g_strdup ("org.flatpak.Authenticator.Oci");
+
+   if (name == NULL || *name == 0 /* or if no repo */)
+     {
+       flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote);
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 2c8e12eaf..19de4fd38 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir   *self,
+         }
+     }
+ 
+  if (flatpak_dir_get_remote_oci (self, remote_or_uri))
+    {
+      state->default_token_type = 1;
+    }
+
+   if (state->collection_id == NULL)
+     {
+       if (state->summary != NULL) /* In the optional case we might not have a summary */
+
+From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Fri, 8 May 2020 15:09:02 +0200
+Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local()
+
+(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637)
+---
+ common/flatpak-oci-registry-private.h | 1 +
+ common/flatpak-oci-registry.c         | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h
+index 1804e43b6..6745c5f65 100644
+--- a/common/flatpak-oci-registry-private.h
+++ b/common/flatpak-oci-registry-private.h
+@@ -62,6 +62,7 @@ FlatpakOciRegistry  *  flatpak_oci_registry_new (const char           *uri,
+                                                  GError              **error);
+ void                   flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
+                                                        const char *token);
+gboolean               flatpak_oci_registry_is_local (FlatpakOciRegistry *self);
+ const char          *  flatpak_oci_registry_get_uri (FlatpakOciRegistry *self);
+ FlatpakOciIndex     *  flatpak_oci_registry_load_index (FlatpakOciRegistry *self,
+                                                         GCancellable       *cancellable,
+diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
+index ae363bc1a..fdeee56bd 100644
+--- a/common/flatpak-oci-registry.c
+++ b/common/flatpak-oci-registry.c
+@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self)
+   self->tmp_dfd = -1;
+ }
+ 
+gboolean
+flatpak_oci_registry_is_local (FlatpakOciRegistry *self)
+{
+  return self->dfd != -1;
+}
+
+ const char *
+ flatpak_oci_registry_get_uri (FlatpakOciRegistry *self)
+ {
+
+From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Fri, 8 May 2020 15:10:38 +0200
+Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to
+ system-helper
+
+When we create a system child registry we also set the current token on
+it. This is not used directly in the client, however its saved in a
+file called .token and re-read in the system-helper, allowing it to
+also do the remote registry operations it needs to verify the child
+registry.
+
+(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d)
+---
+ common/flatpak-dir.c          |  8 ++++++--
+ common/flatpak-oci-registry.c | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 19de4fd38..25f874ecf 100644
+--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
+@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref)
+ 
+ static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
+                                                                          GLnxLockFile *file_lock,
+                                                                         const char   *token,
+                                                                          GError      **error);
+ 
+ static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir   *self,
+@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir   *self,
+ static FlatpakOciRegistry *
+ flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
+                                               GLnxLockFile *file_lock,
+                                              const char   *token,
+                                               GError      **error)
+ {
+   g_autoptr(GFile) cache_dir = NULL;
+@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
+   if (new_registry == NULL)
+     return NULL;
+ 
+  flatpak_oci_registry_set_token (new_registry, token);
+
+   return g_steal_pointer (&new_registry);
+ }
+ 
+@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir          *self,
+           g_autoptr(FlatpakOciRegistry) registry = NULL;
+           g_autoptr(GFile) registry_file = NULL;
+ 
+-          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
+          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
+           if (registry == NULL)
+             return FALSE;
+ 
+@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir                           *self,
+           g_autoptr(FlatpakOciRegistry) registry = NULL;
+           g_autoptr(GFile) registry_file = NULL;
+ 
+-          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
+          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
+           if (registry == NULL)
+             return FALSE;
+ 
+diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
+index fdeee56bd..c3ddb8c2b 100644
+--- a/common/flatpak-oci-registry.c
+++ b/common/flatpak-oci-registry.c
+@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
+ {
+   g_free (self->token);
+   self->token = g_strdup (token);
+
+  if (self->token)
+    (void)glnx_file_replace_contents_at (self->dfd, ".token",
+                                         (guchar *)self->token,
+                                         strlen (self->token),
+                                         0, NULL, NULL);
+ }
+ 
+
+ FlatpakOciRegistry *
+ flatpak_oci_registry_new (const char   *uri,
+                           gboolean      for_write,
+@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
+   int dfd;
+   g_autoptr(GError) local_error = NULL;
+   g_autoptr(GBytes) oci_layout_bytes = NULL;
+  g_autoptr(GBytes) token_bytes = NULL;
+   gboolean not_json;
+ 
+   if (self->dfd != -1)
+@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
+   else if (!verify_oci_version (oci_layout_bytes, &not_json, cancellable, error))
+     return FALSE;
+ 
+  if (self->dfd != -1)
+    {
+      token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL);
+      if (token_bytes != NULL)
+        self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes));
+    }
+
+   if (self->dfd == -1 && local_dfd != -1)
+     self->dfd = glnx_steal_fd (&local_dfd);
+ 
+
+From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Thu, 11 Jun 2020 15:43:16 +0200
+Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking
+ manifests
+
+We handle both types, so look for both.
+
+(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4)
+---
+ common/flatpak-json-oci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c
+index 6d60279d0..f5b3f0a0c 100644
+--- a/common/flatpak-json-oci.c
+++ b/common/flatpak-json-oci.c
+@@ -469,7 +469,8 @@ const char *
+ flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m)
+ {
+   if (m->parent.mediatype == NULL ||
+-      strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0)
+      (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 &&
+       strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0))
+     return NULL;
+ 
+   if (m->parent.annotations == NULL)
+
+From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 4 May 2020 15:51:48 +0200
+Subject: [PATCH 6/7] tests: Make OCI authenticator available
+
+(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86)
+---
+ tests/Makefile.am.inc | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
+index 7c2e8271f..15f521485 100644
+--- a/tests/Makefile.am.inc
+++ b/tests/Makefile.am.inc
+@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent
+ 	mkdir -p tests/services
+ 	$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@
+ 
+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in
+	mkdir -p tests/services
+	$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@
+
+ tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in
+ 	mkdir -p tests/share/xdg-desktop-portal/portals
+ 	$(AM_V_GEN) install -m644 $< $@
+ 
+-tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service
+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service
+ 
+ install-test-data-hook:
+ if ENABLE_INSTALLED_TESTS
+@@ -223,6 +227,7 @@ DISTCLEANFILES += \
+ 	tests/services/org.freedesktop.portal.Flatpak.service \
+ 	tests/services/org.freedesktop.impl.portal.desktop.test.service \
+ 	tests/services/org.flatpak.Authenticator.test.service \
+	tests/services/org.flatpak.Authenticator.Oci.service \
+ 	tests/share/xdg-desktop-portal/portals/test.portal \
+ 	tests/package_version.txt \
+ 	$(NULL)
+
+From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Mon, 4 May 2020 15:51:59 +0200
+Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server
+
+This just does a GET, which is not quite right, but will work.
+This is needed for the authenticator.
+
+(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604)
+---
+ tests/oci-registry-server.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py
+index 23c2db916..33c3b646b 100755
+--- a/tests/oci-registry-server.py
+++ b/tests/oci-registry-server.py
+@@ -135,6 +135,9 @@ def do_GET(self):
+             else:
+                 self.wfile.write(response_string.encode('utf-8'))
+ 
+    def do_HEAD(self):
+        return self.do_GET()
+
+     def do_POST(self):
+         if self.check_route('/testing/@repo_name/@tag'):
+             repo_name = self.matches['repo_name']
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@ -0,0 +1,489 @@
+%global bubblewrap_version 0.4.0
+%global ostree_version 2018.9
+
+Name:           flatpak
+Version:        1.6.2
+Release:        3%{?dist}
+Summary:        Application deployment framework for desktop apps
+
+License:        LGPLv2+
+URL:            http://flatpak.org/
+Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1814045
+Patch0:         flatpak-1.6.2-oci-fixes.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1847201
+Patch1:         flatpak-1.6.2-oci-fixes2.patch
+
+BuildRequires:  pkgconfig(appstream-glib)
+BuildRequires:  pkgconfig(dconf)
+BuildRequires:  pkgconfig(fuse)
+BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
+BuildRequires:  pkgconfig(gio-unix-2.0)
+BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 1.40.0
+BuildRequires:  pkgconfig(json-glib-1.0)
+BuildRequires:  pkgconfig(libarchive) >= 2.8.0
+BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libsoup-2.4)
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(libxml-2.0) >= 2.4
+BuildRequires:  pkgconfig(ostree-1) >= %{ostree_version}
+BuildRequires:  pkgconfig(polkit-gobject-1)
+BuildRequires:  pkgconfig(xau)
+BuildRequires:  bison
+BuildRequires:  bubblewrap >= %{bubblewrap_version}
+BuildRequires:  docbook-dtds
+BuildRequires:  docbook-style-xsl
+BuildRequires:  gettext
+BuildRequires:  gpgme-devel
+BuildRequires:  libcap-devel
+BuildRequires:  systemd
+BuildRequires:  /usr/bin/xmlto
+BuildRequires:  /usr/bin/xsltproc
+
+%{?systemd_requires}
+
+Requires:       bubblewrap >= %{bubblewrap_version}
+Requires:       librsvg2%{?_isa}
+Requires:       ostree-libs%{?_isa} >= %{ostree_version}
+# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+Requires:       (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
+Requires:       %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
+Recommends:     p11-kit-server
+
+# Make sure the document portal is installed
+%if 0%{?fedora} || 0%{?rhel} > 7
+Recommends:     xdg-desktop-portal > 0.10
+# Remove in F30.
+Conflicts:      xdg-desktop-portal < 0.10
+%else
+Requires:       xdg-desktop-portal > 0.10
+%endif
+
+%description
+flatpak is a system for building, distributing and running sandboxed desktop
+applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
+more information.
+
+%package devel
+Summary:        Development files for %{name}
+License:        LGPLv2+
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+This package contains the pkg-config file and development headers for %{name}.
+
+%package libs
+Summary:        Libraries for %{name}
+License:        LGPLv2+
+Requires:       bubblewrap >= %{bubblewrap_version}
+Requires:       ostree%{?_isa} >= %{ostree_version}
+Requires(pre):  /usr/sbin/useradd
+
+%description libs
+This package contains libflatpak.
+
+%package selinux
+Summary:        SELinux policy module for %{name}
+License:        LGPLv2+
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+BuildArch:      noarch
+%{?selinux_requires}
+
+%description selinux
+This package contains the SELinux policy module for %{name}.
+
+%package session-helper
+Summary:        User D-Bus service used by %{name} and others
+License:        LGPLv2+
+Conflicts:      flatpak < 1.4.1-2
+Requires:       systemd
+
+%description session-helper
+This package contains the org.freedesktop.Flatpak user D-Bus service
+that's used by %{name} and other packages.
+
+%package tests
+Summary:        Tests for %{name}
+License:        LGPLv2+
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Requires:       %{name}-session-helper%{?_isa} = %{version}-%{release}
+Requires:       bubblewrap >= %{bubblewrap_version}
+Requires:       ostree%{?_isa} >= %{ostree_version}
+
+%description tests
+This package contains installed tests for %{name}.
+
+
+%prep
+%autosetup -p1
+
+
+%build
+(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
+ # Generate consistent IDs between runs to avoid multilib problems.
+ export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
+ %configure \
+            --enable-docbook-docs \
+            --enable-installed-tests \
+            --enable-selinux-module \
+            --with-priv-mode=none \
+            --with-system-bubblewrap \
+            $CONFIGFLAGS)
+%make_build V=1
+
+
+%install
+%make_install
+install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
+# The system repo is not installed by the flatpak build system.
+install -d %{buildroot}%{_localstatedir}/lib/flatpak
+install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
+rm -f %{buildroot}%{_libdir}/libflatpak.la
+%find_lang %{name}
+
+
+%pre
+getent group flatpak >/dev/null || groupadd -r flatpak
+getent passwd flatpak >/dev/null || \
+    useradd -r -g flatpak -d / -s /sbin/nologin \
+     -c "User for flatpak system helper" flatpak
+exit 0
+
+
+%post
+# Create an (empty) system-wide repo.
+flatpak remote-list --system &> /dev/null || :
+
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
+
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
+fi
+
+
+%ldconfig_scriptlets libs
+
+
+%files -f %{name}.lang
+%license COPYING
+# Comply with the packaging guidelines about not mixing relative and absolute
+# paths in doc.
+%doc %{_pkgdocdir}
+%{_bindir}/flatpak
+%{_bindir}/flatpak-bisect
+%{_bindir}/flatpak-coredumpctl
+%{_datadir}/bash-completion
+%{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml
+%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml
+%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
+%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
+%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
+# Co-own directory.
+%{_datadir}/gdm/env.d
+%{_datadir}/%{name}
+%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
+%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
+%{_datadir}/zsh/site-functions
+%{_libexecdir}/flatpak-dbus-proxy
+%{_libexecdir}/flatpak-oci-authenticator
+%{_libexecdir}/flatpak-portal
+%{_libexecdir}/flatpak-system-helper
+%{_libexecdir}/flatpak-validate-icon
+%{_libexecdir}/revokefs-fuse
+%dir %{_localstatedir}/lib/flatpak
+%{_mandir}/man1/%{name}*.1*
+%{_mandir}/man5/%{name}-metadata.5*
+%{_mandir}/man5/flatpak-flatpakref.5*
+%{_mandir}/man5/flatpak-flatpakrepo.5*
+%{_mandir}/man5/flatpak-installation.5*
+%{_mandir}/man5/flatpak-remote.5*
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
+%{_sysconfdir}/flatpak/remotes.d
+%{_sysconfdir}/profile.d/flatpak.sh
+%{_unitdir}/flatpak-system-helper.service
+%{_userunitdir}/flatpak-oci-authenticator.service
+%{_userunitdir}/flatpak-portal.service
+%{_systemd_user_env_generator_dir}/60-flatpak
+
+%files devel
+%{_datadir}/gir-1.0/Flatpak-1.0.gir
+%{_datadir}/gtk-doc/
+%{_includedir}/%{name}/
+%{_libdir}/libflatpak.so
+%{_libdir}/pkgconfig/%{name}.pc
+
+%files libs
+%license COPYING
+%{_libdir}/girepository-1.0/Flatpak-1.0.typelib
+%{_libdir}/libflatpak.so.*
+
+%files selinux
+%{_datadir}/selinux/packages/flatpak.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/flatpak.if
+
+%files session-helper
+%license COPYING
+%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml
+%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service
+%{_libexecdir}/flatpak-session-helper
+%{_userunitdir}/flatpak-session-helper.service
+
+%files tests
+%{_datadir}/installed-tests
+%{_libexecdir}/installed-tests
+
+
+%changelog
+* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3
+- Further fixes for OCI authenticator (#1847201)
+
+* Fri Mar 20 2020 David King <dking@redhat.com> - 1.6.2-2
+- Fixes for OCI authenticator (#1814045)
+
+* Thu Feb 13 2020 David King <dking@redhat.com> - 1.6.2-1
+- Rebase to 1.6.2 (#1775339)
+
+* Thu Jan 23 2020 David King <dking@redhat.com> - 1.6.1-1
+- Rebase to 1.6.1 (#1775339)
+
+* Fri Jan 17 2020 David King <dking@redhat.com> - 1.6.0-2
+- Remove broken python3 sed hack (#1775339)
+
+* Sat Dec 21 2019 David King <dking@redhat.com> - 1.6.0-1
+- Rebase to 1.6.0 (#1775339)
+
+* Fri Nov 08 2019 David King <dking@redhat.com> - 1.4.3-2
+- Use %%{?selinux_requires} for proper install ordering
+
+* Tue Oct 08 2019 David King <dking@redhat.com> - 1.4.3-1
+- Rebase to 1.4.3 (#1748276)
+
+* Fri Sep 20 2019 Kalev Lember <klember@redhat.com> - 1.0.9-1
+- Update to 1.0.9 (#1753613)
+
+* Tue May 14 2019 David King <dking@redhat.com> - 1.0.6-4
+- Bump release (#1700654)
+
+* Mon Apr 29 2019 David King <dking@redhat.com> - 1.0.6-3
+- Fix IOCSTI sandbox bypass (#1700654)
+
+* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.6-2
+- Do not mount /proc in root sandbox (#1675776)
+
+* Tue Dec 18 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
+- Update to 1.0.6 (#1630249)
+- Recommend p11-kit-server instead of just p11-kit (#1649049)
+
+* Mon Dec 10 2018 David King <dking@redhat.com> - 1.0.4-2
+- Backport patches to improve OCI support (#1657306)
+
+* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
+- Update to 1.0.4 (#1630249)
+
+* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
+- Update to 1.0.2 (#1630249)
+
+* Tue Aug 28 2018 David King <dking@redhat.com> - 1.0.1-1
+- Update to 1.0.1 (#1621401)
+
+* Wed Aug 01 2018 David King <dking@redhat.com> - 0.99.3-1
+- Update to 0.99.3
+
+* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
+- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
+  somewhere before Fedora 22 which this spec file certainly no longer
+  supports.
+
+* Thu May 03 2018 Kalev Lember <klember@redhat.com> - 0.11.7-1
+- Update to 0.11.7
+
+* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.6-1
+- Update to 0.11.6
+
+* Wed May 02 2018 Kalev Lember <klember@redhat.com> - 0.11.5-2
+- Backport a fix for a gnome-software crash installing .flatpakref files
+
+* Mon Apr 30 2018 David King <amigadave@amigadave.com> - 0.11.5-1
+- Update to 0.11.5
+
+* Thu Apr 26 2018 Kalev Lember <klember@redhat.com> - 0.11.4-1
+- Update to 0.11.4
+
+* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.3-1
+- Update to 0.11.3
+
+* Mon Feb 19 2018 David King <amigadave@amigadave.com> - 0.11.2-1
+- Update to 0.11.2
+
+* Wed Feb 14 2018 David King <amigadave@amigadave.com> - 0.11.1-1
+- Update to 0.11.1 (#1545224)
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.10.3-2
+- Switch to %%ldconfig_scriptlets
+
+* Tue Jan 30 2018 Kalev Lember <klember@redhat.com> - 0.10.3-1
+- Update to 0.10.3
+
+* Thu Dec 21 2017 David King <amigadave@amigadave.com> - 0.10.2.1-1
+- Update to 0.10.2.1
+
+* Fri Dec 15 2017 Kalev Lember <klember@redhat.com> - 0.10.2-1
+- Update to 0.10.2
+
+* Fri Nov 24 2017 David King <amigadave@amigadave.com> - 0.10.1-1
+- Update to 0.10.1
+
+* Thu Oct 26 2017 Kalev Lember <klember@redhat.com> - 0.10.0-1
+- Update to 0.10.0
+
+* Mon Oct 09 2017 Kalev Lember <klember@redhat.com> - 0.9.99-1
+- Update to 0.9.99
+
+* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.2-1
+- Update to 0.9.98.2
+
+* Tue Sep 26 2017 Kalev Lember <klember@redhat.com> - 0.9.98.1-1
+- Update to 0.9.98.1
+
+* Mon Sep 25 2017 Kalev Lember <klember@redhat.com> - 0.9.98-1
+- Update to 0.9.98
+
+* Thu Sep 14 2017 Kalev Lember <klember@redhat.com> - 0.9.12-1
+- Update to 0.9.12
+
+* Wed Sep 13 2017 Kalev Lember <klember@redhat.com> - 0.9.11-1
+- Update to 0.9.11
+
+* Mon Sep 04 2017 Kalev Lember <klember@redhat.com> - 0.9.10-1
+- Update to 0.9.10
+- Split out flatpak-builder to a separate source package
+
+* Fri Aug 25 2017 Kalev Lember <klember@redhat.com> - 0.9.8-2
+- Backport a patch to fix regression in --devel
+
+* Mon Aug 21 2017 David King <amigadave@amigadave.com> - 0.9.8-1
+- Update to 0.9.8
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 0.9.7-4
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Thu Jul 27 2017 Owen Taylor <otaylor@redhat.com> - 0.9.7-3
+- Add a patch to fix OCI refname annotation
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 01 2017 David King <amigadave@amigadave.com> - 0.9.7-1
+- Update to 0.9.7 (#1466970)
+
+* Tue Jun 20 2017 David King <amigadave@amigadave.com> - 0.9.6-1
+- Update to 0.9.6
+
+* Sat Jun 10 2017 David King <amigadave@amigadave.com> - 0.9.5-1
+- Update to 0.9.5 (#1460437)
+
+* Tue May 23 2017 David King <amigadave@amigadave.com> - 0.9.4-1
+- Update to 0.9.4 (#1454750)
+
+* Mon Apr 24 2017 David King <amigadave@amigadave.com> - 0.9.3-1
+- Update to 0.9.3
+
+* Fri Apr 07 2017 David King <amigadave@amigadave.com> - 0.9.2-2
+- Add eu-strip dependency for flatpak-builder
+
+* Wed Apr 05 2017 Kalev Lember <klember@redhat.com> - 0.9.2-1
+- Update to 0.9.2
+
+* Wed Mar 15 2017 Kalev Lember <klember@redhat.com> - 0.9.1-1
+- Update to 0.9.1
+
+* Fri Mar 10 2017 Kalev Lember <klember@redhat.com> - 0.8.4-1
+- Update to 0.8.4
+
+* Sun Feb 19 2017 David King <amigadave@amigadave.com> - 0.8.3-3
+- Make flatpak-builder require bzip2 (#1424857)
+
+* Wed Feb 15 2017 Kalev Lember <klember@redhat.com> - 0.8.3-2
+- Avoid pulling in all of ostree and only depend on ostree-libs subpackage
+
+* Tue Feb 14 2017 Kalev Lember <klember@redhat.com> - 0.8.3-1
+- Update to 0.8.3
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan 27 2017 Kalev Lember <klember@redhat.com> - 0.8.2-1
+- Update to 0.8.2
+
+* Wed Jan 18 2017 David King <amigadave@amigadave.com> - 0.8.1-1
+- Update to 0.8.1
+
+* Tue Dec 20 2016 Kalev Lember <klember@redhat.com> - 0.8.0-1
+- Update to 0.8.0
+
+* Tue Nov 29 2016 David King <amigadave@amigadave.com> - 0.6.14-2
+- Add a patch to fix a GNOME Software crash
+- Silence repository listing during post
+
+* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 0.6.14-1
+- Update to 0.6.14
+
+* Wed Oct 26 2016 David King <amigadave@amigadave.com> - 0.6.13-2
+- Add empty /etc/flatpak/remotes.d
+
+* Tue Oct 25 2016 David King <amigadave@amigadave.com> - 0.6.13-1
+- Update to 0.6.13
+
+* Thu Oct 06 2016 David King <amigadave@amigadave.com> - 0.6.12-1
+- Update to 0.6.12
+
+* Tue Sep 20 2016 Kalev Lember <klember@redhat.com> - 0.6.11-1
+- Update to 0.6.11
+- Set minimum ostree and bubblewrap versions
+
+* Mon Sep 12 2016 David King <amigadave@amigadave.com> - 0.6.10-1
+- Update to 0.6.10
+
+* Tue Sep 06 2016 David King <amigadave@amigadave.com> - 0.6.9-2
+- Look for bwrap in PATH
+
+* Thu Aug 25 2016 David King <amigadave@amigadave.com> - 0.6.9-1
+- Update to 0.6.9
+
+* Mon Aug 01 2016 David King <amigadave@amigadave.com> - 0.6.8-1
+- Update to 0.6.8 (#1361823)
+
+* Thu Jul 21 2016 David King <amigadave@amigadave.com> - 0.6.7-2
+- Use system bubblewrap
+
+* Fri Jul 01 2016 David King <amigadave@amigadave.com> - 0.6.7-1
+- Update to 0.6.7
+
+* Thu Jun 23 2016 David King <amigadave@amigadave.com> - 0.6.6-1
+- Update to 0.6.6
+
+* Fri Jun 10 2016 David King <amigadave@amigadave.com> - 0.6.5-1
+- Update to 0.6.5
+
+* Wed Jun 01 2016 David King <amigadave@amigadave.com> - 0.6.4-1
+- Update to 0.6.4
+
+* Tue May 31 2016 David King <amigadave@amigadave.com> - 0.6.3-1
+- Update to 0.6.3
+- Move bwrap to main package
+
+* Tue May 24 2016 David King <amigadave@amigadave.com> - 0.6.2-1
+- Rename from xdg-app to flatpak (#1337434)
				`@ -0,0 +1 @@`
				`6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz`