Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
@ -1 +1 @@
|
|||||||
41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz
|
aadb61d0d67fa6bc4a3cbe54b0acfb78403a5cd1 SOURCES/flatpak-1.12.8.tar.xz
|
||||||
|
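--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.12.9.tar.xz
+SOURCES/flatpak-1.12.8.tar.xz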
@ -1,330 +0,0 @@
|
|||||||
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 3 Jun 2024 12:22:30 +0200
|
|
||||||
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
|
|
||||||
|
|
||||||
These directories are in a location under application control, so we
|
|
||||||
can't trust them to not be a symlink outside of the files accessibe to
|
|
||||||
the application.
|
|
||||||
|
|
||||||
Continue to treat --persist=/foo as --persist=foo for backwards compat,
|
|
||||||
since this is how it (accidentally) worked before, but print a warning.
|
|
||||||
|
|
||||||
Don't allow ".." elements in persist paths: these would not be useful
|
|
||||||
anyway, and are unlikely to be in use, however they could potentially
|
|
||||||
be used to confuse the persist path handling.
|
|
||||||
|
|
||||||
This partially addresses CVE-2024-42472. If only one instance of the
|
|
||||||
malicious or compromised app is run at a time, the vulnerability
|
|
||||||
is avoided. If two instances can run concurrently, there is a
|
|
||||||
time-of-check/time-of-use issue remaining, which can only be resolved
|
|
||||||
with changes to bubblewrap; this will be resolved in a separate commit,
|
|
||||||
because the bubblewrap dependency might be more difficult to provide in
|
|
||||||
LTS distributions.
|
|
||||||
|
|
||||||
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
|
||||||
[smcv: Make whitespace consistent]
|
|
||||||
[smcv: Use g_warning() if unable to create --persist paths]
|
|
||||||
[smcv: Use stat() to detect symlinks and warn about them]
|
|
||||||
[smcv: Use glnx_steal_fd() for portability to older GLib]
|
|
||||||
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
|
|
||||||
1 file changed, 105 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
|
|
||||||
index 53b79807..8c784acf 100644
|
|
||||||
--- a/common/flatpak-context.c
|
|
||||||
+++ b/common/flatpak-context.c
|
|
||||||
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
|
|
||||||
return g_steal_pointer (&exports);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* This creates zero or more directories unders base_fd+basedir, each
|
|
||||||
+ * being guaranteed to either exist and be a directory (no symlinks)
|
|
||||||
+ * or be created as a directory. The last directory is opened
|
|
||||||
+ * and the fd is returned.
|
|
||||||
+ */
|
|
||||||
+static gboolean
|
|
||||||
+mkdir_p_open_nofollow_at (int base_fd,
|
|
||||||
+ const char *basedir,
|
|
||||||
+ int mode,
|
|
||||||
+ const char *subdir,
|
|
||||||
+ int *out_fd,
|
|
||||||
+ GError **error)
|
|
||||||
+{
|
|
||||||
+ glnx_autofd int parent_fd = -1;
|
|
||||||
+
|
|
||||||
+ if (g_path_is_absolute (subdir))
|
|
||||||
+ {
|
|
||||||
+ const char *skipped_prefix = subdir;
|
|
||||||
+
|
|
||||||
+ while (*skipped_prefix == '/')
|
|
||||||
+ skipped_prefix++;
|
|
||||||
+
|
|
||||||
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
|
|
||||||
+ subdir = skipped_prefix;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
|
|
||||||
+
|
|
||||||
+ if (strcmp (subdir_dirname, ".") == 0)
|
|
||||||
+ {
|
|
||||||
+ /* It is ok to open basedir with follow=true */
|
|
||||||
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
+ else if (strcmp (subdir_dirname, "..") == 0)
|
|
||||||
+ {
|
|
||||||
+ return glnx_throw (error, "'..' not supported in --persist paths");
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
|
|
||||||
+ subdir_dirname, &parent_fd, error))
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
|
|
||||||
+
|
|
||||||
+ if (strcmp (subdir_basename, ".") == 0)
|
|
||||||
+ {
|
|
||||||
+ *out_fd = glnx_steal_fd (&parent_fd);
|
|
||||||
+ return TRUE;
|
|
||||||
+ }
|
|
||||||
+ else if (strcmp (subdir_basename, "..") == 0)
|
|
||||||
+ {
|
|
||||||
+ return glnx_throw (error, "'..' not supported in --persist paths");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
|
|
||||||
+ return FALSE;
|
|
||||||
+
|
|
||||||
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
|
|
||||||
+ if (fd == -1)
|
|
||||||
+ {
|
|
||||||
+ int saved_errno = errno;
|
|
||||||
+ struct stat stat_buf;
|
|
||||||
+
|
|
||||||
+ /* If it's a symbolic link, that could be a user trying to offload
|
|
||||||
+ * large data to another filesystem, but it could equally well be
|
|
||||||
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
|
|
||||||
+ * Produce a clearer error message in this case.
|
|
||||||
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
|
|
||||||
+ * to ask again to find out whether it's really a symlink. */
|
|
||||||
+ if (saved_errno == ENOTDIR &&
|
|
||||||
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
|
|
||||||
+ S_ISLNK (stat_buf.st_mode))
|
|
||||||
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
|
|
||||||
+
|
|
||||||
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *out_fd = fd;
|
|
||||||
+ return TRUE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void
|
|
||||||
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
|
||||||
FlatpakBwrap *bwrap,
|
|
||||||
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
|
||||||
while (g_hash_table_iter_next (&iter, &key, NULL))
|
|
||||||
{
|
|
||||||
const char *persist = key;
|
|
||||||
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
|
|
||||||
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
|
|
||||||
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
|
|
||||||
+ g_autoptr(GError) local_error = NULL;
|
|
||||||
+
|
|
||||||
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
|
|
||||||
+ {
|
|
||||||
+ g_warning ("Unable to create directory %s", appdir);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Don't follow symlinks from the persist directory, as it is under user control */
|
|
||||||
+ glnx_autofd int src_fd = -1;
|
|
||||||
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
|
|
||||||
+ persist, &src_fd,
|
|
||||||
+ &local_error))
|
|
||||||
+ {
|
|
||||||
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- g_mkdir_with_parents (src, 0755);
|
|
||||||
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
|
|
||||||
|
|
||||||
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
|
|
||||||
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
|
|
||||||
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
||||||
|
|
||||||
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Larsson <alexl@redhat.com>
|
|
||||||
Date: Mon, 3 Jun 2024 12:59:05 +0200
|
|
||||||
Subject: [PATCH 2/4] Add test coverage for --persist
|
|
||||||
|
|
||||||
This adds three "positive" tests: the common case --persist=.persist, the
|
|
||||||
deprecated spelling --persist=/.persist, and the less common special case
|
|
||||||
--persist=. as used by Steam.
|
|
||||||
|
|
||||||
It also adds "negative" tests for CVE-2024-42472: if the --persist
|
|
||||||
directory is a symbolic link or contains path segment "..", we want that
|
|
||||||
to be rejected.
|
|
||||||
|
|
||||||
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
|
||||||
[smcv: Add "positive" tests]
|
|
||||||
[smcv: Exercise --persist=..]
|
|
||||||
[smcv: Assert that --persist with a symlink produces expected message]
|
|
||||||
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
1 file changed, 40 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/tests/test-run.sh b/tests/test-run.sh
|
|
||||||
index dd371df3..bca0845d 100644
|
|
||||||
--- a/tests/test-run.sh
|
|
||||||
+++ b/tests/test-run.sh
|
|
||||||
@@ -24,7 +24,7 @@ set -euo pipefail
|
|
||||||
skip_without_bwrap
|
|
||||||
skip_revokefs_without_fuse
|
|
||||||
|
|
||||||
-echo "1..20"
|
|
||||||
+echo "1..21"
|
|
||||||
|
|
||||||
# Use stable rather than master as the branch so we can test that the run
|
|
||||||
# command automatically finds the branch correctly
|
|
||||||
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
|
|
||||||
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
|
|
||||||
|
|
||||||
ok "--sdk option"
|
|
||||||
+
|
|
||||||
+rm -fr "$HOME/.var/app/org.test.Hello"
|
|
||||||
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
|
||||||
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
|
|
||||||
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
|
|
||||||
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
|
|
||||||
+
|
|
||||||
+ok "--persist=.persist persists a directory"
|
|
||||||
+
|
|
||||||
+rm -fr "$HOME/.var/app/org.test.Hello"
|
|
||||||
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
|
||||||
+# G_DEBUG= to avoid the deprecation warning being fatal
|
|
||||||
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
|
|
||||||
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
|
|
||||||
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
|
|
||||||
+
|
|
||||||
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
|
|
||||||
+
|
|
||||||
+rm -fr "$HOME/.var/app/org.test.Hello"
|
|
||||||
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
|
||||||
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
|
|
||||||
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
|
|
||||||
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
|
|
||||||
+
|
|
||||||
+ok "--persist=. persists all files"
|
|
||||||
+
|
|
||||||
+mkdir "${TEST_DATA_DIR}/inaccessible"
|
|
||||||
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
|
|
||||||
+rm -fr "$HOME/.var/app/org.test.Hello"
|
|
||||||
+mkdir -p "$HOME/.var/app/org.test.Hello"
|
|
||||||
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
|
|
||||||
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
|
|
||||||
+# LC_ALL=C so we get the expected non-localized string.
|
|
||||||
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
|
|
||||||
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
|
|
||||||
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
|
|
||||||
+assert_not_file_has_content hello_out "secret-file"
|
|
||||||
+
|
|
||||||
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
||||||
|
|
||||||
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Mon, 12 Aug 2024 19:48:18 +0100
|
|
||||||
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
|
|
||||||
option
|
|
||||||
|
|
||||||
We need this for the --bind-fd option, which will close a race
|
|
||||||
condition in our solution to CVE-2024-42472.
|
|
||||||
|
|
||||||
For this stable branch, check the --help output for a --bind-fd option
|
|
||||||
instead of requiring a specific version number, to accommodate possible
|
|
||||||
backports in LTS distributions.
|
|
||||||
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
configure.ac | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 0a44e11a..0c8e2d0e 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
|
|
||||||
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
|
|
||||||
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
|
|
||||||
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
|
|
||||||
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
|
|
||||||
+ [:],
|
|
||||||
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
|
|
||||||
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
|
|
||||||
else
|
|
||||||
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
||||||
|
|
||||||
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon McVittie <smcv@collabora.com>
|
|
||||||
Date: Wed, 14 Aug 2024 13:44:30 +0100
|
|
||||||
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
|
|
||||||
option
|
|
||||||
|
|
||||||
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
|
|
||||||
has two advantages:
|
|
||||||
* bwrap closes the fd when used, so it doesn't leak into the started app
|
|
||||||
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
|
|
||||||
as there is a small (required) gap between symlink resolve and mount
|
|
||||||
where the target path could be replaced.
|
|
||||||
|
|
||||||
Please note that this change requires an updated version of bubblewrap.
|
|
||||||
|
|
||||||
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
|
|
||||||
[smcv: Make whitespace consistent]
|
|
||||||
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
||||||
---
|
|
||||||
common/flatpak-context.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
|
|
||||||
index 8c784acf..baa62728 100644
|
|
||||||
--- a/common/flatpak-context.c
|
|
||||||
+++ b/common/flatpak-context.c
|
|
||||||
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
|
|
||||||
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
|
|
||||||
|
|
||||||
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
|
|
||||||
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
|
|
||||||
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Debarshi Ray <debarshir@gnome.org>
|
|
||||||
Date: Mon, 6 Nov 2023 20:27:16 +0100
|
|
||||||
Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
|
|
||||||
|
|
||||||
This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
|
|
||||||
---
|
|
||||||
selinux/flatpak.te | 4 ----
|
|
||||||
1 file changed, 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/flatpak.te b/selinux/flatpak.te
|
|
||||||
index bb3d80e316eb..4cf895c44abe 100644
|
|
||||||
--- a/selinux/flatpak.te
|
|
||||||
+++ b/selinux/flatpak.te
|
|
||||||
@@ -33,10 +33,6 @@ optional_policy(`
|
|
||||||
policykit_dbus_chat(flatpak_helper_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
-optional_policy(`
|
|
||||||
- systemd_userdbd_stream_connect(flatpak_helper_t)
|
|
||||||
-')
|
|
||||||
-
|
|
||||||
optional_policy(`
|
|
||||||
unconfined_domain(flatpak_helper_t)
|
|
||||||
')
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -0,0 +1,38 @@
|
|||||||
|
From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <debarshir@gnome.org>
|
||||||
|
Date: Mon, 31 Jan 2022 21:17:29 +0100
|
||||||
|
Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
|
||||||
|
remote
|
||||||
|
|
||||||
|
SHA1 hashes are considered weak these days. Some distributions have
|
||||||
|
static analysis tools to detect the use of such weak hashes, and they
|
||||||
|
get triggered by flatpak. While this particular use of SHA1 in flatpak
|
||||||
|
is likely not security sensitive, it's also easy to move to SHA256 to
|
||||||
|
avoid any debate.
|
||||||
|
|
||||||
|
Here, the SHA1 hash of a named remote's filter file is used to generate
|
||||||
|
the name of the directory where the refs from that remote are cached.
|
||||||
|
One can reasonably assume that the cache is frequently invalidated
|
||||||
|
because the list of refs on the remote changes all the time. Hence,
|
||||||
|
it's not big problem if it gets invalidated once more because of this
|
||||||
|
change.
|
||||||
|
---
|
||||||
|
common/flatpak-dir.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||||
|
index 18384bd432fc..c6d08e85b41f 100644
|
||||||
|
--- a/common/flatpak-dir.c
|
||||||
|
+++ b/common/flatpak-dir.c
|
||||||
|
@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
|
||||||
|
}
|
||||||
|
|
||||||
|
filter = g_new0 (RemoteFilter, 1);
|
||||||
|
- filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
|
||||||
|
+ filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
|
||||||
|
filter->path = g_object_ref (path);
|
||||||
|
filter->mtime = mtime;
|
||||||
|
filter->last_mtime_check = g_get_monotonic_time ();
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
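Review bot: The changed `g_compute_checksum_for_data` line in remote_filter_load has no comment saying that `filter->checksum` only names a cache directory and is not an integrity check, so the next weak-hash scan or audit has to recover that from the commit message. I would add `/* Cache key for the filtered remote's ref cache, not an integrity check */` directly above the assignment. The description accepts one more cache invalidation, but directories already named after the old SHA1 value are presumably left behind on disk, and nothing in the visible lines removes or mentions them. remote_filter_load starts and ends outside the hunk, so both points need checking against the full function.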
@ -1,9 +1,9 @@
|
|||||||
%global bubblewrap_version 0.4.0-2
|
%global bubblewrap_version 0.4.0
|
||||||
%global ostree_version 2020.8
|
%global ostree_version 2020.8
|
||||||
|
|
||||||
Name: flatpak
|
Name: flatpak
|
||||||
Version: 1.12.9
|
Version: 1.12.8
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Application deployment framework for desktop apps
|
Summary: Application deployment framework for desktop apps
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -15,11 +15,8 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
|
|||||||
Source1: flatpak-add-fedora-repos.service
|
Source1: flatpak-add-fedora-repos.service
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# https://issues.redhat.com/browse/RHEL-4220
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1935508
|
||||||
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
|
Patch0: flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
|
||||||
|
|
||||||
# Backported upstream patch for CVE-2024-42472
|
|
||||||
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
|
|
||||||
|
|
||||||
BuildRequires: pkgconfig(appstream-glib)
|
BuildRequires: pkgconfig(appstream-glib)
|
||||||
BuildRequires: pkgconfig(dconf)
|
BuildRequires: pkgconfig(dconf)
|
||||||
@ -43,17 +40,17 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
|
|||||||
BuildRequires: docbook-dtds
|
BuildRequires: docbook-dtds
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: libassuan-devel
|
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
BuildRequires: python3-devel
|
|
||||||
BuildRequires: python3-pyparsing
|
BuildRequires: python3-pyparsing
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
|
BuildRequires: /usr/bin/xdg-dbus-proxy
|
||||||
BuildRequires: /usr/bin/xmlto
|
BuildRequires: /usr/bin/xmlto
|
||||||
BuildRequires: /usr/bin/xsltproc
|
BuildRequires: /usr/bin/xsltproc
|
||||||
|
|
||||||
Requires: bubblewrap >= %{bubblewrap_version}
|
Requires: bubblewrap >= %{bubblewrap_version}
|
||||||
Requires: librsvg2%{?_isa}
|
Requires: librsvg2%{?_isa}
|
||||||
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
Requires: ostree-libs%{?_isa} >= %{ostree_version}
|
||||||
|
Requires: /usr/bin/xdg-dbus-proxy
|
||||||
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
|
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
|
||||||
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
|
Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted)
|
||||||
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
|
Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
|
||||||
@ -62,8 +59,6 @@ Recommends: p11-kit-server
|
|||||||
# Make sure the document portal is installed
|
# Make sure the document portal is installed
|
||||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
Recommends: xdg-desktop-portal > 0.10
|
Recommends: xdg-desktop-portal > 0.10
|
||||||
# Remove in F30.
|
|
||||||
Conflicts: xdg-desktop-portal < 0.10
|
|
||||||
%else
|
%else
|
||||||
Requires: xdg-desktop-portal > 0.10
|
Requires: xdg-desktop-portal > 0.10
|
||||||
%endif
|
%endif
|
||||||
@ -97,6 +92,7 @@ Summary: SELinux policy module for %{name}
|
|||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
BuildRequires: selinux-policy
|
BuildRequires: selinux-policy
|
||||||
BuildRequires: selinux-policy-devel
|
BuildRequires: selinux-policy-devel
|
||||||
|
BuildRequires: make
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%{?selinux_requires}
|
%{?selinux_requires}
|
||||||
|
|
||||||
@ -128,11 +124,14 @@ This package contains installed tests for %{name}.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
# Make sure to use the RHEL-lifetime supported Python and no other
|
|
||||||
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
# gobject introspection does not work with LTO. There is an effort to fix this
|
||||||
|
# in the appropriate project upstreams, so hopefully LTO can be enabled someday
|
||||||
|
# Disable LTO.
|
||||||
|
%define _lto_cflags %{nil}
|
||||||
|
|
||||||
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
|
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
|
||||||
# Generate consistent IDs between runs to avoid multilib problems.
|
# Generate consistent IDs between runs to avoid multilib problems.
|
||||||
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
|
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
|
||||||
@ -142,6 +141,7 @@ This package contains installed tests for %{name}.
|
|||||||
--enable-selinux-module \
|
--enable-selinux-module \
|
||||||
--with-priv-mode=none \
|
--with-priv-mode=none \
|
||||||
--with-system-bubblewrap \
|
--with-system-bubblewrap \
|
||||||
|
--with-system-dbus-proxy \
|
||||||
$CONFIGFLAGS)
|
$CONFIGFLAGS)
|
||||||
%make_build V=1
|
%make_build V=1
|
||||||
|
|
||||||
@ -202,9 +202,6 @@ if [ $1 -eq 0 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
%ldconfig_scriptlets libs
|
|
||||||
|
|
||||||
|
|
||||||
%files -f %{name}.lang
|
%files -f %{name}.lang
|
||||||
%license COPYING
|
%license COPYING
|
||||||
# Comply with the packaging guidelines about not mixing relative and absolute
|
# Comply with the packaging guidelines about not mixing relative and absolute
|
||||||
@ -219,12 +216,11 @@ fi
|
|||||||
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
|
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
|
||||||
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
|
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
|
||||||
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
|
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
|
||||||
%{_datadir}/fish
|
%{_datadir}/fish/
|
||||||
%{_datadir}/%{name}
|
%{_datadir}/%{name}
|
||||||
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
|
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
|
||||||
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
|
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
|
||||||
%{_datadir}/zsh/site-functions
|
%{_datadir}/zsh/site-functions
|
||||||
%{_libexecdir}/flatpak-dbus-proxy
|
|
||||||
%{_libexecdir}/flatpak-oci-authenticator
|
%{_libexecdir}/flatpak-oci-authenticator
|
||||||
%{_libexecdir}/flatpak-portal
|
%{_libexecdir}/flatpak-portal
|
||||||
%{_libexecdir}/flatpak-system-helper
|
%{_libexecdir}/flatpak-system-helper
|
||||||
@ -280,121 +276,319 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3
|
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
|
||||||
- Fix previous changelog entry
|
- Update to 1.12.8 (CVE-2023-28100, CVE-2023-28101)
|
||||||
|
Resolves: #2180312, #2221792
|
||||||
|
|
||||||
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2
|
* Mon Jun 27 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-2
|
||||||
- Backport upstream patches for CVE-2024-42472
|
- Let flatpak own %%{_sysconfdir}/flatpak
|
||||||
- Require bubblewrap version that has new --bind-fd option backported for
|
Resolves: #2101456
|
||||||
addressing CVE-2024-42472
|
|
||||||
|
|
||||||
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
|
* Thu Mar 17 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.7-1
|
||||||
- Update to 1.12.9 (CVE-2024-32462)
|
- Update to 1.12.7
|
||||||
|
Resolves: #2058633
|
||||||
|
|
||||||
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
|
* Mon Mar 07 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-2
|
||||||
- Rebase to 1.12.8 (RHEL-4220)
|
- Cope better with /var/lib/flatpak existing but being empty
|
||||||
|
Resolves: #2062806
|
||||||
|
|
||||||
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
|
* Sun Feb 20 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.5-1
|
||||||
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
|
- Update to 1.12.5
|
||||||
|
Resolves: #2054215
|
||||||
|
|
||||||
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
|
* Tue Feb 08 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.12.4-2
|
||||||
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
|
- Don't try to add Fedora's OCI Flatpak repository on RHEL
|
||||||
|
- Remove an obsolete Fedora-specific update path
|
||||||
|
Resolves: #2051697
|
||||||
|
|
||||||
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
|
* Mon Feb 07 2022 Neal Gompa <ngompa@centosproject.org> - 1.12.4-1
|
||||||
- Rebase to 1.10.8 (#2222103)
|
- Rebase to 1.12.4
|
||||||
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
|
Resolves: #2050302
|
||||||
|
|
||||||
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
|
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2
|
||||||
- Rebase to 1.10.7 (#2062417)
|
- Use SHA256, not SHA1, to name the cache for a filtered remote
|
||||||
|
Resolves: #1935508
|
||||||
|
|
||||||
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
|
* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
|
||||||
- Rebase to 1.8.7 (#2041972)
|
- Update to 1.10.7 (CVE-2021-43860)
|
||||||
|
Resolves: #2041973
|
||||||
|
|
||||||
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
|
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.5-1
|
||||||
- Rebase to 1.8.6 (#2010533)
|
- Update to 1.10.5 (CVE-2021-41133)
|
||||||
|
Resolves: #2012862
|
||||||
|
|
||||||
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
|
* Wed Sep 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.3-1
|
||||||
- Fix CVE-2021-41133 (#2012869)
|
- Update to 1.10.3
|
||||||
|
Resolves: #2006554
|
||||||
|
|
||||||
* Tue Oct 05 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-5
|
* Sat Aug 28 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.10.2-6
|
||||||
- Disable gvfs plugins when listing flatpak installations (#1980438)
|
- Fix local deploys using system helper
|
||||||
|
Resolves: #1982304
|
||||||
|
|
||||||
* Wed Jul 28 2021 Tomas Popela <tpopela@redhat.com> - 1.8.5-4
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-5
|
||||||
- Ship flatpak-devel in CRB (#1938064)
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
|
* Fri May 07 2021 Kalev Lember <klember@redhat.com> - 1.10.2-4
|
||||||
- Fix CVE-2021-21381 (#1938064)
|
- Disable system env generator to work around selinux denials (#1947214)
|
||||||
|
|
||||||
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.2-3
|
||||||
- Apply post-release CVE fixes (#1918776)
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
|
* Mon Apr 05 2021 Kalev Lember <klember@redhat.com> - 1.10.2-2
|
||||||
- Rebase to 1.8.5 (#1851958)
|
- OCI: Switch to pax format for tar archives
|
||||||
|
|
||||||
* Tue Nov 17 2020 David King <dking@redhat.com> - 1.8.3-1
|
* Wed Mar 10 2021 Kalev Lember <klember@redhat.com> - 1.10.2-1
|
||||||
- Rebase to 1.8.3 (#1851958)
|
- Update to 1.10.2
|
||||||
|
|
||||||
* Mon Oct 05 2020 David King <dking@redhat.com> - 1.8.2-1
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.10.1-4
|
||||||
- Rebase to 1.8.2 (#1851958)
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
* Mon Sep 14 2020 Kalev Lember <klember@redhat.com> - 1.6.2-4
|
* Fri Feb 12 2021 Kalev Lember <klember@redhat.com> - 1.10.1-3
|
||||||
- OCI: extract appstream data for runtimes (#1878231)
|
- Add G_BEGIN_DECLS/G_END_DECLS to public headers (#1927439)
|
||||||
|
- Drop unneeded ldconfig_scriptlets macro call
|
||||||
|
|
||||||
* Wed Jun 17 2020 David King <dking@redhat.com> - 1.6.2-3
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-2
|
||||||
- Further fixes for OCI authenticator (#1847201)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
* Fri Mar 20 2020 David King <dking@redhat.com> - 1.6.2-2
|
* Thu Jan 21 2021 Kalev Lember <klember@redhat.com> - 1.10.1-1
|
||||||
- Fixes for OCI authenticator (#1814045)
|
- Update to 1.10.1
|
||||||
|
|
||||||
* Thu Feb 13 2020 David King <dking@redhat.com> - 1.6.2-1
|
* Thu Jan 14 2021 Kalev Lember <klember@redhat.com> - 1.10.0-1
|
||||||
- Rebase to 1.6.2 (#1775339)
|
- Update to 1.10.0
|
||||||
|
|
||||||
* Thu Jan 23 2020 David King <dking@redhat.com> - 1.6.1-1
|
* Mon Jan 11 2021 Kalev Lember <klember@redhat.com> - 1.9.3-2
|
||||||
- Rebase to 1.6.1 (#1775339)
|
- Use "Fedora Flatpaks" as the visible repo name
|
||||||
|
|
||||||
* Fri Jan 17 2020 David King <dking@redhat.com> - 1.6.0-2
|
* Tue Dec 22 2020 David King <amigadave@amigadave.com> - 1.9.3-1
|
||||||
- Remove broken python3 sed hack (#1775339)
|
- Update to 1.9.3 (#1910054)
|
||||||
|
|
||||||
* Sat Dec 21 2019 David King <dking@redhat.com> - 1.6.0-1
|
* Fri Nov 20 2020 Kalev Lember <klember@redhat.com> - 1.9.2-1
|
||||||
- Rebase to 1.6.0 (#1775339)
|
- Update to 1.9.2
|
||||||
|
|
||||||
* Fri Nov 08 2019 David King <dking@redhat.com> - 1.4.3-2
|
* Thu Nov 19 2020 Kalev Lember <klember@redhat.com> - 1.9.1-1
|
||||||
|
- Update to 1.9.1
|
||||||
|
|
||||||
|
* Wed Nov 18 2020 David King <amigadave@amigadave.com> - 1.8.3-2
|
||||||
|
- Drop obsolete Requires on system-release
|
||||||
|
|
||||||
|
* Tue Nov 17 2020 Kalev Lember <klember@redhat.com> - 1.8.3-1
|
||||||
|
- Update to 1.8.3
|
||||||
|
|
||||||
|
* Sat Oct 31 2020 Jeff Law <law@redhat.com> - 1.8.2-3
|
||||||
|
- Fix bogus volatiles caught by gcc-11
|
||||||
|
|
||||||
|
* Fri Sep 11 2020 Kalev Lember <klember@redhat.com> - 1.8.2-2
|
||||||
|
- Backport various OCI fixes from upstream
|
||||||
|
|
||||||
|
* Fri Aug 21 2020 Kalev Lember <klember@redhat.com> - 1.8.2-1
|
||||||
|
- Update to 1.8.2
|
||||||
|
|
||||||
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jul 03 2020 David King <amigadave@amigadave.com> - 1.8.1-1
|
||||||
|
- Update to 1.8.1 (#1853667)
|
||||||
|
|
||||||
|
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 1.8.0-2
|
||||||
|
- Disable LTO
|
||||||
|
|
||||||
|
* Wed Jun 24 2020 David King <amigadave@amigadave.com> - 1.8.0-1
|
||||||
|
- Update to 1.8.0 (#1850676)
|
||||||
|
|
||||||
|
* Wed Jun 10 2020 David King <amigadave@amigadave.com> - 1.7.3-1
|
||||||
|
- Update to 1.7.3 (#1820762)
|
||||||
|
|
||||||
|
* Fri Apr 03 2020 Kalev Lember <klember@redhat.com> - 1.7.2-1
|
||||||
|
- Update to 1.7.2
|
||||||
|
|
||||||
|
* Mon Mar 30 2020 David King <amigadave@amigadave.com> - 1.7.1-1
|
||||||
|
- Update to 1.7.1 (#1818882)
|
||||||
|
|
||||||
|
* Mon Mar 30 2020 Kalev Lember <klember@redhat.com> - 1.6.3-1
|
||||||
|
- Update to 1.6.3
|
||||||
|
|
||||||
|
* Thu Feb 13 2020 David King <amigadave@amigadave.com> - 1.6.2-1
|
||||||
|
- Update to 1.6.2 (#1802609)
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 23 2020 David King <amigadave@amigadave.com> - 1.6.1-1
|
||||||
|
- Update to 1.6.1
|
||||||
|
|
||||||
|
* Fri Jan 17 2020 David King <amigadave@amigadave.com> - 1.6.0-2
|
||||||
|
- Remove broken python3 sed hack
|
||||||
|
|
||||||
|
* Fri Dec 20 2019 David King <amigadave@amigadave.com> - 1.6.0-1
|
||||||
|
- Update to 1.6.0
|
||||||
|
|
||||||
|
* Mon Dec 16 2019 David King <amigadave@amigadave.com> - 1.5.2-1
|
||||||
|
- Update to 1.5.2
|
||||||
|
|
||||||
|
* Thu Nov 28 2019 David King <amigadave@amigadave.com> - 1.5.1-1
|
||||||
|
- Update to 1.5.1
|
||||||
|
|
||||||
|
* Fri Nov 01 2019 Orion Poplawski <orion@nwra.com> - 1.5.0-2
|
||||||
- Use %%{?selinux_requires} for proper install ordering
|
- Use %%{?selinux_requires} for proper install ordering
|
||||||
|
|
||||||
* Tue Oct 08 2019 David King <dking@redhat.com> - 1.4.3-1
|
* Thu Oct 03 2019 David King <amigadave@amigadave.com> - 1.5.0-1
|
||||||
- Rebase to 1.4.3 (#1748276)
|
- Update to 1.5.0
|
||||||
|
|
||||||
* Fri Sep 20 2019 Kalev Lember <klember@redhat.com> - 1.0.9-1
|
* Thu Sep 19 2019 Kalev Lember <klember@redhat.com> - 1.4.3-1
|
||||||
- Update to 1.0.9 (#1753613)
|
- Update to 1.4.3
|
||||||
|
|
||||||
* Tue May 14 2019 David King <dking@redhat.com> - 1.0.6-4
|
* Wed Sep 18 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.2-6
|
||||||
- Bump release (#1700654)
|
- Trim unused shared library linkages from the session helper
|
||||||
|
|
||||||
* Mon Apr 29 2019 David King <dking@redhat.com> - 1.0.6-3
|
* Wed Aug 7 2019 Owen Taylor <otaylor@redhat.com> - 1.4.2-5
|
||||||
- Fix IOCSTI sandbox bypass (#1700654)
|
- Add patch fixing problem with downloading icons for OCI remotes (#1683375)
|
||||||
|
|
||||||
* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.6-2
|
* Thu Jul 25 2019 Tim Zabel <tjzabel21@gmail.com> - 1.4.2-4
|
||||||
- Do not mount /proc in root sandbox (#1675776)
|
- SELinux needs additional Requires (#1732132)
|
||||||
|
|
||||||
* Tue Dec 18 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
|
||||||
- Update to 1.0.6 (#1630249)
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 09 2019 Kalev Lember <klember@redhat.com> - 1.4.2-2
|
||||||
|
- Backport a patch that fixes a fairly large memory leak in gnome-software
|
||||||
|
|
||||||
|
* Fri Jun 28 2019 David King <amigadave@amigadave.com> - 1.4.2-1
|
||||||
|
- Update to 1.4.2 (#1725071)
|
||||||
|
|
||||||
|
* Tue Jun 25 2019 David King <amigadave@amigadave.com> - 1.4.1-3
|
||||||
|
- Use Requires(post) for selinux-policy (#1723118)
|
||||||
|
|
||||||
|
* Tue Jun 25 2019 Debarshi Ray <rishi@fedoraproject.org> - 1.4.1-2
|
||||||
|
- Split the session helper into a separate sub-package
|
||||||
|
|
||||||
|
* Thu Jun 13 2019 Kalev Lember <klember@redhat.com> - 1.4.1-1
|
||||||
|
- Update to 1.4.1
|
||||||
|
|
||||||
|
* Wed Jun 12 2019 Kalev Lember <klember@redhat.com> - 1.4.0-2
|
||||||
|
- Backport an upstream patch to fix gnome-software CI
|
||||||
|
|
||||||
|
* Tue May 28 2019 Kalev Lember <klember@redhat.com> - 1.4.0-1
|
||||||
|
- Update to 1.4.0
|
||||||
|
|
||||||
|
* Fri May 10 2019 Kalev Lember <klember@redhat.com> - 1.3.4-1
|
||||||
|
- Update to 1.3.4
|
||||||
|
|
||||||
|
* Tue Apr 30 2019 David King <amigadave@amigadave.com> - 1.3.3-2
|
||||||
|
- Generate consistent anchor IDs
|
||||||
|
|
||||||
|
* Fri Apr 26 2019 David King <amigadave@amigadave.com> - 1.3.3-1
|
||||||
|
- Update to 1.3.3 (#1699338)
|
||||||
|
|
||||||
|
* Wed Apr 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.2-2
|
||||||
|
- Fixup selinux requires
|
||||||
|
|
||||||
|
* Fri Apr 12 2019 David King <amigadave@amigadave.com> - 1.3.2-1
|
||||||
|
- Update to 1.3.2 (#1699338)
|
||||||
|
|
||||||
|
* Wed Apr 03 2019 Kalev Lember <klember@redhat.com> - 1.3.1-2
|
||||||
|
- Add a oneshot systemd service to add Fedora flatpak repos
|
||||||
|
- Remove the post script to create system repo now that we have the service
|
||||||
|
|
||||||
|
* Wed Mar 27 2019 David King <amigadave@amigadave.com> - 1.3.1-1
|
||||||
|
- Update to 1.3.1 (#1693207)
|
||||||
|
|
||||||
|
* Tue Mar 12 2019 David King <amigadave@amigadave.com> - 1.3.0-1
|
||||||
|
- Update to 1.3.0
|
||||||
|
|
||||||
|
* Thu Feb 14 2019 David King <amigadave@amigadave.com> - 1.2.3-2
|
||||||
|
- Remove an obsolete Conflicts
|
||||||
|
- Use xdg-dbus-proxy
|
||||||
|
|
||||||
|
* Mon Feb 11 2019 David King <amigadave@amigadave.com> - 1.2.3-1
|
||||||
|
- Update to 1.2.3
|
||||||
|
|
||||||
|
* Wed Feb 06 2019 David King <amigadave@amigadave.com> - 1.2.2-1
|
||||||
|
- Update to 1.2.2
|
||||||
|
|
||||||
|
* Tue Feb 05 2019 Kalev Lember <klember@redhat.com> - 1.2.1-1
|
||||||
|
- Update to 1.2.1
|
||||||
|
|
||||||
|
* Mon Feb 4 2019 fedora-toolbox <otaylor@redhat.com> - 1.2.0-4
|
||||||
|
- Add an upstream patch to add flatpak build-export --disable-sandbox
|
||||||
|
|
||||||
|
* Thu Jan 31 2019 Bastien Nocera <bnocera@redhat.com> - 1.2.0-3
|
||||||
|
- Require librsvg2 so SVG icons can be exported
|
||||||
|
|
||||||
|
* Tue Jan 29 2019 Kalev Lember <klember@redhat.com> - 1.2.0-2
|
||||||
|
- Enable libsystemd support
|
||||||
|
|
||||||
|
* Mon Jan 28 2019 David King <amigadave@amigadave.com> - 1.2.0-1
|
||||||
|
- Update to 1.2.0
|
||||||
|
|
||||||
|
* Tue Jan 15 2019 Kalev Lember <klember@redhat.com> - 1.1.3-1
|
||||||
|
- Update to 1.1.3
|
||||||
|
|
||||||
|
* Fri Dec 21 2018 David King <amigadave@amigadave.com> - 1.1.2-1
|
||||||
|
- Update to 1.1.2
|
||||||
|
|
||||||
|
* Mon Dec 17 2018 David King <amigadave@amigadave.com> - 1.1.1-2
|
||||||
|
- Enable installed tests and add to tests subpackage
|
||||||
|
|
||||||
|
* Mon Dec 10 2018 Kalev Lember <klember@redhat.com> - 1.1.1-1
|
||||||
|
- Update to 1.1.1
|
||||||
|
|
||||||
|
* Fri Nov 30 2018 fedora-toolbox <otaylor@redhat.com> - 1.0.6-3
|
||||||
|
- Add a patch to fix OCI system remotes
|
||||||
|
- Add patch fixing permissions on icons downloaded from an OCI registry
|
||||||
|
|
||||||
|
* Fri Nov 16 2018 Kalev Lember <klember@redhat.com> - 1.0.6-1
|
||||||
|
- Update to 1.0.6
|
||||||
|
|
||||||
|
* Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-2
|
||||||
- Recommend p11-kit-server instead of just p11-kit (#1649049)
|
- Recommend p11-kit-server instead of just p11-kit (#1649049)
|
||||||
|
|
||||||
* Mon Dec 10 2018 David King <dking@redhat.com> - 1.0.4-2
|
* Mon Nov 12 2018 Kalev Lember <klember@redhat.com> - 1.0.5-1
|
||||||
- Backport patches to improve OCI support (#1657306)
|
- Update to 1.0.5
|
||||||
|
|
||||||
* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
|
* Fri Oct 12 2018 Kalev Lember <klember@redhat.com> - 1.0.4-1
|
||||||
- Update to 1.0.4 (#1630249)
|
- Update to 1.0.4
|
||||||
|
|
||||||
|
* Thu Oct 04 2018 Kalev Lember <klember@redhat.com> - 1.0.3-1
|
||||||
|
- Update to 1.0.3
|
||||||
|
|
||||||
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
|
* Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-1
|
||||||
- Update to 1.0.2 (#1630249)
|
- Update to 1.0.2
|
||||||
|
|
||||||
* Tue Aug 28 2018 David King <dking@redhat.com> - 1.0.1-1
|
* Tue Aug 28 2018 David King <amigadave@amigadave.com> - 1.0.1-1
|
||||||
- Update to 1.0.1 (#1621401)
|
- Update to 1.0.1
|
||||||
|
|
||||||
* Wed Aug 01 2018 David King <dking@redhat.com> - 0.99.3-1
|
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-2
|
||||||
|
- Fix double dash in XML documentation
|
||||||
|
|
||||||
|
* Mon Aug 20 2018 David King <amigadave@amigadave.com> - 1.0.0-1
|
||||||
|
- Update to 1.0.0
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.99.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 10 2018 Kalev Lember <klember@redhat.com> - 0.99.3-1
|
||||||
- Update to 0.99.3
|
- Update to 0.99.3
|
||||||
|
|
||||||
|
* Wed Jun 27 2018 Kalev Lember <klember@redhat.com> - 0.99.2-1
|
||||||
|
- Update to 0.99.2
|
||||||
|
|
||||||
|
* Thu Jun 21 2018 David King <amigadave@amigadave.com> - 0.99.1-1
|
||||||
|
- Update to 0.99.1
|
||||||
|
|
||||||
|
* Wed Jun 13 2018 David King <amigadave@amigadave.com> - 0.11.8.3-1
|
||||||
|
- Update to 0.11.8.3 (#1590808)
|
||||||
|
|
||||||
|
* Mon Jun 11 2018 David King <amigadave@amigadave.com> - 0.11.8.2-1
|
||||||
|
- Update to 0.11.8.2 (#1589810)
|
||||||
|
|
||||||
|
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8.1-1
|
||||||
|
- Update to 0.11.8.1 (#1588868)
|
||||||
|
|
||||||
|
* Fri Jun 08 2018 David King <amigadave@amigadave.com> - 0.11.8-1
|
||||||
|
- Update to 0.11.8 (#1588868)
|
||||||
|
|
||||||
* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
|
* Wed May 23 2018 Adam Jackson <ajax@redhat.com> - 0.11.7-2
|
||||||
- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
|
- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide
|
||||||
somewhere before Fedora 22 which this spec file certainly no longer
|
somewhere before Fedora 22 which this spec file certainly no longer
|
||||||
|