Change log for flatpak package in Debian
| 1 → 75 of 189 results | First • Previous • Next • Last |
flatpak (1.14.6-1) unstable; urgency=high
* New upstream stable release 1.14.6
- Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
- Don't parse `<developer><name/></developer>` as the application name
* d/control: Drop alternative dependencies on transitional policykit-1.
polkitd was released in Debian 12 and Ubuntu 22.04.
-- Simon McVittie <email address hidden> Wed, 17 Apr 2024 19:34:28 +0100
Available diffs
| Published in experimental-release |
flatpak (1.15.8-1) experimental; urgency=high
* New upstream development release
- Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
* Merge packaging from unstable
-- Simon McVittie <email address hidden> Wed, 17 Apr 2024 20:17:44 +0100
| Superseded in experimental-release |
flatpak (1.15.7-1) experimental; urgency=medium * New upstream development release * d/copyright: Update * d/flatpak.lintian-overrides: Remove an obsolete Lintian override * d/control, d/rules: Activate dh-sequence-gir declaratively * d/patches: Add a patch to fix the "as-installed" tests -- Simon McVittie <email address hidden> Wed, 27 Mar 2024 15:35:47 +0000
flatpak (1.14.5-1) unstable; urgency=medium
* New upstream stable release
* Drop patches cherry-picked in 1.14.4-2, applied upstream
* d/flatpak.install: Install new tmpfiles.d snippet
* d/test.sh: Disable http proxy if used, to ensure we can reach localhost.
Some reproducible.org builders set http_proxy, which makes attempts
to access our temporary http server on localhost fail with a 503 error.
* d/control: (Build-)depend on pkgconf in preference to pkg-config
* d/control: Add ${gir:Depends}, ${gir:Provides} to -dev package
(Helps: #1030223)
* d/control: Build-depend on required GIR XML files (Helps: #1030223)
* Install systemd system unit into /usr/lib/systemd/system.
This was allowed by TC resolution #1053901.
Build-depend on debhelper 13.11.6~ to ensure that the unit is still
picked up by dh_installsystemd.
-- Simon McVittie <email address hidden> Fri, 08 Dec 2023 12:25:50 +0000
Available diffs
- diff from 1.14.4-2 to 1.14.5-1 (59.4 KiB)
| Superseded in experimental-release |
flatpak (1.15.6-1) experimental; urgency=medium
* New upstream development release
* Mention #1033098, #1033099 in previous changelog entry
* d/control: (Build-)depend on pkgconf in preference to pkg-config
* Install systemd system unit into /usr/lib/systemd/system.
This was allowed by TC resolution #1053901.
Build-depend on debhelper 13.11.6~ to ensure that the unit is still
picked up by dh_installsystemd.
* d/test.sh: Disable http proxy if used, to ensure we can reach localhost.
Some reproducible.org builders set http_proxy, which makes attempts
to access our temporary http server on localhost fail with a 503 error.
* d/control: Build-depend on required GIR XML files (Helps: #1030223)
* d/control: Add ${gir:Depends}, ${gir:Provides} to -dev package
(Helps: #1030223)
* d/control: Require bubblewrap 0.8.0
* d/control: (Build-)depend on Wayland components for new security context
extension
* d/flatpak.install: Install new tmpfiles.d snippet
* d/copyright: Update
* d/libflatpak0.symbols: Update
* d/libflatpak0.symbols: Reduce entropy.
For each symbol introduced in a development branch older than the
current one, behave as if the symbol was added in the stable release
that followed the development branch: this will generate slightly more
conservative dependencies. For 0.x versions, use 1.0.
-- Simon McVittie <email address hidden> Tue, 14 Nov 2023 19:52:48 +0000
flatpak (1.14.4-2) unstable; urgency=medium * Team upload [ Simon McVittie ] * Mention #1033098, #1033099 in previous changelog entry [ Jeremy Bicha ] * Cherry-pick 2 patches for compatibility with glib 2.77 -- Jeremy BĂcha <email address hidden> Tue, 18 Jul 2023 17:05:30 -0400
Available diffs
| Published in bullseye-release |
flatpak (1.10.8-0+deb11u1) bullseye; urgency=high
* New upstream stable release
* Security fixes:
- Escape special characters when displaying permissions and metadata,
preventing malicious apps from manipulating the appearance of the
permissions list using crafted metadata
(Closes: #1033098; CVE-2023-28101)
- If a Flatpak app is run on a Linux virtual console (tty1, etc.),
don't allow copy/paste via the TIOCLINUX ioctl
(Closes: #1033099; CVE-2023-28100).
Note that this is specific to virtual consoles: Flatpak is not
vulnerable to this if run from a graphical terminal emulator such
as xterm, gnome-terminal or Konsole.
* Other bug fixes:
- If an app update is blocked by parental controls policies, clean up
the temporary deploy directory
- Fix Autotools build with newer versions of gpgme
- Fix various regressions in `flatpak history` since 1.9.1
- Fix a typo in an error message
- Translation update: pl
- Add test coverage for seccomp filters
* d/copyright: Update
-- Simon McVittie <email address hidden> Sat, 18 Mar 2023 15:29:44 +0000
flatpak (1.14.4-1) unstable; urgency=high
* New upstream security fix release
- Escape special characters when displaying permissions and metadata,
preventing malicious apps from manipulating the appearance of the
permissions list using crafted metadata (CVE-2023-28101)
- If a Flatpak app is run on a Linux virtual console (tty1, etc.),
don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100).
Note that this is specific to virtual consoles: Flatpak is not
vulnerable to this if run from a graphical terminal emulator such
as xterm, gnome-terminal or Konsole.
- Translation update: pl
-- Simon McVittie <email address hidden> Thu, 16 Mar 2023 10:39:01 +0000
Available diffs
- diff from 1.14.3-1 to 1.14.4-1 (52.5 KiB)
| Superseded in experimental-release |
flatpak (1.15.4-1) experimental; urgency=medium
* New upstream development release
- Escape special characters when displaying permissions and metadata,
preventing malicious apps from manipulating the appearance of the
permissions list using crafted metadata (CVE-2023-28101)
- If a Flatpak app is run on a Linux virtual console (tty1, etc.),
don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100).
Note that this is specific to virtual consoles: Flatpak is not
vulnerable to this if run from a graphical terminal emulator such
as xterm, gnome-terminal or Konsole.
* Merge packaging from unstable
-- Simon McVittie <email address hidden> Thu, 16 Mar 2023 10:41:58 +0000
flatpak (1.14.3-1) unstable; urgency=medium
* New upstream stable release
- Fix handling of apps superseded by an app of a different name
in GNOME Software (flatpak#5172)
- Fix a crash when an app has --socket=gpg-agent permission
(flatpak#5095)
- Fix a crash when listing broken or misconfigured apps (flatpak#5293)
- If an app has invalid syntax in its overrides or metadata, mention
the filename in the error message (flatpak#5293)
- Unset $GDK_BACKEND so that GTK apps with --socket=fallback-x11
work reliably (flatpak#5303)
- Ignore some --filesystem permissions which would otherwise prevent
all apps from starting (flatpak#1357, flatpak#5205, flatpak#5207)
- Show a warning when a --filesystem exists but cannot be shared with
the sandbox (flatpak#1357, flatpak#5035, flatpak#5205, flatpak#5207)
-- Simon McVittie <email address hidden> Mon, 27 Feb 2023 12:52:48 +0000
Available diffs
- diff from 1.14.1-1 to 1.14.3-1 (171.3 KiB)
- diff from 1.14.2-1 to 1.14.3-1 (97.9 KiB)
| Superseded in experimental-release |
flatpak (1.15.3-1) experimental; urgency=medium
* New upstream development release
* Merge packaging changes from unstable
- Remove obsolete maintscript entries
- Avoid explicitly specifying -Wl,--as-needed linker flag, which is
the default with newer toolchains
-- Simon McVittie <email address hidden> Tue, 21 Feb 2023 10:44:05 +0000
flatpak (1.14.2-1) unstable; urgency=medium * New upstream stable release * Update standards version to 4.6.2 (no changes needed) -- Simon McVittie <email address hidden> Mon, 06 Feb 2023 17:21:47 +0000
Available diffs
- diff from 1.14.1-1 to 1.14.2-1 (32.6 KiB)
| Superseded in experimental-release |
flatpak (1.15.2-1) experimental; urgency=medium * New upstream development release * Update standards version to 4.6.2 (no changes needed) -- Simon McVittie <email address hidden> Mon, 06 Feb 2023 14:15:47 +0000
flatpak (1.14.1-1) unstable; urgency=medium
* New upstream stable release
* Remove obsolete maintscript entries
* Avoid explicitly specifying -Wl,--as-needed linker flag, which is
the default with newer toolchains
-- Simon McVittie <email address hidden> Fri, 18 Nov 2022 13:45:56 +0000
Available diffs
- diff from 1.14.0-2 to 1.14.1-1 (205.0 KiB)
| Superseded in experimental-release |
flatpak (1.15.1-1) experimental; urgency=medium
* New upstream development release
* d/test.sh: Don't try to show Autotools test logs.
We're using Meson now, so this is not applicable.
* d/rules, d/test.sh: Rely on debhelper to set HOME, XDG_RUNTIME_DIR etc.
* d/test.sh: Extend test timeout to cope better with slow buildds.
The upstream test timeouts assume a relatively non-loaded system, but
on a buildd we might be sharing the machine with other processes.
* Drop the only patch, applied upstream
-- Simon McVittie <email address hidden> Thu, 17 Nov 2022 19:06:05 +0000
| Superseded in experimental-release |
flatpak (1.15.0-2) experimental; urgency=medium
* d/p/revokefs-Use-correct-format-string-for-a-ssize_t.patch:
Fix the build on ILP32 architectures
-- Simon McVittie <email address hidden> Tue, 25 Oct 2022 09:37:58 +0100
flatpak (1.14.0-2) unstable; urgency=medium
* d/control: Add dependency on fuse3, for fusermount3.
Strictly speaking this is only needed for system installations, but
those are the default, and a missing fusermount3 produces unclear
symptoms.
* d/control: Depend on polkitd in preference to transitional policykit-1.
This package doesn't need pkexec.
* Update Lintian overrides
-- Simon McVittie <email address hidden> Fri, 02 Sep 2022 08:59:06 +0100
Available diffs
- diff from 1.14.0-1 to 1.14.0-2 (1.2 KiB)
flatpak (1.14.0-1) unstable; urgency=medium * New upstream release * d/copyright: Update * Build with libfuse3 -- Simon McVittie <email address hidden> Tue, 23 Aug 2022 20:26:06 +0100
Available diffs
- diff from 1.13.3-2 to 1.14.0-1 (500.9 KiB)
| Deleted in experimental-release (Reason: None provided.) |
flatpak (1.13.3-2) experimental; urgency=medium
* Build with libcurl http backend.
This avoids library conflicts during the transition to GNOME 43, in
which core apps and libraries have switched to libsoup3, which conflicts
with libsoup2.4. See #1016589.
* d/control: Remove backwards-compat with libgdk-pixbuf2.0-dev.
libgdk-pixbuf-2.0-dev was released in bullseye, and official backports
to old distributions need to swap the dependency anyway, because of
how buildds resolve alternative dependencies.
* Set correct Vcs-Git field for experimental branch
* Standards-Version: 4.6.1 (no changes required)
-- Simon McVittie <email address hidden> Fri, 05 Aug 2022 10:06:16 +0100
Available diffs
- diff from 1.12.7-1 to 1.13.3-2 (731.5 KiB)
| Superseded in experimental-release |
flatpak (1.13.3-1) experimental; urgency=medium * New upstream development release * Drop workaround for #1006684 * Continue to use libsoup http backend for now * d/libflatpak0.symbols: Update -- Simon McVittie <email address hidden> Fri, 17 Jun 2022 17:32:52 +0100
| Superseded in bullseye-release |
flatpak (1.10.7-0+deb11u1) bullseye-security; urgency=high
* New upstream stable release
* Security fixes:
- Prevent a malicious repository from arranging for permissions to be
granted without being correctly displayed during installation
(CVE-2021-43860, GHSA-qpjc-vq3c-572j)
- Provide a new --nofilesystem=host:reset option which flatpak-builder
can use to prevent malicious builds from creating directories
outside the build directory (CVE-2022-21682, GHSA-8ch7-5j3h-g4fx)
* Other bug fixes:
- Fix error handling for syscalls that are only allowed with --devel
(this change was already included in 1.10.5-0+deb11u1)
- Improve diagnostic messages when seccomp rules cannot be applied
- Update Polish translation
- Clarify documentation related to CVE-2022-21682
- Improve test coverage related to CVE-2022-21682
- Be compatible with newer versions of python3-pyparsing
(the version in Debian 11 generates identical code before and
after this change)
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Drop patch, included in 1.10.6
* d/copyright: Update
-- Simon McVittie <email address hidden> Tue, 18 Jan 2022 18:24:45 +0000
flatpak (1.12.7-1) unstable; urgency=medium
* New upstream stable release
- Pass through a remote X11 display if the app has --share=network
- Pass through a remote PulseAudio server if the app has --share=network
- WAYLAND_DISPLAY can be an absolute path
- Accept /app/share/metainfo/*.xml exports from apps that were built
with Flatpak 1.13.x
- Automatically set up /var/lib/flatpak/repo if required
- Work around a bug in libostree < 2021.6 when used with GLib >= 2.71
- Fix some memory leaks in GVariant data processing
* d/gbp.conf: Use upstream/1.12.x branch for upstream imports
* d/watch: Only watch for upstream stable releases
-- Simon McVittie <email address hidden> Mon, 14 Mar 2022 17:37:10 +0000
Available diffs
- diff from 1.12.6-1 to 1.12.7-1 (235.4 KiB)
| Superseded in experimental-release |
flatpak (1.13.2-1) experimental; urgency=medium
* New upstream development release
* d/p/tests-Don-t-install-tap-driver.sh-in-the-installed-tests.patch:
Drop patch that was applied upstream
-- Simon McVittie <email address hidden> Mon, 14 Mar 2022 15:37:10 +0000
| Superseded in experimental-release |
flatpak (1.13.1-1) experimental; urgency=medium
* New upstream development release
* Build-depend on libappstream-dev instead of libappstream-glib-dev
* Increase dependency on bubblewrap
* Install fish profile snippet
* Add patch to work around #1006684 in libappstream
* Update symbols file
* Add patch to avoid unnecessarily installing tap-driver.sh.
As well as being unnecessary, this file triggers some Lintian
false-positives.
-- Simon McVittie <email address hidden> Wed, 02 Mar 2022 13:27:15 +0000
flatpak (1.12.6-1) unstable; urgency=medium
* New upstream stable release
- Better robustness against downloads being interrupted or cancelled
- Detect the GTK theme more reliably
- Fix history command unit test when not using persistent systemd journal
- Translation update: pt_BR
-- Simon McVittie <email address hidden> Tue, 22 Feb 2022 10:58:48 +0000
Available diffs
- diff from 1.12.5-1 to 1.12.6-1 (38.8 KiB)
flatpak (1.12.5-1) unstable; urgency=medium
* New upstream stable release
- Don't propagate GStreamer-related environment variables into sandbox
- Fix regressions in `flatpak history` since 1.9.1
- Remove temporary files from /var/lib/flatpak/appstream
* Stop installing flatpak-bisect and flatpak-coredumpctl as examples.
Since 1.8.1-2 they're installed into PATH, in libflatpak-dev.
* d/flatpak.docs: Use debhelper 11 dh_installdoc instead of dh-exec
-- Simon McVittie <email address hidden> Fri, 11 Feb 2022 17:16:22 +0000
Available diffs
- diff from 1.12.4-1 to 1.12.5-1 (194.0 KiB)
flatpak (1.12.4-1) unstable; urgency=medium
* New upstream stable release
* Alter the solution to CVE-2022-21682 to avoid regressions:
- Revert semantics of --nofilesystem=host to be the same as 1.12.2
- Revert semantics of --nofilesystem=home to be the same as 1.12.2
- Add --nofilesystem=host:reset which means the same thing that
--nofilesystem=host did in 1.12.3
- Users of flatpak-builder should update it to 1.2.2 to resolve
CVE-2022-21682
* Other bug fixes:
- Clarify documentation related to CVE-2022-21682
- Improve test coverage related to CVE-2022-21682
- Restore compatibility with older appstream-glib versions, for backports
* Set high urgency to resolve regressions in 1.12.3
-- Simon McVittie <email address hidden> Tue, 18 Jan 2022 18:01:05 +0000
Available diffs
- diff from 1.12.3-1 to 1.12.4-1 (173.0 KiB)
flatpak (1.12.3-1) unstable; urgency=high
* New upstream stable release
* Security fixes:
- Prevent a malicious repository from arranging for permissions to be
granted without being correctly displayed during installation
(CVE-2021-43860, GHSA-qpjc-vq3c-572j)
- Prevent a malicious build in flatpak-builder creating directories
outside the build directory (GHSA-8ch7-5j3h-g4fx)
* Behaviour changes, as a result of how GHSA-8ch7-5j3h-g4fx was fixed:
- --nofilesystem=host is now special-cased to negate all --filesystem
permissions. Previously, it would cancel out --filesystem=host but
not --filesystem=/some/dir.
- --nofilesystem=home is now special-cased to negate several
home-directory-related filesystem permssions such as
--filesystem=xdg-config/foo, not just --filesystem=host.
* Other bug fixes:
- Extra-data downloading now properly handles compressed
content-encodings, which fixes checksum verification
- Avoid unnecessary polkit prompt due to auto-pinning when installing
runtimes
- Better handling of updates of extensions that exist in multiple
repositories
- Fixed (initial) installation of apps with renamed app-IDs
- Support more pulseaudio configuration, including the one used in WSL2
- Fixed regression in updates from no-enumerate remotes
- We now verify checksums of summary caches, to better handle local file
corruption
- Improved CLI output for non-terminal targets
- Flatpak run --session-bus now works
- Fix build with PyParsing >= 3.0.4
- bash auto completion now doesn't complete on command name aliases
- Minor improvements to the search command
- Minor improvements to the list command
- Minor improvements to the repair command
- Add more tests
- Updated translations and docs
* d/copyright: Update
-- Simon McVittie <email address hidden> Wed, 12 Jan 2022 13:33:12 +0000
Available diffs
- diff from 1.12.2-2 to 1.12.3-1 (376.8 KiB)
| Superseded in bullseye-release |
flatpak (1.10.5-0+deb11u1) bullseye-security; urgency=medium
* New upstream stable release 1.10.4
- Don't allow VFS manipulation which could be used to trick portals
into allowing unintended access to host
(Closes: #995935, CVE-2021-41133, GHSA-67h7-w3jq-vh4q)
- Fix parental controls check when installing system-wide as non-root
- OCI now uses the pax tar format, which handles large files better
than GNU tar
- tests: Fix test-sideload.sh if ostree is built with curl backend
(this change is unnecessary but harmless in the configuration used
in Debian)
* New upstream stable release 1.10.5
- Fix regressions in 1.12.0 with extra data or --allow=multiarch.
This only partially prevents use of VFS-manipulating syscalls if a
newer kernel is used with an older libseccomp, but that's the best
we will be able to achieve without new features in libseccomp and/or
bubblewrap.
* d/control: Build-depend on libseccomp 2.5.0.
This ensures that we can block creation of new user namespaces via
clone3(), which should be enough to prevent CVE-2021-41133 on
at least Debian 11 kernels (Linux 5.10). It also allows blocking most
of the syscalls we want to block; we cannot guarantee to be able to
block mount_setattr(), which was only added in libseccomp 2.5.2, but
that syscall was new in Linux 5.12.
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Fix error handling for syscalls that are only allowed with --devel
-- Simon McVittie <email address hidden> Sun, 10 Oct 2021 14:14:51 +0100
flatpak (1.12.2-2) unstable; urgency=medium
* flatpak Recommends xdg-user-dirs.
If we don't have this, the XDG special directories for documents, music,
downloads etc. will not be listed in ~/.config/user-dirs.dirs unless
configured manually; this means that app permissions that would normally
share those directories with the host, such as --filesystem=xdg-download,
will have no practical effect. (Closes: #1000609)
* Build/test-depend on dbus-daemon.
We don't necessarily need a full implementation for the unit tests, but
we do need to be able to run dbus-daemon --session.
* Depend on default-dbus-system-bus | dbus-system-bus instead of dbus.
Any implementation of the system bus will do.
* Adjust Lintian overrides for current Lintian
-- Simon McVittie <email address hidden> Mon, 13 Dec 2021 13:22:23 +0000
Available diffs
- diff from 1.12.2-1 to 1.12.2-2 (1.1 KiB)
flatpak (1.12.2-1) unstable; urgency=medium
* New upstream stable release
- Better diagnostic messages if libseccomp calls fail
- Install translations referenced by LANG, LANGUAGE or LC_ALL,
fixing test failures in 1.12.0+ on older distributions
- Update Polish translation
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Drop patch, applied upstream
-- Simon McVittie <email address hidden> Tue, 12 Oct 2021 11:54:06 +0100
Available diffs
- diff from 1.10.2-3 to 1.12.2-1 (887.6 KiB)
| Superseded in bullseye-release |
flatpak (1.10.3-0+deb11u1) bullseye; urgency=medium
* New upstream stable release
- Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox
(regression in 1.8.5 and 1.10.0)
- Improve unit test coverage
- Various other changes that were already in earlier releases to Debian
* Drop all patches, applied upstream
* d/gbp.conf, d/control: Branch for bullseye
* d/watch: Restrict to 1.10.x versions for bullseye
-- Simon McVittie <email address hidden> Tue, 31 Aug 2021 19:10:52 +0100
flatpak (1.12.1-1) unstable; urgency=medium
* New upstream stable release
- Fix regressions in 1.12.0 with extra data or --allow=multiarch
* Depend on libseccomp 2.5.2 so that CVE-2021-41133 is still fully
prevented. Resolving this with older libseccomp versions will require
further development.
* Add CVE-2021-41133 reference in previous changelog entry
* Standards-Version: 4.6.0 (no changes required)
* Update Lintian overrides
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Fix error handling for syscalls that are only allowed with --devel
-- Simon McVittie <email address hidden> Fri, 08 Oct 2021 21:24:55 +0100
flatpak (1.12.0-1) unstable; urgency=high
* New upstream stable release
- Don't allow VFS manipulation which could be used to trick portals
into allowing unintended access to host
(Closes: #995935, GHSA-67h7-w3jq-vh4q)
- Fix misleading progress output in `flatpak repair`
- Fix parental controls check when installing system-wide as non-root
- Cope with /var/tmp being a symlink
- Improve handling of separate locale environment variables such as
LC_COLLATE
- Share host's /etc/gai.conf with apps that have Internet access
- Test-suite fixes (previously applied in 1.11.3-2)
* Drop both patches from 1.11.3-2, applied upstream
* d/control: Add Recommends on ca-certificates.
Most Flatpak users will likely want to install from https servers.
-- Simon McVittie <email address hidden> Fri, 08 Oct 2021 12:58:34 +0100
flatpak (1.11.3-2) unstable; urgency=medium
* d/p/libtest-Make-sure-ldconfig-and-capsh-are-in-the-PATH.patch:
Add patch from upstream git to improve autopkgtest coverage
* d/p/tests-Don-t-reset-XDG_RUNTIME_DIR-locally.patch:
Add patch from upstream git to prevent an autopkgtest failure under qemu
* d/rules: Remove all .la files, not just the one for libflatpak
* Generalize Lintian overrides to be independent of systemd unit location
-- Simon McVittie <email address hidden> Fri, 27 Aug 2021 14:59:25 +0100
flatpak (1.11.3-1) unstable; urgency=medium
* New upstream development release
* Move to debhelper compat level 13
- Drop dh_missing override, --fail-missing is now the default
* d/rules: Normalize permissions of installed-tests
* Release to unstable to get wider testing.
We're early in the Debian release cycle, and this release is basically
a release-candidate for a new 1.12.x stable branch.
-- Simon McVittie <email address hidden> Wed, 25 Aug 2021 12:45:23 +0100
flatpak (1.10.2-3) unstable; urgency=medium
* d/patches: Align with upstream flatpak-1.10.x branch, making this
effectively a release candidate for upstream stable release 1.10.3
- d/patches: Update metadata to reflect upstream flatpak-1.10.x branch.
All the patches we apply in Debian are expected to be released in
1.10.3 upstream, but not all were annotated to reflect this.
- d/p/system-helper-Fix-deploys-of-local-remotes.patch:
Fix some failures to update in GNOME Software and the unit tests.
This change was previously applied in Ubuntu's flatpak_1.10.2-1ubuntu1
to fix a unit test failure, possibly triggered by a newer version of
GLib. It has also been reported to fix a failure to upgrade Flatpak
apps using GNOME Software, this time in Fedora.
- d/p/create-usb-Skip-copying-extra-data-flatpaks.patch:
Skip flatpaks with "extra-data" when using `flatpak create-usb`.
This command is intended to create USB drives that can be
used to install Flatpak apps and/or runtimes while offline,
but the "extra-data" feature downloads extra content for an app
or runtime at install time, as a way to automate installation of
data that can be re-downloaded by end users but is not licensed
for redistribution by Flatpak repositories. Such apps and runtimes
would fail to install while offline.
- d/p/series: Re-order patches to match upstream flatpak-1.10.x branch
-- Simon McVittie <email address hidden> Sun, 25 Jul 2021 20:44:58 +0100
Available diffs
flatpak (1.10.2-2) unstable; urgency=medium
* Backport changes from upstream git to fix regressions when apps invoke
flatpak-spawn --env=... to launch a subsandbox.
- d/p/Fix-several-memory-leaks.patch:
Fix minor memory leaks so that subsequent backports apply cleanly
- d/p/portal-Don-t-leak-fd-used-for-serialized-environment.patch:
Don't leak a file descriptor each time flatpak-spawn --env=... is used
(Closes: #989934)
- d/p/portal-Use-a-GArray-to-store-fds.patch,
d/p/portal-Remap-env-fd-into-child-process-s-fd-space.patch:
When an app uses flatpak-spawn --env=... --forward-fd=..., ensure
that the file descriptors do not collide, which could result in the
subsandbox failing to launch or being launched with wrong environment
variables. (Closes: #989935)
-- Simon McVittie <email address hidden> Tue, 22 Jun 2021 10:10:38 +0100
| Deleted in experimental-release (Reason: None provided.) |
flatpak (1.11.2-1) experimental; urgency=medium
* New upstream development release
- Don't leak a file descriptor each time flatpak-spawn --env=... is used
(Closes: #989934)
- When an app uses flatpak-spawn --env=... --forward-fd=..., ensure
that the file descriptors do not collide, which could result in the
subsandbox failing to launch or being launched with wrong environment
variables. (Closes: #989935)
- Various other bug fixes
-- Simon McVittie <email address hidden> Thu, 17 Jun 2021 18:07:22 +0100
| Superseded in experimental-release |
flatpak (1.11.1-1) experimental; urgency=medium * New upstream development release -- Simon McVittie <email address hidden> Mon, 26 Apr 2021 12:53:06 +0100
| Superseded in experimental-release |
flatpak (1.11~git20210416.1-1) experimental; urgency=medium * New upstream snapshot -- Simon McVittie <email address hidden> Fri, 16 Apr 2021 14:40:26 +0100
| Superseded in experimental-release |
flatpak (1.11~git20210413-1) experimental; urgency=medium
* New upstream snapshot
- Drop remaining patch, applied upstream
- Update symbols file
-- Simon McVittie <email address hidden> Wed, 14 Apr 2021 12:33:30 +0100
| Published in buster-release |
flatpak (1.2.5-0+deb10u4) buster-security; urgency=high
* Add patches from upstream 1.10.2 release to fix a sandbox escape
via special tokens in .desktop files (flatpak#4146, Closes: #984859)
-- Simon McVittie <email address hidden> Wed, 10 Mar 2021 11:13:59 +0000
flatpak (1.10.2-1) unstable; urgency=medium
* New upstream stable release
- Make --filesystem, --nofilesystem accept non-ASCII filenames more
reliably
- Improve solution for #984859 so it refuses to install apps that
appear to be trying to exploit the vulnerability
- Fix a memory leak
- Improve compatibility with openSUSE's X authentication setup
- Use a single version of Docbook for all documentation
- This release also incorporates the fixes that were applied in
1.10.1-2 and 1.10.1-3, and part of 1.10.1-4
* Drop patches that were applied upstream
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Mark the remaining patch as applied upstream for 1.11.0
* Add reference to #984859 in previous changelog entry
-- Simon McVittie <email address hidden> Wed, 10 Mar 2021 10:58:32 +0000
Available diffs
flatpak (1.10.1-4) unstable; urgency=high
* d/p/Disallow-and-u-usage-in-desktop-files.patch:
Add proposed patch to fix a sandbox escape via crafted .desktop
files (flatpak#4146). Thanks, Ryan Gonzalez
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Add proposed patch to fix some tests on non-x86_64 machines.
The affected tests were already skipped in schroot/lxc for other
reasons, but would be run (and fail) on autopkgtest testbeds with
isolation-machine and working FUSE.
-- Simon McVittie <email address hidden> Fri, 05 Mar 2021 10:21:35 +0000
Available diffs
flatpak (1.10.1-3) unstable; urgency=medium
* Mark patch as applied upstream
* Add bugfixes from upstream flatpak-1.10.x branch
- Add extern "C" guards to header files, fixing compilation of C++ code
such as plasma-discover against GLib 2.67.x
- Fix memory leaks in the unit tests
-- Simon McVittie <email address hidden> Wed, 24 Feb 2021 13:59:56 +0000
Available diffs
| Superseded in buster-release |
flatpak (1.2.5-0+deb10u3) buster-security; urgency=medium
* Fix regressions in DSA 4830-1
- Add patch from upstream to fix a regression in 'flatpak build'.
The patches to resolve CVE-2021-21261 caused a regression in which
'flatpak build' wouldn't set the LD_LIBRARY_PATH that it should.
(Closes: #980323)
- Add a patch from upstream to fix possible regressions in extra-data.
The extra-data mechanism, used to download large or proprietary
components out-of-band, could suffer from a regression similar to
#980323 if the app or runtime's apply_extra entry point relies on
LD_LIBRARY_PATH.
* Add CVE-2021-21261 reference to previous changelog entry
-- Simon McVittie <email address hidden> Thu, 21 Jan 2021 13:57:39 +0000
flatpak (1.10.1-2) unstable; urgency=medium
* d/patches: Disable FUSE-based revokefs if any of several factors fail.
This fixes FTBFS in pbuilder, and hopefully also on Launchpad
autobuilders.
-- Simon McVittie <email address hidden> Thu, 28 Jan 2021 22:24:20 +0000
Available diffs
- diff from 1.10.1-1 to 1.10.1-2 (2.5 KiB)
flatpak (1.10.1-1) unstable; urgency=medium
* New upstream release
- Fix a regression in 'flatpak build' after fixing CVE-2021-21261
(Closes: #980323)
-- Simon McVittie <email address hidden> Thu, 21 Jan 2021 14:12:22 +0000
Available diffs
- diff from 1.10.0-2 to 1.10.1-1 (60.4 KiB)
flatpak (1.10.0-2) unstable; urgency=medium * Upload 1.10.x branch to unstable * Add CVE-2021-21261 reference to 1.8.5-1 changelog entry -- Simon McVittie <email address hidden> Sun, 17 Jan 2021 11:51:16 +0000
Available diffs
- diff from 1.8.5-1 to 1.10.0-2 (887.4 KiB)
| Deleted in experimental-release (Reason: None provided.) |
flatpak (1.10.0-1) experimental; urgency=medium
* d/control: Fix branch in Vcs-Git for experimental
* Merge packaging from unstable
* New upstream release, starting the 1.10.x branch
* Drop patches, applied upstream
* d/flatpak.install: Install new systemd environment generator
* d/tests: Mark update portal test as flaky due to
https://github.com/flatpak/flatpak/issues/4065
-- Simon McVittie <email address hidden> Thu, 14 Jan 2021 12:35:25 +0000
flatpak (1.8.5-1) unstable; urgency=high
* New upstream release fixing a sandbox escape vulnerability
(GHSA-4ppf-fxf6-vxg2)
* Mark patch for #975710 as having been applied upstream
-- Simon McVittie <email address hidden> Thu, 14 Jan 2021 09:34:09 +0000
Available diffs
- diff from 1.8.4-2 to 1.8.5-1 (34.5 KiB)
flatpak (1.8.4-2) unstable; urgency=medium
* Mark patch for #972138 as having been applied upstream
* Add patch to avoid gvfs-daemon being started when logging in as root.
Thanks to Mourad De Clerck (Closes: #975710)
* Add package-specific info from bubblewrap to bug reports.
In particular, this will tell us whether it's setuid.
-- Simon McVittie <email address hidden> Sun, 03 Jan 2021 15:37:04 +0000
Available diffs
- diff from 1.8.4-1 to 1.8.4-2 (1.3 KiB)
| Superseded in experimental-release |
flatpak (1.9.3-2) experimental; urgency=medium
* Add patch to avoid gvfs-daemon being started when logging in as root.
Thanks to Mourad De Clerck (Closes: #975710)
* Add package-specific info from bubblewrap to bug reports.
In particular, this will tell us whether it's setuid.
-- Simon McVittie <email address hidden> Sun, 03 Jan 2021 15:37:18 +0000
| Superseded in experimental-release |
flatpak (1.9.3-1) experimental; urgency=medium
* Merge packaging changes from unstable
* New upstream release
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Drop patch, which should be unnecessary with the new version
* Mark remaining patch as forwarded
-- Simon McVittie <email address hidden> Sun, 27 Dec 2020 14:12:59 +0000
flatpak (1.8.4-1) unstable; urgency=medium
* debian/o.fd.Flatpak.pkla: sync with rules provided by upstream
* Use debian/unstable branch for packaging
* New upstream release
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Drop patch, which should be unnecessary with the new version
-- Simon McVittie <email address hidden> Thu, 24 Dec 2020 10:58:59 +0000
Available diffs
- diff from 1.8.3-2 to 1.8.4-1 (5.4 KiB)
flatpak (1.8.3-2) unstable; urgency=medium
* Preferentially build-depend on libgdk-pixbuf-2.0-dev.
We don't need the deprecated Xlib integration that is also pulled in
by the older libgdk-pixbuf2.0-dev package (see #974870).
* Standards-Version: 4.5.1 (no changes required)
-- Simon McVittie <email address hidden> Tue, 24 Nov 2020 12:01:18 +0000
Available diffs
- diff from 1.8.3-1 to 1.8.3-2 (616 bytes)
| Superseded in experimental-release |
flatpak (1.9.2-1) experimental; urgency=medium
* Branch for experimental
* New upstream development release
* Update ostree build-dependency
* Use upstream's autogen.sh now that it's shipped
* d/copyright: Update
* d/p/Skip-parental-controls-checks-on-ServiceUnknown-or-NameHa.patch:
Drop patch that was applied upstream
* d/p/Skip-a-test-case-if-etc-mtab-doesn-t-exist.patch:
Work around a test failure that can happen in sbuild
* Update symbols file.
Ignore removal of flatpak_http_error_quark (aka FLATPAK_HTTP_ERROR),
which is not in any public headers and is not referenced by any
other Debian package.
-- Simon McVittie <email address hidden> Fri, 20 Nov 2020 17:30:05 +0000
flatpak (1.8.3-1) unstable; urgency=medium * New upstream release -- Simon McVittie <email address hidden> Thu, 19 Nov 2020 14:51:15 +0000
Available diffs
- diff from 1.8.2-3 to 1.8.3-1 (71.9 KiB)
flatpak (1.8.2-3) unstable; urgency=medium
* d/p/Skip-parental-controls-checks-on-ServiceUnknown-or-NameHa.patch:
Add proposed patch to skip parental controls if accountsservice is not
installed.
The malcontent package (which activates parental controls support)
depends on accountsservice, but the libmalcontent-0-0 client library
does not, so we need to cope gracefully with the case where
neither malcontent nor accountsservice is installed. Presumably, in such
installations the sysadmin did not want the parental controls feature.
Ideally libmalcontent would do this itself (#972145). (Closes: #972138)
* Add Depends on dbus, for the well-known system bus service.
Now that the parental controls feature is enabled, Flatpak will refuse
to run apps if the D-Bus system bus is unavailable. Previously, it would
have partially worked (but with severely reduced functionality, in
particular only --user installations).
* d/control: Canonicalize case of Multi-Arch
* Update lintian overrides to silence some false-positives
-- Simon McVittie <email address hidden> Thu, 15 Oct 2020 09:47:28 +0100
Available diffs
- diff from 1.8.2-1 to 1.8.2-3 (2.5 KiB)
- diff from 1.8.2-2 to 1.8.2-3 (2.2 KiB)
flatpak (1.8.2-2) unstable; urgency=medium
[ Laurent Bigonville ]
* debian/control: Add libmalcontent-0-dev to the build-dependencies.
This provides optional parental controls for app installation and
launching.
[ Simon McVittie ]
* Add Suggests on malcontent-gui
-- Simon McVittie <email address hidden> Sat, 10 Oct 2020 20:10:55 +0100
Available diffs
- diff from 1.8.2-1 to 1.8.2-2 (589 bytes)
flatpak (1.8.2-1) unstable; urgency=medium
* New upstream release
- Drop patch for #964541, applied upstream
-- Simon McVittie <email address hidden> Tue, 25 Aug 2020 15:57:31 +0100
Available diffs
- diff from 1.8.1-2 to 1.8.2-1 (78.2 KiB)
flatpak (1.8.1-2) unstable; urgency=medium
* Include flatpak-bisect and flatpak-coredumpctl in libflatpak-dev
- Depends: python3, to be able to run the scripts themselves
- Recommends: flatpak, for both scripts
- Suggests: gdb and systemd-coredump, for flatpak-coredumpctl
- Suggests: python3-gi and ostree, for flatpak-bisect
* d/p/Fix-argument-order-of-clone-for-s390x-in-seccomp-filter.patch:
Add proposed patch to fix seccomp filtering on s390x.
Thanks to Julian Andres Klode. (Closes: #964541, LP: #1886814)
-- Simon McVittie <email address hidden> Thu, 06 Aug 2020 22:45:21 +0100
Available diffs
- diff from 1.8.1-1 to 1.8.1-2 (1.8 KiB)
flatpak (1.8.1-1) unstable; urgency=medium * New upstream stable release -- Simon McVittie <email address hidden> Sat, 04 Jul 2020 15:24:14 +0100
Available diffs
- diff from 1.8.0-1 to 1.8.1-1 (58.9 KiB)
flatpak (1.8.0-1) unstable; urgency=medium
* New upstream stable release
- Update configure options
- Install gdm env.d fragment, but only as an example file.
It is harmful on systems where environment.d(5) works (in particular
systems using systemd), because it overwrites additions to the
XDG_DATA_DIRS coming from other app frameworks like Snap.
However, using either this fragment or manual configuration might
be necessary on non-systemd systems. See
/usr/share/doc/flatpak/README.Debian for more details.
- d/flatpak.README.Debian: Add
-- Simon McVittie <email address hidden> Thu, 25 Jun 2020 12:26:28 +0100
Available diffs
- diff from 1.6.3-1 to 1.8.0-1 (692.7 KiB)
| Deleted in experimental-release (Reason: None provided.) |
flatpak (1.7.3-1) experimental; urgency=medium
* New upstream development release
* Install new fish completions
* Enable new libzstd support
* Install new sysusers.d fragment
* d/libflatpak0.symbols: Update.
Ignore deletion of flatpak_oci_error_quark(), which was not public API.
-- Simon McVittie <email address hidden> Wed, 10 Jun 2020 19:49:14 +0100
flatpak (1.6.3-1) unstable; urgency=medium * New upstream stable release -- Simon McVittie <email address hidden> Tue, 31 Mar 2020 11:56:06 +0100
Available diffs
- diff from 1.6.2-1 to 1.6.3-1 (16.8 KiB)
| Superseded in experimental-release |
flatpak (1.7.1-1) experimental; urgency=medium
* New upstream development release
- Sideloading apps now works differently.
Flatpak no longer supports installing from local network peers, and
sideloading from a local USB drive is no longer automatic.
Instead of being configured via `flatpak config sideload-repos`,
enabling sideloading is now done by creating a symbolic link in
/var/lib/flatpak/sideload-repos or /run/flatpak/sideload-repos.
-- Simon McVittie <email address hidden> Tue, 31 Mar 2020 14:46:05 +0100
| Superseded in experimental-release |
flatpak (1.7.0~git20200330-1) experimental; urgency=medium
* New upstream snapshot
- d/copyright: Update
- Drop all patches, applied upstream
* Revert "d/control: Add spurious Build-Conflicts on elogind packages".
experimental buildds now use aptitude rather than aspcud, so this
particular workaround shouldn't be necessary, even in experimental.
* Explicitly build-depend on python3-pyparsing.
This is required to generate the variant schema compiler.
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Disable optimized calculation of offset size.
This doesn't seem to be completely portable, and it isn't clear why not,
so disable it until we have more answers.
-- Simon McVittie <email address hidden> Mon, 30 Mar 2020 09:59:00 +0100
| Superseded in experimental-release |
flatpak (1.7.0~git20200325-1) experimental; urgency=medium
* Branch for 1.7.x and Debian experimental
- d/control, d/gbp.conf: Use debian/experimental packaging branch
- d/gbp.conf: Use upstream/latest branch
- d/watch: Watch for development releases
* New upstream snapshot
* Build-depend on python3 even when not running tests, for
variant-schema-compiler
* Update symbols file
* d/patches: Add patches proposed upstream to formalize deprecations
and fix rebuild of generated files
* d/control: Add spurious Build-Conflicts on elogind packages.
As in 1.5.0-1, this works around a build-dependency resolver failure
when using the same aspcud resolution behaviour as official Debian
experimental buildds, and can safely be reverted in distributions
that only have elogind, such as Devuan.
-- Simon McVittie <email address hidden> Wed, 25 Mar 2020 13:44:31 +0000
flatpak (1.6.2-1) unstable; urgency=medium * New upstream stable release -- Simon McVittie <email address hidden> Thu, 13 Feb 2020 16:42:14 +0000
Available diffs
- diff from 1.6.1-1 to 1.6.2-1 (118.1 KiB)
flatpak (1.6.1-1) unstable; urgency=medium
* New upstream stable release
* Use secure URI in Homepage field.
* Set upstream metadata fields: Repository.
* Remove obsolete field Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
* Standards-Version: 4.5.0 (no changes required)
-- Simon McVittie <email address hidden> Thu, 23 Jan 2020 17:53:52 +0000
Available diffs
- diff from 1.6.0-1 to 1.6.1-1 (74.2 KiB)
flatpak (1.6.0-1) unstable; urgency=medium
* New upstream stable release
- d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
Drop workaround, the leaks that broke this test have been fixed
- Drop other patches, applied upstream
- Bump xdg-desktop-portal dependency to 1.6.x.
That version has new API which Flatpak apps might rely on, so the
corresponding versions should be tested and backported together.
* d/watch: Only watch for stable releases
* Set upstream branch to upstream/1.6.x
* Drop xdg-desktop-portal from Depends to Recommends.
Installing xdg-desktop-portal 1.6.x is strongly recommended, but
strictly speaking it is not required: some of the simpler Flatpak
apps can work without it. (Closes: #947022)
* tests: Depend on fuse and policykit-1
* Revert Build-Conflicts on elogind to be nice to non-systemd derivatives.
This was a workaround for the build-dependency resolver used in
experimental, and is unnecessary now that I'm targeting unstable.
-- Simon McVittie <email address hidden> Tue, 24 Dec 2019 16:11:00 +0000
Available diffs
- diff from 1.4.3-1 to 1.6.0-1 (695.2 KiB)
| Deleted in experimental-release (Reason: None provided.) |
flatpak (1.5.2-1) experimental; urgency=medium
* New upstream development release
- d/copyright: Update
- d/control: Depend on bubblewrap 0.4.0
- Update d/libflatpak0.symbols
* d/tests/build: Use correct compiler for proposed autopkgtest
cross-architecture testing support
* Make autopkgtests shellcheck-clean
* d/p/debian/Use-Python-3-for-test-web-server.patch:
Drop patch, no longer needed.
The tests now require Python 3 upstream, and no longer support
Python 2.
* Depend on xdg-desktop-portal 1.5.4.
This is probably not strictly required, but they are likely to be
released together and some features will need it.
* d/tests/build: Use correct compiler for proposed autopkgtest
cross-architecture testing support
* Make autopkgtests shellcheck-clean
* d/patches:
Add proposed patches from upstream PR 3307 to fix memory and fd leaks
* d/patches:
Add proposed patches from upstream PR 3310, 3311, 3312 to fix some
minor memory leaks
* d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
Remove problematic assertions while the failure is investigated
-- Simon McVittie <email address hidden> Tue, 17 Dec 2019 11:34:34 +0000
| Superseded in buster-release |
flatpak (1.2.5-0+deb10u1) buster; urgency=medium
* New upstream stable release
- Allow runtimes (not just apps) to use extra_data, which is required
by the new org.freedesktop.Platform.openh264 extension
- Support apps that specify several required Flatpak versions,
such as 1.4.2;1.2.5; for runtimes that require the above feature
- Backport some crash bug fixes from 1.4.x
- Fix installation of bundles
- Set looser permissions on the /run/host/monitor directory, to
work better with tools like Fedora Toolbox on the host system
- Do not wrongly remove extensions as "unused" if they are referenced
by the 'versions' extension key rather than by 'version'
* d/gbp.conf: Use debian/buster packaging branch
* d/watch: Only look for 1.2.x releases
-- Simon McVittie <email address hidden> Mon, 23 Sep 2019 08:44:18 +0100
| 1 → 75 of 189 results | First • Previous • Next • Last |
