[Pkg-utopia-maintainers] Bug#1069672: bookworm-pu: package flatpak/1.14.6-1~deb12u1 or 1.14.7-1~deb12u1

Simon McVittie smcv at debian.org
Mon Apr 22 13:33:32 BST 2024


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: flatpak at packages.debian.org
Control: affects -1 + src:flatpak

After the dust has settled from CVE-2024-32462, I would like to do a
stable-update of Flatpak using the upstream 1.14.x branch.

At the moment bookworm-security has 1.14.4 plus the patches for
CVE-2024-32462. The current upstream release is 1.14.6 (also available in
unstable and in testing-proposed-updates), which moves the security fix
from patches into the upstream source and fixes various less serious bugs.

We are also hoping to do a 1.14.7 upstream release soon, perhaps this
week. Would the stable release team prefer this to be proposed as one
big update from 1.14.4 to 1.14.7, or two smaller updates
1.14.4 → 1.14.6 → 1.14.7, or do you not mind either way?

[ Impact ]
If not accepted, several known bugs remain present in stable.
The highest-visibility one is that the developer name of an app appears
in the CLI where the app name should be, for example "The Chromium Authors"
instead of the correct "Chromium Web Browser".

Also, if we keep up with upstream stable releases, then next time there
is a CVE, we can take upstream's stable release directly instead of
having to backport individual patches.

[ Tests ]
There is a fairly comprehensive test suite. It cannot be run under schroot
or lxc due to limitations of nested containers, but I run it in
autopkgtest-virt-qemu before each upload, and ci.debian.net has now been
configured to run flatpak's tests under autopkgtest-virt-qemu as well.

I will test a final version manually on a bookworm system before upload.

[ Risks ]
Somewhat low risk: all changes are targeted bug fixes. I would say that
the highest-risk changes are the alterations to how AppStream metadata is parsed
and displayed, but several distributions are already using those changes
via the 1.15.x branch and we have not had regression reports.

[ Checklist ]
The changes in 1.14.7 will not be finalized until the release actually
happens, but I have reviewed and attached a proposed diff.

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes in 1.14.5 and 1.14.6 ]
See attached flatpak-1.14.6-bookworm.diff.gz

* Makefile.am,
  configure.ac,
  data/Makefile.am.inc,
  data/tmpfiles.d/flatpak.conf,
  debian/flatpak.install,
  sideload-repos-systemd/Makefile.am.inc:
  - Delete obsolete /var/tmp/flatpak-cache-* (if any) during boot

* app/flatpak-builtins-build.c,
  common/flatpak-dir.c,
  common/flatpak-run.c,
  tests/test-run.sh:
  - Fix CVE-2024-32462 (previously done via a patch)

* app/flatpak-builtins-remote-info.c:
  - Fix display of app info in `flatpak remote-info`
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-remote-ls.c,
  app/flatpak-builtins-search.c,
  app/flatpak-builtins-utils.c,
  app/flatpak-builtins-utils.h,
  config.h.in,
  configure.ac:
  - Fix some uses of deprecated libappstream API
  - Forward-compatibility with libappstream 0.17.x and 1.0

* app/flatpak-builtins-run.c,
  common/flatpak-dir.c,
  tests/testlibrary.c:
  - Silence some compiler warning false-positives

* common/flatpak-appdata.c,
  tests/make-test-app.sh,
  tests/test-info.sh:
  - Don't parse the app developer name as though it was the app name

* common/flatpak-run.c,
  doc/flatpak-run.xml:
  - Don't let the sandboxed app inherit a wrong value for $VK_DRIVER_FILES,
    $VK_ICD_FILENAMES

* common/flatpak-utils-http.c:
  - Cancel downloads if they become very slow

* common/flatpak-utils.c,
  tests/test-exports.c,
  tests/test-instance.c:
  - Forward-compatibility with newer GLib releases

* NEWS,
  common/flatpak-version-macros.h,
  configure.ac,
  tests/package_version.txt:
  - The usual release management noise

* debian/test.sh:
  - Unset proxy environment variables to make sure a test http server on
    localhost is reachable

* doc/flatpak-metadata.xml:
  - Provide anchors for internal linking
  - Clarify documentation on which D-Bus names are allowed by default

* doc/reference/html/*.html:
  - Regenerated with Debian 12 toolchain
    (these are also re-regenerated during build)
  (Filtered from debdiff)

* po/*.po,
  po/flatpak.pot:
  - Regenerated during upstream release procedure (different line numbering)
  (Filtered from debdiff)

* portal/flatpak-portal.c:
  - Save the original environment before setting GIO_USE_VFS, and restore it
    before starting sandboxed programs, so that GVfs can work

* revokefs/main.c:
  - Forward-compatibility with libostree 2023.4

* session-helper/flatpak-session-helper.c:
  - Same as portal/, but for programs run on the host system by trusted
    Flatpak apps

* tests/make-test-runtime.sh:
  - Fail tests earlier, with a better error message, if a required program
    is missing

* configure,
  Makefile.in,
  */Makefile.in:
  - Regenerated with Debian 12 toolchain
    (these are also re-regenerated during build)
  (Filtered from debdiff)

[ Changes expected to be included in 1.14.7 ]
See attached flatpak-1.14.6-1.14.7-rc1.diff.gz
(Note to self: this is based on commit
204de3a20c5e4b91ee8feb3a1cab0f80885310b7)

* app/flatpak-builtins-ps.c:
  - Use xdg-desktop-portal-gnome in addition to -gtk and -kde to determine
    whether an app is running in the background

* common/flatpak-dir.c:
  - Automatically reload D-Bus session bus configuration on new
    installations and upgrades, so that new .service files are reliably
    picked up
  - Forward compatibility with newer GLib

* common/flatpak-prune.c:
  - Fix some signed integer arithmetic that is strictly speaking
    undefined behaviour

* common/flatpak-run.c:
  - Ensure that environment variable container=flatpak is set, even if
    Flatpak is run inside a different container manager
  - If we can't connect to the D-Bus system bus, don't treat that as
    though parental controls forbid running apps, which in practice is
    troublesome when running Flatpak in a container

* common/flatpak-run.c,
  tests/test-repo.sh:
  - Don't try to repeat data migration for apps whose data was already
    migrated to a new name and then deleted

* doc/flatpak-*.xml:
  - Fix validity of Docbook XML against its DTD

* profile/flatpak.sh:
  - Don't leak a temporary variable "new_dirs" into user shell sessions

* tests/test-bundle.sh,
  tests/test-update-portal.sh:
  - Skip tests that require FUSE if the test suite is run in an
    environment where FUSE doesn't work or is not allowed

* tests/test-context.c:
  - Fix a double-free in a unit test

* tests/test-run.sh:
  - Fix a misleading comment when testing CVE-2024-32462
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak-1.14.6-1.14.7-rc1.diff.gz
Type: application/gzip
Size: 5253 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20240422/5bdc3fda/attachment-0002.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak-1.14.6-bookworm.diff.gz
Type: application/gzip
Size: 14138 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20240422/5bdc3fda/attachment-0003.gz>