[Pkg-utopia-maintainers] Bug#1123776: trixie-pu: package flatpak/1.16.2-1~deb13u1

Simon McVittie smcv at debian.org
Sun Dec 21 12:31:51 GMT 2025


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: flatpak at packages.debian.org
Control: affects -1 + src:flatpak
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
New upstream bugfix release

[ Impact ]
If not accepted, various upstream bugs will go unfixed. The most 
significant are:

- flatpak-kill(1) would accidentally kill its entire process group via
  kill(0) if a race condition was hit, which could result in terminating
  the desktop session
- a memory leak in flatpak-session-helper when privileged apps invoke a
  command outside their sandbox (flatpak-spawn --host) which becomes
  significant with some apps' use patterns (#1114484)
- VA-API didn't work on newer Intel GPUs that use the xe kernel driver,
  because the user-space component was only installed for older Intel
  GPUs that use the i915 driver; now it's installed for both

Additionally, the proposed version includes packaging changes to fix 
FTBFS when using the nocheck build-profile (#1116737) which might be 
useful for cross-compilation.

[ Tests ]
There's an upstream test suite, which still passes. Build-time test 
coverage is limited because bubblewrap doesn't work in a chroot, and 
similarly autopkgtest coverage on non-x86 is limited because nested 
containers usually don't work, but the autopkgtest on amd64 runs in a 
virtual machine on ci.debian.net and therefore has full coverage.

Also successfully smoke-tested on a Debian 13 GNOME desktop (uninstalled 
some obsolete runtimes, installed a new app, ran some apps).

This is a fairly straightforward backport of the version in unstable, 
which hasn't had any regressions reported, although admittedly it hasn't 
been in unstable for very long at this stage (and hasn't reached testing 
yet).

[ Risks ]
All changes are targeted bug fixes: some of the bugs being fixed are not 
particularly major, but it seems better to have the fixes than not. I 
reverted the more intrusive packaging changes from unstable to make this 
update easier to review.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
      (lightly filtered, excludes po/*.po)
  [x] the issue is verified as fixed in unstable

[ Changes ]

Packaging:

d/control: All part of fixing the nocheck build-profile (#1116737). 
fuse3 was previously not installed under nocheck, but that was wrong, 
and it is now installed unconditionally. Similarly polkitd and socat 
were previously not installed under nocheck, but actually they are 
required when building "as-installed" tests, so now they are only not 
installed if both nocheck and noinsttest are active, and the 
flatpak-tests binary package is skipped if noinsttest is active. No 
effect on official buildd builds.

d/rules: Similarly, we have to enable tests in all builds, unless both 
nocheck and noinsttest are active. No effect on official buildd builds.

d/copyright: Apply Lintian fixes, be more pedantic about the difference 
between the Lesser and Library General Public Licenses. No functional 
change, human-readable text only.

d/libflatpak-doc.install: The new upstream bug fix release builds and 
installs a document that was previously missing, fixing a regression 
introduced during 1.15.x, so we need to assign that file to a package.

Upstream:

app/flatpak-builtins-build.c:
Fix fontconfig warnings during `flatpak build` which could break apps'
build-time tests

app/flatpak-builtins-kill.c:
Fix `flatpak kill` as discussed above

app/flatpak-main.c, common/flatpak-run.c, common/flatpak-utils.c (second 
part), common/flatpak-utils-private.h:
Relax "running under sudo?" check so it only prevents
"sudo flatpak run ..." or "sudo flatpak --user ..." as root (which are
unlikely to be appropriate), but allows "sudo -u otheruser ..." or
"sudo -g othergroup ..."

common/flatpak-context.c:
Canonicalize special directories received from GLib before comparison, 
working around a regression in GLib 2.86.1 which was fixed in 2.86.2 
(not relevant to trixie and no longer relevant to unstable, but it 
improves robustness)

common/flatpak-dir.c (first part):
Fix flatpak-pin(1)/flatpak-mask(1) with multiple arguments when acting 
on the system-wide installation

common/flatpak-dir.c, common/flatpak-dir-private.h,
common/flatpak-installation.c, system-helper/flatpak-system-helper.c,
common/flatpak-transaction.c (second part), tests/test-bundle.sh (first part):
Implement the --reinstall option when installing a bundle (previously 
it was ignored)

common/flatpak-json-oci.c:
If a Docker-style OCI registry only has one image, improve command-line 
ergonomics by allowing the tag to be omitted (in practice mostly only 
relevant to Fedora - other publishers like Flathub use OSTree-format 
registries, which are more space-efficient)

common/flatpak-oci-registry.c:
Fix a memory leak when installing Flatpak apps from a Docker-style OCI 
registry (in practice mostly only relevant to Fedora)

common/flatpak-repo-utils.c:
Fix an assertion failure in flatpak-build-import-bundle(1)

common/flatpak-transaction.c (first part):
Fix a crash in `flatpak install --include-sdk` if the app is installed 
on a per-user basis but the corresponding SDK is already installed 
system-wide

common/flatpak-utils.c (first part):
Install the Intel VA-API driver extension for users of the xe kernel 
module, not just the i915 kernel module

common/flatpak-utils-http.c (first part):
Avoid a compiler warning about using a potentially uninitialized 
variable (in practice this is a false positive, we can't actually 
early-return before enumerator is assigned)

common/flatpak-utils-http.c (second and subsequent parts):
In libflatpak users like GNOME Software and KDE Discover, allow 
ongoing downloads to be cancelled

doc/flatpak-spawn.xml:
Clarify documentation

doc/reference/meson.build:
Build a single-file version of the library API reference (in practice 
mainly useful for docs.flatpak.org, but we might as well have it in 
Debian too)

session-helper/flatpak-session-helper.c:
Fix memory leak #1114484 by using automatic memory management for a 
temporary variable

tests/test-bundle.sh, tests/test-run.sh:
Avoid test failure if a required tool is not installed (no practical 
effect in Debian, we do install them as dependencies)

tests/testlib.c:
Fix uninitialized parameter to fcntl F_DUPFD_CLOEXEC which can cause 
test failures on some architectures

[ Other info ]
If you'd prefer to wait a few days for the corresponding unstable upload 
to migrate to testing, that would be fine, but I wanted to get this 
uploaded well before the 13.3 deadline.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flatpak_1.16.2-1~deb13u1.diff
Type: text/x-diff
Size: 45326 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20251221/e2fbea4f/attachment-0001.diff>
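
The kill(0) failure mode listed under [ Impact ], as an added example that is not part of the original message and is not flatpak's code or its upstream fix. It assumes the race leaves the looked-up PID empty or 0; parse_pid and kill_one_process are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a PID from text (hypothetical source; "" models the racy case where
 * the PID is not available yet). Accepts only one strictly positive PID. */
static int parse_pid(const char *text, pid_t *out)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)            /* overflow, or no digits */
        return -1;
    if (*end != '\0' && !(*end == '\n' && end[1] == '\0'))
        return -1;                            /* trailing junk */
    if (v <= 0 || v > INT_MAX)                /* 0 or negative: not one process */
        return -1;
    *out = (pid_t)v;
    return 0;
}

/* kill(2): pid 0 means the caller's whole process group, -1 every process
 * the caller may signal, < -1 the group -pid. Refuse all of them. */
static int kill_one_process(pid_t pid, int sig)
{
    if (pid <= 0) {
        errno = EINVAL;
        return -1;
    }
    return kill(pid, sig);
}

int main(void)
{
    char self[32];
    pid_t pid = 0;

    snprintf(self, sizeof self, "%ld\n", (long)getpid());
    /* Signal 0 only checks that the target exists; nothing is delivered. */
    if (parse_pid(self, &pid) != 0 || kill_one_process(pid, 0) != 0)
        return 1;
    return parse_pid("", &pid) == -1 ? 0 : 1;  /* racy empty read is rejected */
}
```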

