diff --git a/.flatpak.metadata b/.flatpak.metadata
index 793a70b..3007110 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-51317ee7abeb09fc68c924ee74463185be901658 SOURCES/flatpak-1.0.9.tar.xz
+6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz
diff --git a/.gitignore b/.gitignore
index a16c229..4568fda 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.0.9.tar.xz
+SOURCES/flatpak-1.6.2.tar.xz
diff --git a/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch b/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
deleted file mode 100644
index 5c49a07..0000000
--- a/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3ad6fe680cf3804193c8a4fe4f9f6e8840ef3524 Mon Sep 17 00:00:00 2001
-From: Matthias Clasen
-Date: Wed, 17 Apr 2019 11:40:26 -0400
-Subject: [PATCH 1/3] oci: Handle cancellations for appstream
-
-When an appstream update is cancelled while downloading
-icons, properly fail. Otherwise, the next update attempt
-will see an up-to-date timestamp, think everyhing is ok
-and not download the missing icons.
-
-Closes: https://github.com/flatpak/flatpak/issues/2835
-
-Closes: #2836
-Approved by: alexlarsson
-
-(cherry picked from commit f28e62add1eb508bbfe97aab94743b129d1422ee)
----
- common/flatpak-oci-registry.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
-index fe9afbdd..1a6edb76 100644
----- a/common/flatpak-oci-registry.c
-+++ b/common/flatpak-oci-registry.c
-@@ -2473,6 +2473,9 @@ flatpak_oci_index_make_appstream (SoupSession *soup_session,
- }
- }
-
-+ if (g_cancellable_set_error_if_cancelled (cancellable, error))
-+ return NULL;
-+
- if (!flatpak_appstream_xml_root_to_data (appstream_root,
- &bytes, NULL, error))
- return NULL;
---
-2.21.0
-
diff --git a/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch b/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch
deleted file mode 100644
index c91ab00..0000000
--- a/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 962a7f560ee0fa08eb30b0536d4ae9659ceaf163 Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Wed, 8 May 2019 16:54:55 +0200 -Subject: [PATCH 3/3] update: Fix OCI updates in the system repo - -We need to check whether the remote is gpg verified after handling -the oci case, because OCI is fine to update systemwide without gpg -verification (in fact it doesn't support verification). - -This just reorders the code, matching what is done in the install -case already. - -Closes: #2891 -Approved by: alexlarsson - -(cherry picked from commit 4c4c80b85d629bad1a377524b7787200f1c831a0) ---- - common/flatpak-dir.c | 32 ++++++++++++++++---------------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 79fa361d..1fc6a90c 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -8364,22 +8364,6 @@ flatpak_dir_update (FlatpakDir *self, - if (no_pull) - { - } -- else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify) -- { -- /* The remote is not gpg verified, so we don't want to allow installation via -- a download in the home directory, as there is no way to verify you're not -- injecting anything into the remote. However, in the case of a remote -- configured to a local filesystem we can just let the system helper do -- the installation, as it can then avoid network i/o and be certain the -- data comes from the right place. -- -- If @collection_id is non-%NULL, we can verify the refs in commit -- metadata, so don’t need to verify the summary. 
*/ -- if (g_str_has_prefix (url, "file:")) -- helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL; -- else -- return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote")); -- } - else if (is_oci) - { - g_autoptr(FlatpakOciRegistry) registry = NULL; -@@ -8396,6 +8380,22 @@ flatpak_dir_update (FlatpakDir *self, - if (!flatpak_dir_mirror_oci (self, registry, state, ref, NULL, progress, cancellable, error)) - return FALSE; - } -+ else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify) -+ { -+ /* The remote is not gpg verified, so we don't want to allow installation via -+ a download in the home directory, as there is no way to verify you're not -+ injecting anything into the remote. However, in the case of a remote -+ configured to a local filesystem we can just let the system helper do -+ the installation, as it can then avoid network i/o and be certain the -+ data comes from the right place. -+ -+ If @collection_id is non-%NULL, we can verify the refs in commit -+ metadata, so don’t need to verify the summary. */ -+ if (g_str_has_prefix (url, "file:")) -+ helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL; -+ else -+ return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote")); -+ } - else - { - /* We're pulling from a remote source, we do the network mirroring pull as a --- -2.21.0 - diff --git a/SOURCES/flatpak-1.0.4-oci-fixes.patch b/SOURCES/flatpak-1.0.4-oci-fixes.patch deleted file mode 100644 index 663d389..0000000 --- a/SOURCES/flatpak-1.0.4-oci-fixes.patch +++ /dev/null 
@@ -1,346 +0,0 @@ -From 3f5235e925ba6555cd9c639684660356867c952f Mon Sep 17 00:00:00 2001 -From: "Owen W. Taylor" -Date: Fri, 30 Nov 2018 16:11:06 -0500 -Subject: [PATCH 1/3] flatpak_cache_http_uri: save downloaded files with - permission 0644 - -Previously, downloaded files were being saved with 0600 permissions, -which prevented OCI icons downloaded by the system helper at appstream -creation time from being read by users. - -Closes: #2362 -Approved by: matthiasclasen ---- - common/flatpak-utils-http.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c -index 53074162..997c9db8 100644 ---- a/common/flatpak-utils-http.c -+++ b/common/flatpak-utils-http.c -@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile, - if (fdatasync (tmpfile->fd) != 0) - return glnx_throw_errno_prefix (error, "fdatasync"); - -+ if (fchmod (tmpfile->fd, 0644) != 0) -+ return glnx_throw_errno_prefix (error, "fchmod"); -+ - if (!glnx_link_tmpfile_at (tmpfile, - GLNX_LINK_TMPFILE_REPLACE, - tmpfile->src_dfd, dest_name, error)) --- -2.19.2 - - -From 3263827dbbd4d84919899e91ca066d2d3cf338bc Mon Sep 17 00:00:00 2001 -From: Alexander Larsson -Date: Fri, 30 Nov 2018 10:30:20 +0100 -Subject: [PATCH 2/3] OCI: Use system helper to generate summary for OCI - remotes - -The OCI support relies on downloading a json index and converting it -to a ostree-style summary, which we the use in all sorts of operations -in the client code. Currently this happens in the user code, which means -that it will fail (due to permissions) in the system installation case. - -We could do the conversion as the user, but when eventually installing -something the system-helper will anyway do this download and -conversion, so that would only double the work and risk things going out -of sync. Also, the OCI index is not gpg signed, so we can't realy on -downloads done as the user. 
- -So, the solution done here is to add a GenerateOciSummary -system-helper call which we use instead of directly generating the -oci summary. - -This fixes https://github.com/flatpak/flatpak/issues/2350 - -Closes: #2363 -Approved by: matthiasclasen ---- - common/flatpak-dir-private.h | 5 ++ - common/flatpak-dir.c | 94 +++++++++++++++++++-------- - data/org.freedesktop.Flatpak.xml | 5 ++ - system-helper/flatpak-system-helper.c | 52 ++++++++++++++- - 4 files changed, 129 insertions(+), 27 deletions(-) - -diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h -index 64a72758..f6126056 100644 ---- a/common/flatpak-dir-private.h -+++ b/common/flatpak-dir-private.h -@@ -718,6 +718,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel - GBytes *opt_summary_sig, - GCancellable *cancellable, - GError **error); -+gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self, -+ const char *remote, -+ GBytes **out_summary, -+ GCancellable *cancellable, -+ GError **error); - FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self, - const char *remote, - GCancellable *cancellable, -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 828945ca..7853b74a 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self, - return ret != NULL; - } - -+static gboolean -+flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self, -+ const gchar *arg_origin, -+ const gchar *arg_installation, -+ GCancellable *cancellable, -+ GError **error) -+{ -+ g_autoptr(GVariant) ret = -+ flatpak_dir_system_helper_call (self, "GenerateOciSummary", -+ g_variant_new ("(ss)", -+ arg_origin, -+ arg_installation), -+ cancellable, error); -+ return ret != NULL; -+} -+ - static OstreeRepo * - system_ostree_repo_new (GFile *repodir) - { -@@ -9088,7 +9104,7 @@ flatpak_dir_cache_summary (FlatpakDir *self, - G_UNLOCK (cache); - } - 
--static gboolean -+gboolean - flatpak_dir_remote_make_oci_summary (FlatpakDir *self, - const char *remote, - GBytes **out_summary, -@@ -9103,42 +9119,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self, - g_autoptr(GError) local_error = NULL; - g_autoptr(GMappedFile) mfile = NULL; - g_autoptr(GBytes) cache_bytes = NULL; -+ g_autoptr(GBytes) summary_bytes = NULL; - -- self_name = flatpak_dir_get_name (self); -- -- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); -- if (index_cache == NULL) -- return FALSE; -+ if (flatpak_dir_use_system_helper (self, NULL)) -+ { -+ const char *installation = flatpak_dir_get_id (self); - -- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -- if (summary_cache == NULL) -- return FALSE; -+ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote, -+ installation ? installation : "", -+ cancellable, error)) -+ return FALSE; - -- if (check_destination_mtime (index_cache, summary_cache, cancellable)) -+ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -+ if (summary_cache == NULL) -+ return FALSE; -+ } -+ else - { -- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL); -- if (mfile) -+ self_name = flatpak_dir_get_name (self); -+ -+ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); -+ if (index_cache == NULL) -+ return FALSE; -+ -+ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); -+ if (summary_cache == NULL) -+ return FALSE; -+ -+ if (!check_destination_mtime (index_cache, summary_cache, cancellable)) - { -- cache_bytes = g_mapped_file_get_bytes (mfile); -- *out_summary = g_steal_pointer (&cache_bytes); -+ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); -+ if (summary == NULL) -+ { -+ g_propagate_error (error, g_steal_pointer (&local_error)); -+ return FALSE; -+ } -+ -+ 
summary_bytes = g_variant_get_data_as_bytes (summary); -+ -+ if (!g_file_replace_contents (summary_cache, -+ g_bytes_get_data (summary_bytes, NULL), -+ g_bytes_get_size (summary_bytes), -+ NULL, FALSE, 0, NULL, cancellable, error)) -+ { -+ g_prefix_error (error, _("Failed to write summary cache: ")); -+ return FALSE; -+ } -+ -+ if (out_summary) -+ *out_summary = g_steal_pointer (&summary_bytes); - return TRUE; - } - } - -- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); -- if (summary == NULL) -+ if (out_summary) - { -- g_propagate_error (error, g_steal_pointer (&local_error)); -- return FALSE; -- } -- -- *out_summary = g_variant_get_data_as_bytes (summary); -+ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error); -+ if (mfile == NULL) -+ return FALSE; - -- if (!g_file_replace_contents (summary_cache, -- g_bytes_get_data (*out_summary, NULL), -- g_bytes_get_size (*out_summary), -- NULL, FALSE, 0, NULL, cancellable, NULL)) -- g_warning ("Failed to write summary cache"); -+ cache_bytes = g_mapped_file_get_bytes (mfile); -+ *out_summary = g_steal_pointer (&cache_bytes); -+ } - - return TRUE; - } -diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml -index 25dc8a02..8b1606c6 100644 ---- a/data/org.freedesktop.Flatpak.xml -+++ b/data/org.freedesktop.Flatpak.xml -@@ -144,6 +144,11 @@ - - - -+ -+ -+ -+ -+ - - - -diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c -index ce647b6e..29a2d3e1 100644 ---- a/system-helper/flatpak-system-helper.c -+++ b/system-helper/flatpak-system-helper.c -@@ -1122,6 +1122,54 @@ handle_update_summary (FlatpakSystemHelper *object, - return TRUE; - } - -+static gboolean -+handle_generate_oci_summary (FlatpakSystemHelper *object, -+ GDBusMethodInvocation *invocation, -+ const gchar *arg_origin, -+ const gchar *arg_installation) -+{ -+ g_autoptr(FlatpakDir) system = NULL; -+ g_autoptr(GError) error = 
NULL; -+ gboolean is_oci; -+ -+ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation); -+ -+ system = dir_get_system (arg_installation, &error); -+ if (system == NULL) -+ { -+ g_dbus_method_invocation_return_gerror (invocation, error); -+ return TRUE; -+ } -+ -+ if (!flatpak_dir_ensure_repo (system, NULL, &error)) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, -+ "Can't open system repo %s", error->message); -+ return TRUE; -+ } -+ -+ is_oci = flatpak_dir_get_remote_oci (system, arg_origin); -+ if (!is_oci) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, -+ "%s is not a OCI remote", arg_origin); -+ return TRUE; -+ } -+ -+ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error)) -+ { -+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, -+ "Failed to update OCI summary: %s", error->message); -+ return TRUE; -+ } -+ -+ -+ flatpak_system_helper_complete_generate_oci_summary (object, invocation); -+ -+ return TRUE; -+} -+ -+ - static gboolean - flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, - GDBusMethodInvocation *invocation, -@@ -1250,7 +1298,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, - g_strcmp0 (method_name, "PruneLocalRepo") == 0 || - g_strcmp0 (method_name, "EnsureRepo") == 0 || - g_strcmp0 (method_name, "RunTriggers") == 0 || -- g_strcmp0 (method_name, "UpdateSummary") == 0) -+ g_strcmp0 (method_name, "UpdateSummary") == 0 || -+ g_strcmp0 (method_name, "GenerateOciSummary") == 0) - { - const char *remote; - -@@ -1321,6 +1370,7 @@ on_bus_acquired (GDBusConnection *connection, - g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL); - g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL); - g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), 
NULL); -+ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL); - - g_signal_connect (helper, "g-authorize-method", - G_CALLBACK (flatpak_authorize_method_handler), --- -2.19.2 - - -From b7f1d5118fc4e1df472f7108472f122e279fe2b9 Mon Sep 17 00:00:00 2001 -From: Matthias Clasen -Date: Fri, 7 Dec 2018 14:39:06 -0500 -Subject: [PATCH 3/3] Fix oci pull progress reporting - -Comparing the code in flatpak-utils.c:progress_cb, -we need to set bytes-transferred for the total amount -of data that has been transferred so far. The value -we were setting so far, fetched-delta-part-size, refers -to the size of the objects we already have locally, and -is subtracted from the total, which explains oci progress -running backwards. - -Closes: #2392 - -Closes: #2400 -Approved by: matthiasclasen ---- - common/flatpak-dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 7853b74a..51cd1e66 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -4154,7 +4154,7 @@ oci_pull_progress_cb (guint64 total_size, guint64 pulled_size, - "total-delta-parts", "u", n_layers, - "fetched-delta-fallbacks", "u", 0, - "total-delta-fallbacks", "u", 0, -- "fetched-delta-part-size", "t", pulled_size, -+ "bytes-transferred", "t", pulled_size, - "total-delta-part-size", "t", total_size, - "total-delta-part-usize", "t", total_size, - "total-delta-superblocks", "u", 0, --- -2.19.2 - diff --git a/SOURCES/flatpak-1.6.2-oci-fixes.patch b/SOURCES/flatpak-1.6.2-oci-fixes.patch new file mode 100644 index 0000000..c2c6550 --- /dev/null +++ b/SOURCES/flatpak-1.6.2-oci-fixes.patch 
@@ -0,0 +1,161 @@ +diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c +--- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000 ++++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000 +@@ -901,6 +901,7 @@ + + static char * + get_token_for_www_auth (FlatpakOciRegistry *self, ++ const char *repository, + const char *www_authenticate, + const char *auth, + GCancellable *cancellable, +@@ -911,6 +912,7 @@ + g_autoptr(GHashTable) params = NULL; + g_autoptr(GHashTable) args = NULL; + const char *realm, *service, *scope, *token; ++ g_autofree char *default_scope = NULL; + g_autoptr(SoupURI) auth_uri = NULL; + g_autoptr(GBytes) body = NULL; + g_autoptr(JsonNode) json = NULL; +@@ -941,16 +943,21 @@ + service = g_hash_table_lookup (params, "service"); + if (service) + g_hash_table_insert (args, "service", (char *)service); ++ + scope = g_hash_table_lookup (params, "scope"); +- if (scope) +- g_hash_table_insert (args, "scope", (char *)scope); ++ if (scope == NULL) ++ scope = default_scope = g_strdup_printf("repository:%s:pull", repository); ++ g_hash_table_insert (args, "scope", (char *)scope); + + soup_uri_set_query_from_form (auth_uri, args); + + auth_msg = soup_message_new_from_uri ("GET", auth_uri); + +- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); +- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); ++ if (auth) ++ { ++ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth); ++ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth); ++ } + + auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error); + if (auth_stream == NULL) +@@ -1030,7 +1037,7 @@ + return NULL; + } + +- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error); ++ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, 
cancellable, error); + if (token == NULL) + return NULL; + +diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c +--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000 ++++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000 +@@ -428,10 +428,12 @@ + g_autoptr(GError) error = NULL; + g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL; + const char *auth = NULL; ++ gboolean have_auth; + const char *oci_registry_uri = NULL; + gsize n_refs, i; + gboolean no_interaction = FALSE; + g_autoptr(FlatpakOciRegistry) registry = NULL; ++ g_autofree char *first_token = NULL; + GVariantBuilder tokens; + GVariantBuilder results; + g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation)); +@@ -439,6 +441,7 @@ + g_debug ("handling Authenticator.RequestRefTokens"); + + g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth); ++ have_auth = auth != NULL; + + if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri)) + { +@@ -476,18 +479,33 @@ + return error_request (request, sender, error->message); + + +- if (auth == NULL) ++ /* Look up credentials in config files */ ++ if (!have_auth) + { + g_debug ("Looking for %s in auth info", oci_registry_uri); + auth = lookup_auth_from_config (oci_registry_uri); ++ have_auth = auth != NULL; + } + ++ /* Try to see if we can get a token without presenting credentials */ + n_refs = g_variant_n_children (arg_refs); +- if (auth == NULL && n_refs > 0 && ++ if (!have_auth && n_refs > 0) ++ { ++ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); ++ ++ first_token = get_token_for_ref (registry, ref_data, NULL, &error); ++ if (first_token != NULL) ++ have_auth = TRUE; ++ else ++ g_clear_error (&error); ++ } ++ ++ /* Prompt the user for credentials */ ++ n_refs = g_variant_n_children 
(arg_refs); ++ if (!have_auth && n_refs > 0 && + !no_interaction) + { + g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0); +- g_autofree char *token = NULL; + + while (auth == NULL) + { +@@ -498,13 +516,21 @@ + if (test_auth == NULL) + return cancel_request (request, sender); + +- token = get_token_for_ref (registry, ref_data, test_auth, &error); +- if (token != NULL) +- auth = g_steal_pointer (&test_auth); ++ first_token = get_token_for_ref (registry, ref_data, test_auth, &error); ++ if (first_token != NULL) ++ { ++ auth = g_steal_pointer (&test_auth); ++ have_auth = TRUE; ++ } ++ else ++ { ++ g_debug ("Failed to get token: %s", error->message); ++ g_clear_error (&error); ++ } + } + } + +- if (auth == NULL) ++ if (!have_auth) + return error_request (request, sender, "No authentication information available"); + + g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}")); +@@ -515,9 +541,16 @@ + char *for_refs_strv[2] = { NULL, NULL}; + g_autofree char *token = NULL; + +- token = get_token_for_ref (registry, ref_data, auth, &error); +- if (token == NULL) +- return error_request (request, sender, error->message); ++ if (i == 0 && first_token != NULL) ++ { ++ token = g_steal_pointer (&first_token); ++ } ++ else ++ { ++ token = get_token_for_ref (registry, ref_data, auth, &error); ++ if (token == NULL) ++ return error_request (request, sender, error->message); ++ } + + g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]); + g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 7c8be72..666eda9 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec 
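Review bot: In the RequestRefTokens handler of flatpak-oci-authenticator.c, a successful anonymous token for the first ref sets `have_auth = TRUE` while `auth` stays NULL, so the prompt block is skipped and every later ref is fetched with `get_token_for_ref (registry, ref_data, auth, &error)` without credentials. If one request mixes a public first ref with a ref that needs a login, that later call fails and the handler returns `error_request` without ever asking the user. Consider treating the anonymous probe as valid for ref 0 only and falling back to the credential prompt when a later ref fails with `auth == NULL` (unless `no_interaction`), and add a comment above the per-ref loop such as `/* first_token was obtained anonymously; auth may still be NULL for the remaining refs */`. Separately, get_token_for_www_auth attaches the Basic credentials to a request for the `realm` taken from the server's WWW-Authenticate header, and the hunk does not show whether that URL is restricted to https, which is worth confirming. Both functions start and end outside the hunks shown.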
@@ -1,30 +1,31 @@ -%global bubblewrap_version 0.2.1 -%global ostree_version 2018.7 +%global bubblewrap_version 0.4.0 +%global ostree_version 2018.9 Name: flatpak -Version: 1.0.9 +Version: 1.6.2 Release: 2%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1657306 -Patch0: flatpak-1.0.4-oci-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1767007 -Patch1: 0001-oci-Handle-cancellations-for-appstream.patch -Patch2: 0003-update-Fix-OCI-updates-in-the-system-repo.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1814045 +Patch0: flatpak-1.6.2-oci-fixes.patch BuildRequires: pkgconfig(appstream-glib) +BuildRequires: pkgconfig(dconf) +BuildRequires: pkgconfig(fuse) +BuildRequires: pkgconfig(gdk-pixbuf-2.0) BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 BuildRequires: pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(libarchive) >= 2.8.0 +BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libsoup-2.4) +BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libxml-2.0) >= 2.4 BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} BuildRequires: pkgconfig(polkit-gobject-1) -BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(xau) BuildRequires: bison BuildRequires: bubblewrap >= %{bubblewrap_version} 
@@ -37,8 +38,14 @@ BuildRequires: systemd BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xsltproc +%{?systemd_requires} + Requires: bubblewrap >= %{bubblewrap_version} +Requires: librsvg2%{?_isa} Requires: ostree-libs%{?_isa} >= %{ostree_version} +# https://fedoraproject.org/wiki/SELinux/IndependentPolicy +Requires: (flatpak-selinux = %{?epoch:%{epoch}:}%{version}-%{release} if selinux-policy-targeted) +Requires: %{name}-session-helper%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Recommends: p11-kit-server # Make sure the document portal is installed @@ -69,10 +76,44 @@ Summary: Libraries for %{name} License: LGPLv2+ Requires: bubblewrap >= %{bubblewrap_version} Requires: ostree%{?_isa} >= %{ostree_version} +Requires(pre): /usr/sbin/useradd %description libs This package contains libflatpak. +%package selinux +Summary: SELinux policy module for %{name} +License: LGPLv2+ +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +This package contains the SELinux policy module for %{name}. + +%package session-helper +Summary: User D-Bus service used by %{name} and others +License: LGPLv2+ +Conflicts: flatpak < 1.4.1-2 +Requires: systemd + +%description session-helper +This package contains the org.freedesktop.Flatpak user D-Bus service +that's used by %{name} and other packages. + +%package tests +Summary: Tests for %{name} +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-session-helper%{?_isa} = %{version}-%{release} +Requires: bubblewrap >= %{bubblewrap_version} +Requires: ostree%{?_isa} >= %{ostree_version} + +%description tests +This package contains installed tests for %{name}. + %prep %autosetup -p1 
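Review bot: `Requires(pre): /usr/sbin/useradd` is added under `%package libs`, but the scriptlet that calls `groupadd`/`useradd` is the unqualified `%pre` added in the later hunk at -96,11, which belongs to the main package. As written, nothing in the main package's preamble guarantees those tools are installed before its `%pre` runs; the dependency should sit in the main package, or the scriptlet should become `%pre libs` if the account is meant to be owned by libs. That `%pre` also ends in `exit 0`, so a failed `useradd` goes unnoticed. If the system helper relies on the `flatpak` account, as the account comment "User for flatpak system helper" suggests, a spec comment stating what happens when the account is missing would help the next maintainer.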
@@ -80,9 +121,15 @@ This package contains libflatpak. %build (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; - # User namespace support is sufficient. - %configure --with-priv-mode=none \ - --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS) + # Generate consistent IDs between runs to avoid multilib problems. + export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" + %configure \ + --enable-docbook-docs \ + --enable-installed-tests \ + --enable-selinux-module \ + --with-priv-mode=none \ + --with-system-bubblewrap \ + $CONFIGFLAGS) %make_build V=1 @@ -96,11 +143,29 @@ rm -f %{buildroot}%{_libdir}/libflatpak.la %find_lang %{name} +%pre +getent group flatpak >/dev/null || groupadd -r flatpak +getent passwd flatpak >/dev/null || \ + useradd -r -g flatpak -d / -s /sbin/nologin \ + -c "User for flatpak system helper" flatpak +exit 0 + + %post # Create an (empty) system-wide repo. flatpak remote-list --system &> /dev/null || : +%post selinux +%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 + + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 +fi + + %ldconfig_scriptlets libs @@ -113,9 +178,9 @@ flatpak remote-list --system &> /dev/null || : %{_bindir}/flatpak-bisect %{_bindir}/flatpak-coredumpctl %{_datadir}/bash-completion -%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml %{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml -%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service +%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.Authenticator.xml +%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service %{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service %{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service # Co-own directory. 
@@ -125,9 +190,11 @@ flatpak remote-list --system &> /dev/null || : %{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules %{_datadir}/zsh/site-functions %{_libexecdir}/flatpak-dbus-proxy +%{_libexecdir}/flatpak-oci-authenticator %{_libexecdir}/flatpak-portal -%{_libexecdir}/flatpak-session-helper %{_libexecdir}/flatpak-system-helper +%{_libexecdir}/flatpak-validate-icon +%{_libexecdir}/revokefs-fuse %dir %{_localstatedir}/lib/flatpak %{_mandir}/man1/%{name}*.1* %{_mandir}/man5/%{name}-metadata.5* @@ -139,10 +206,9 @@ flatpak remote-list --system &> /dev/null || : %{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/profile.d/flatpak.sh %{_unitdir}/flatpak-system-helper.service +%{_userunitdir}/flatpak-oci-authenticator.service %{_userunitdir}/flatpak-portal.service -%{_userunitdir}/flatpak-session-helper.service -# Co-own directory. -%{_userunitdir}/dbus.service.d +%{_systemd_user_env_generator_dir}/60-flatpak %files devel %{_datadir}/gir-1.0/Flatpak-1.0.gir 
@@ -156,11 +222,43 @@ flatpak remote-list --system &> /dev/null || : %{_libdir}/girepository-1.0/Flatpak-1.0.typelib %{_libdir}/libflatpak.so.* +%files selinux +%{_datadir}/selinux/packages/flatpak.pp.bz2 +%{_datadir}/selinux/devel/include/contrib/flatpak.if + +%files session-helper +%license COPYING +%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml +%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service +%{_libexecdir}/flatpak-session-helper +%{_userunitdir}/flatpak-session-helper.service + +%files tests +%{_datadir}/installed-tests +%{_libexecdir}/installed-tests + %changelog -* Wed Jan 29 2020 Kalev Lember - 1.0.9-2 -- Backport OCI fixes from upstream -- Resolves: #1767007 +* Fri Mar 20 2020 David King - 1.6.2-2 +- Fixes for OCI authenticator (#1814045) + +* Thu Feb 13 2020 David King - 1.6.2-1 +- Rebase to 1.6.2 (#1775339) + +* Thu Jan 23 2020 David King - 1.6.1-1 +- Rebase to 1.6.1 (#1775339) + +* Fri Jan 17 2020 David King - 1.6.0-2 +- Remove broken python3 sed hack (#1775339) + +* Sat Dec 21 2019 David King - 1.6.0-1 +- Rebase to 1.6.0 (#1775339) + +* Fri Nov 08 2019 David King - 1.4.3-2 +- Use %%{?selinux_requires} for proper install ordering + +* Tue Oct 08 2019 David King - 1.4.3-1 +- Rebase to 1.4.3 (#1748276) * Fri Sep 20 2019 Kalev Lember - 1.0.9-1 - Update to 1.0.9 (#1753613)