diff --git a/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch b/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
new file mode 100644
index 0000000..5c49a07
--- /dev/null
+++ b/SOURCES/0001-oci-Handle-cancellations-for-appstream.patch
@@ -0,0 +1,37 @@
+From 3ad6fe680cf3804193c8a4fe4f9f6e8840ef3524 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen
+Date: Wed, 17 Apr 2019 11:40:26 -0400
+Subject: [PATCH 1/3] oci: Handle cancellations for appstream
+
+When an appstream update is cancelled while downloading
+icons, properly fail. Otherwise, the next update attempt
+will see an up-to-date timestamp, think everyhing is ok
+and not download the missing icons.
+
+Closes: https://github.com/flatpak/flatpak/issues/2835
+
+Closes: #2836
+Approved by: alexlarsson
+
+(cherry picked from commit f28e62add1eb508bbfe97aab94743b129d1422ee)
+---
+ common/flatpak-oci-registry.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
+index fe9afbdd..1a6edb76 100644
+--- a/common/flatpak-oci-registry.c
++++ b/common/flatpak-oci-registry.c
+@@ -2473,6 +2473,9 @@ flatpak_oci_index_make_appstream (SoupSession *soup_session,
+ }
+ }
+
++ if (g_cancellable_set_error_if_cancelled (cancellable, error))
++ return NULL;
++
+ if (!flatpak_appstream_xml_root_to_data (appstream_root,
+ &bytes, NULL, error))
+ return NULL;
+--
+2.21.0
+
diff --git a/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch b/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch
new file mode 100644
index 0000000..c91ab00
--- /dev/null
+++ b/SOURCES/0003-update-Fix-OCI-updates-in-the-system-repo.patch
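Review bot: The check added after the icon loop in flatpak_oci_index_make_appstream only turns cancellation into a failure; if the loop, which lies outside the hunk, also swallows other per-icon download errors, as the commit message implies it did for cancellation, a network failure would presumably leave the same state of a fresh timestamp with icons missing. That path is worth confirming against the full function. A short comment above the check would keep the intent visible, for example `/* Fail on cancellation so a partial icon download is not recorded as up to date */`.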
@@ -0,0 +1,73 @@
+From 962a7f560ee0fa08eb30b0536d4ae9659ceaf163 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson
+Date: Wed, 8 May 2019 16:54:55 +0200
+Subject: [PATCH 3/3] update: Fix OCI updates in the system repo
+
+We need to check whether the remote is gpg verified after handling
+the oci case, because OCI is fine to update systemwide without gpg
+verification (in fact it doesn't support verification).
+
+This just reorders the code, matching what is done in the install
+case already.
+
+Closes: #2891
+Approved by: alexlarsson
+
+(cherry picked from commit 4c4c80b85d629bad1a377524b7787200f1c831a0)
+---
+ common/flatpak-dir.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 79fa361d..1fc6a90c 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -8364,22 +8364,6 @@ flatpak_dir_update (FlatpakDir *self,
+ if (no_pull)
+ {
+ }
+- else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify)
+- {
+- /* The remote is not gpg verified, so we don't want to allow installation via
+- a download in the home directory, as there is no way to verify you're not
+- injecting anything into the remote. However, in the case of a remote
+- configured to a local filesystem we can just let the system helper do
+- the installation, as it can then avoid network i/o and be certain the
+- data comes from the right place.
+-
+- If @collection_id is non-%NULL, we can verify the refs in commit
+- metadata, so don’t need to verify the summary. */
+- if (g_str_has_prefix (url, "file:"))
+- helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL;
+- else
+- return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote"));
+- }
+ else if (is_oci)
+ {
+ g_autoptr(FlatpakOciRegistry) registry = NULL;
+@@ -8396,6 +8380,22 @@ flatpak_dir_update (FlatpakDir *self,
+ if (!flatpak_dir_mirror_oci (self, registry, state, ref, NULL, progress, cancellable, error))
+ return FALSE;
+ }
++ else if ((!gpg_verify_summary && state->collection_id == NULL) || !gpg_verify)
++ {
++ /* The remote is not gpg verified, so we don't want to allow installation via
++ a download in the home directory, as there is no way to verify you're not
++ injecting anything into the remote. However, in the case of a remote
++ configured to a local filesystem we can just let the system helper do
++ the installation, as it can then avoid network i/o and be certain the
++ data comes from the right place.
++
++ If @collection_id is non-%NULL, we can verify the refs in commit
++ metadata, so don’t need to verify the summary. */
++ if (g_str_has_prefix (url, "file:"))
++ helper_flags |= FLATPAK_HELPER_DEPLOY_FLAGS_LOCAL_PULL;
++ else
++ return flatpak_fail_error (error, FLATPAK_ERROR_UNTRUSTED, _("Can't pull from untrusted non-gpg verified remote"));
++ }
+ else
+ {
+ /* We're pulling from a remote source, we do the network mirroring pull as a
+--
+2.21.0
+
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 3a689f4..366ee6c 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -4,7 +4,7 @@ Name: flatpak Version: %{flatpak_version} -Release: 8%{?dist} +Release: 9%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+
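Review bot: With the `else if (is_oci)` branch now ahead of the gpg check in flatpak_dir_update, an OCI remote never reaches the FLATPAK_ERROR_UNTRUSTED return, so what keeps an unverified remote out of the system repo on this path is how `is_oci` is derived, which is outside the hunk. It is worth confirming that the value comes from the system remote configuration and not from anything the calling user controls, and that the system helper re-derives it instead of trusting the client. Because the ordering is now load-bearing, the OCI branch should carry a comment such as `/* OCI has no gpg verification; keep this branch ahead of the gpg_verify check, as in the install path */`. flatpak_dir_update starts and ends outside the hunk.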
@@ -21,6 +21,8 @@ Patch0: no-user-systemd.patch Patch1: flatpak-ostree-bundle.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1660137 Patch2: flatpak-1.0.4-oci-fixes.patch +Patch3: 0001-oci-Handle-cancellations-for-appstream.patch +Patch4: 0003-update-Fix-OCI-updates-in-the-system-repo.patch BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(fuse) @@ -132,6 +134,8 @@ This package contains libflatpak. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build @@ -288,6 +292,10 @@ flatpak remote-list --system &> /dev/null || : %changelog +* Wed Jan 29 2020 Kalev Lember - 1.0.9-9 +- Backport OCI fixes from upstream +- Resolves: #1796340 + * Fri Sep 20 2019 Kalev Lember - 1.0.9-8 - Update to 1.0.9 (#1753591)