diff --git a/.flatpak.metadata b/.flatpak.metadata new file mode 100644 index 0000000..abf3c92 --- /dev/null +++ b/.flatpak.metadata @@ -0,0 +1 @@ +d2ebda16446fbd28d78d2f7df5ccb77c34f2874c SOURCES/flatpak-1.0.6.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8b49271 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/flatpak-1.0.6.tar.xz diff --git a/SOURCES/flatpak-1.0.4-oci-fixes.patch b/SOURCES/flatpak-1.0.4-oci-fixes.patch new file mode 100644 index 0000000..663d389 --- /dev/null +++ b/SOURCES/flatpak-1.0.4-oci-fixes.patch @@ -0,0 +1,346 @@ +From 3f5235e925ba6555cd9c639684660356867c952f Mon Sep 17 00:00:00 2001 +From: "Owen W. Taylor" +Date: Fri, 30 Nov 2018 16:11:06 -0500 +Subject: [PATCH 1/3] flatpak_cache_http_uri: save downloaded files with + permission 0644 + +Previously, downloaded files were being saved with 0600 permissions, +which prevented OCI icons downloaded by the system helper at appstream +creation time from being read by users. + +Closes: #2362 +Approved by: matthiasclasen +--- + common/flatpak-utils-http.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c +index 53074162..997c9db8 100644 +--- a/common/flatpak-utils-http.c ++++ b/common/flatpak-utils-http.c +@@ -645,6 +645,9 @@ sync_and_rename_tmpfile (GLnxTmpfile *tmpfile, + if (fdatasync (tmpfile->fd) != 0) + return glnx_throw_errno_prefix (error, "fdatasync"); + ++ if (fchmod (tmpfile->fd, 0644) != 0) ++ return glnx_throw_errno_prefix (error, "fchmod"); ++ + if (!glnx_link_tmpfile_at (tmpfile, + GLNX_LINK_TMPFILE_REPLACE, + tmpfile->src_dfd, dest_name, error)) +-- +2.19.2 + + +From 3263827dbbd4d84919899e91ca066d2d3cf338bc Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Fri, 30 Nov 2018 10:30:20 +0100 +Subject: [PATCH 2/3] OCI: Use system helper to generate summary for OCI + remotes + +The OCI support relies on downloading a json index and converting it +to a ostree-style summary, which we the use in all sorts of operations +in the client code. Currently this happens in the user code, which means +that it will fail (due to permissions) in the system installation case. + +We could do the conversion as the user, but when eventually installing +something the system-helper will anyway do this download and +conversion, so that would only double the work and risk things going out +of sync. Also, the OCI index is not gpg signed, so we can't realy on +downloads done as the user. + +So, the solution done here is to add a GenerateOciSummary +system-helper call which we use instead of directly generating the +oci summary. + +This fixes https://github.com/flatpak/flatpak/issues/2350 + +Closes: #2363 +Approved by: matthiasclasen +--- + common/flatpak-dir-private.h | 5 ++ + common/flatpak-dir.c | 94 +++++++++++++++++++-------- + data/org.freedesktop.Flatpak.xml | 5 ++ + system-helper/flatpak-system-helper.c | 52 ++++++++++++++- + 4 files changed, 129 insertions(+), 27 deletions(-) + +diff --git a/common/flatpak-dir-private.h b/common/flatpak-dir-private.h +index 64a72758..f6126056 100644 +--- a/common/flatpak-dir-private.h ++++ b/common/flatpak-dir-private.h +@@ -718,6 +718,11 @@ FlatpakRemoteState * flatpak_dir_get_remote_state_for_summary (FlatpakDir *sel + GBytes *opt_summary_sig, + GCancellable *cancellable, + GError **error); ++gboolean flatpak_dir_remote_make_oci_summary (FlatpakDir *self, ++ const char *remote, ++ GBytes **out_summary, ++ GCancellable *cancellable, ++ GError **error); + FlatpakRemoteState * flatpak_dir_get_remote_state_optional (FlatpakDir *self, + const char *remote, + GCancellable *cancellable, +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 828945ca..7853b74a 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -1385,6 +1385,22 @@ flatpak_dir_system_helper_call_update_summary (FlatpakDir *self, + return ret != NULL; + } + ++static gboolean ++flatpak_dir_system_helper_call_generate_oci_summary (FlatpakDir *self, ++ const gchar *arg_origin, ++ const gchar *arg_installation, ++ GCancellable *cancellable, ++ GError **error) ++{ ++ g_autoptr(GVariant) ret = ++ flatpak_dir_system_helper_call (self, "GenerateOciSummary", ++ g_variant_new ("(ss)", ++ arg_origin, ++ arg_installation), ++ cancellable, error); ++ return ret != NULL; ++} ++ + static OstreeRepo * + system_ostree_repo_new (GFile *repodir) + { +@@ -9088,7 +9104,7 @@ flatpak_dir_cache_summary (FlatpakDir *self, + G_UNLOCK (cache); + } + +-static gboolean ++gboolean + flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + const char *remote, + GBytes **out_summary, +@@ -9103,42 +9119,68 @@ flatpak_dir_remote_make_oci_summary (FlatpakDir *self, + g_autoptr(GError) local_error = NULL; + g_autoptr(GMappedFile) mfile = NULL; + g_autoptr(GBytes) cache_bytes = NULL; ++ g_autoptr(GBytes) summary_bytes = NULL; + +- self_name = flatpak_dir_get_name (self); +- +- index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); +- if (index_cache == NULL) +- return FALSE; ++ if (flatpak_dir_use_system_helper (self, NULL)) ++ { ++ const char *installation = flatpak_dir_get_id (self); + +- summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); +- if (summary_cache == NULL) +- return FALSE; ++ if (!flatpak_dir_system_helper_call_generate_oci_summary (self, remote, ++ installation ? installation : "", ++ cancellable, error)) ++ return FALSE; + +- if (check_destination_mtime (index_cache, summary_cache, cancellable)) ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ } ++ else + { +- mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, NULL); +- if (mfile) ++ self_name = flatpak_dir_get_name (self); ++ ++ index_cache = flatpak_dir_update_oci_index (self, remote, &index_uri, cancellable, error); ++ if (index_cache == NULL) ++ return FALSE; ++ ++ summary_cache = flatpak_dir_get_oci_summary_location (self, remote, error); ++ if (summary_cache == NULL) ++ return FALSE; ++ ++ if (!check_destination_mtime (index_cache, summary_cache, cancellable)) + { +- cache_bytes = g_mapped_file_get_bytes (mfile); +- *out_summary = g_steal_pointer (&cache_bytes); ++ summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); ++ if (summary == NULL) ++ { ++ g_propagate_error (error, g_steal_pointer (&local_error)); ++ return FALSE; ++ } ++ ++ summary_bytes = g_variant_get_data_as_bytes (summary); ++ ++ if (!g_file_replace_contents (summary_cache, ++ g_bytes_get_data (summary_bytes, NULL), ++ g_bytes_get_size (summary_bytes), ++ NULL, FALSE, 0, NULL, cancellable, error)) ++ { ++ g_prefix_error (error, _("Failed to write summary cache: ")); ++ return FALSE; ++ } ++ ++ if (out_summary) ++ *out_summary = g_steal_pointer (&summary_bytes); + return TRUE; + } + } + +- summary = flatpak_oci_index_make_summary (index_cache, index_uri, cancellable, &local_error); +- if (summary == NULL) ++ if (out_summary) + { +- g_propagate_error (error, g_steal_pointer (&local_error)); +- return FALSE; +- } +- +- *out_summary = g_variant_get_data_as_bytes (summary); ++ mfile = g_mapped_file_new (flatpak_file_get_path_cached (summary_cache), FALSE, error); ++ if (mfile == NULL) ++ return FALSE; + +- if (!g_file_replace_contents (summary_cache, +- g_bytes_get_data (*out_summary, NULL), +- g_bytes_get_size (*out_summary), +- NULL, FALSE, 0, NULL, cancellable, NULL)) +- g_warning ("Failed to write summary cache"); ++ cache_bytes = g_mapped_file_get_bytes (mfile); ++ *out_summary = g_steal_pointer (&cache_bytes); ++ } + + return TRUE; + } +diff --git a/data/org.freedesktop.Flatpak.xml b/data/org.freedesktop.Flatpak.xml +index 25dc8a02..8b1606c6 100644 +--- a/data/org.freedesktop.Flatpak.xml ++++ b/data/org.freedesktop.Flatpak.xml +@@ -144,6 +144,11 @@ + + + ++ ++ ++ ++ ++ + + + +diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c +index ce647b6e..29a2d3e1 100644 +--- a/system-helper/flatpak-system-helper.c ++++ b/system-helper/flatpak-system-helper.c +@@ -1122,6 +1122,54 @@ handle_update_summary (FlatpakSystemHelper *object, + return TRUE; + } + ++static gboolean ++handle_generate_oci_summary (FlatpakSystemHelper *object, ++ GDBusMethodInvocation *invocation, ++ const gchar *arg_origin, ++ const gchar *arg_installation) ++{ ++ g_autoptr(FlatpakDir) system = NULL; ++ g_autoptr(GError) error = NULL; ++ gboolean is_oci; ++ ++ g_debug ("GenerateOciSummary %s %s", arg_origin, arg_installation); ++ ++ system = dir_get_system (arg_installation, &error); ++ if (system == NULL) ++ { ++ g_dbus_method_invocation_return_gerror (invocation, error); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_ensure_repo (system, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Can't open system repo %s", error->message); ++ return TRUE; ++ } ++ ++ is_oci = flatpak_dir_get_remote_oci (system, arg_origin); ++ if (!is_oci) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, ++ "%s is not a OCI remote", arg_origin); ++ return TRUE; ++ } ++ ++ if (!flatpak_dir_remote_make_oci_summary (system, arg_origin, NULL, NULL, &error)) ++ { ++ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, ++ "Failed to update OCI summary: %s", error->message); ++ return TRUE; ++ } ++ ++ ++ flatpak_system_helper_complete_generate_oci_summary (object, invocation); ++ ++ return TRUE; ++} ++ ++ + static gboolean + flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + GDBusMethodInvocation *invocation, +@@ -1250,7 +1298,8 @@ flatpak_authorize_method_handler (GDBusInterfaceSkeleton *interface, + g_strcmp0 (method_name, "PruneLocalRepo") == 0 || + g_strcmp0 (method_name, "EnsureRepo") == 0 || + g_strcmp0 (method_name, "RunTriggers") == 0 || +- g_strcmp0 (method_name, "UpdateSummary") == 0) ++ g_strcmp0 (method_name, "UpdateSummary") == 0 || ++ g_strcmp0 (method_name, "GenerateOciSummary") == 0) + { + const char *remote; + +@@ -1321,6 +1370,7 @@ on_bus_acquired (GDBusConnection *connection, + g_signal_connect (helper, "handle-ensure-repo", G_CALLBACK (handle_ensure_repo), NULL); + g_signal_connect (helper, "handle-run-triggers", G_CALLBACK (handle_run_triggers), NULL); + g_signal_connect (helper, "handle-update-summary", G_CALLBACK (handle_update_summary), NULL); ++ g_signal_connect (helper, "handle-generate-oci-summary", G_CALLBACK (handle_generate_oci_summary), NULL); + + g_signal_connect (helper, "g-authorize-method", + G_CALLBACK (flatpak_authorize_method_handler), +-- +2.19.2 + + +From b7f1d5118fc4e1df472f7108472f122e279fe2b9 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Fri, 7 Dec 2018 14:39:06 -0500 +Subject: [PATCH 3/3] Fix oci pull progress reporting + +Comparing the code in flatpak-utils.c:progress_cb, +we need to set bytes-transferred for the total amount +of data that has been transferred so far. The value +we were setting so far, fetched-delta-part-size, refers +to the size of the objects we already have locally, and +is subtracted from the total, which explains oci progress +running backwards. + +Closes: #2392 + +Closes: #2400 +Approved by: matthiasclasen +--- + common/flatpak-dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 7853b74a..51cd1e66 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -4154,7 +4154,7 @@ oci_pull_progress_cb (guint64 total_size, guint64 pulled_size, + "total-delta-parts", "u", n_layers, + "fetched-delta-fallbacks", "u", 0, + "total-delta-fallbacks", "u", 0, +- "fetched-delta-part-size", "t", pulled_size, ++ "bytes-transferred", "t", pulled_size, + "total-delta-part-size", "t", total_size, + "total-delta-part-usize", "t", total_size, + "total-delta-superblocks", "u", 0, +-- +2.19.2 + diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch new file mode 100644 index 0000000..a713027 --- /dev/null +++ b/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch @@ -0,0 +1,29 @@ +From 77f076712949c13b9bcecc02d043cbd6de6e291e Mon Sep 17 00:00:00 2001 +From: Ryan Gonzalez +Date: Mon, 25 Mar 2019 13:00:15 -0500 +Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI + +Closes #2782. + +Closes: #2783 +Approved by: alexlarsson +--- + common/flatpak-run.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 90b435fe..d1acd9f2 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2147,7 +2147,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ +- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)}, ++ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, + }; + + struct +-- +2.21.0 + diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch new file mode 100644 index 0000000..65bed56 --- /dev/null +++ b/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch @@ -0,0 +1,65 @@ +From 9cb5f1e465cf5a3e643caf7159e89530ae867be2 Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Sun, 10 Feb 2019 18:23:44 +0100 +Subject: [PATCH] Don't expose /proc when running apply_extra + +As shown by CVE-2019-5736, it is sometimes possible for the sandbox +app to access outside files using /proc/self/exe. This is not +typically an issue for flatpak as the sandbox runs as the user which +has no permissions to e.g. modify the host files. + +However, when installing apps using extra-data into the system repo +we *do* actually run a sandbox as root. So, in this case we disable mounting +/proc in the sandbox, which will neuter attacks like this. + +(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4) +--- + common/flatpak-common-types-private.h | 1 + + common/flatpak-dir.c | 2 +- + common/flatpak-run.c | 6 +++++- + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h +index e361777e1..b8f76b9c4 100644 +--- a/common/flatpak-common-types-private.h ++++ b/common/flatpak-common-types-private.h +@@ -45,6 +45,7 @@ typedef enum { + FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15), + FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16), + FLATPAK_RUN_FLAG_CANBUS = (1 << 17), ++ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), + } FlatpakRunFlags; + + typedef struct FlatpakDir FlatpakDir; +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 0809a42be..7d44cfb4f 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -6507,7 +6507,7 @@ apply_extra_data (FlatpakDir *self, + NULL); + + if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2], +- FLATPAK_RUN_FLAG_NO_SESSION_HELPER, ++ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC, + error)) + return FALSE; + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index e8e55262e..ab167c00d 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2373,9 +2373,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap, + "# Disable user pkcs11 config, because the host modules don't work in the runtime\n" + "user-config: none\n"; + ++ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0) ++ flatpak_bwrap_add_args (bwrap, ++ "--proc", "/proc", ++ NULL); ++ + flatpak_bwrap_add_args (bwrap, + "--unshare-pid", +- "--proc", "/proc", + "--dir", "/tmp", + "--dir", "/var/tmp", + "--dir", "/run/host", diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec new file mode 100644 index 0000000..eabf799 --- /dev/null +++ b/SPECS/flatpak.spec @@ -0,0 +1,380 @@ +%global bubblewrap_version 0.2.1 +%global ostree_version 2018.7 + +Name: flatpak +Version: 1.0.6 +Release: 4%{?dist} +Summary: Application deployment framework for desktop apps + +License: LGPLv2+ +URL: http://flatpak.org/ +Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1657306 +Patch0: flatpak-1.0.4-oci-fixes.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1675776 +Patch1: flatpak-1.0.6-CVE-2019-5736.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1700654 +Patch2: flatpak-1.0.6-CVE-2019-10063.patch + +BuildRequires: pkgconfig(appstream-glib) +BuildRequires: pkgconfig(gio-unix-2.0) +BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 +BuildRequires: pkgconfig(json-glib-1.0) +BuildRequires: pkgconfig(libarchive) >= 2.8.0 +BuildRequires: pkgconfig(libsoup-2.4) +BuildRequires: pkgconfig(libxml-2.0) >= 2.4 +BuildRequires: pkgconfig(ostree-1) >= %{ostree_version} +BuildRequires: pkgconfig(polkit-gobject-1) +BuildRequires: pkgconfig(libseccomp) +BuildRequires: pkgconfig(xau) +BuildRequires: bison +BuildRequires: bubblewrap >= %{bubblewrap_version} +BuildRequires: docbook-dtds +BuildRequires: docbook-style-xsl +BuildRequires: gettext +BuildRequires: gpgme-devel +BuildRequires: libcap-devel +BuildRequires: systemd +BuildRequires: /usr/bin/xmlto +BuildRequires: /usr/bin/xsltproc + +Requires: bubblewrap >= %{bubblewrap_version} +Requires: ostree-libs%{?_isa} >= %{ostree_version} +Recommends: p11-kit-server + +# Make sure the document portal is installed +%if 0%{?fedora} || 0%{?rhel} > 7 +Recommends: xdg-desktop-portal > 0.10 +# Remove in F30. +Conflicts: xdg-desktop-portal < 0.10 +%else +Requires: xdg-desktop-portal > 0.10 +%endif + +%description +flatpak is a system for building, distributing and running sandboxed desktop +applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for +more information. + +%package devel +Summary: Development files for %{name} +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains the pkg-config file and development headers for %{name}. + +%package libs +Summary: Libraries for %{name} +License: LGPLv2+ +Requires: bubblewrap >= %{bubblewrap_version} +Requires: ostree%{?_isa} >= %{ostree_version} + +%description libs +This package contains libflatpak. + + +%prep +%autosetup -p1 + + +%build +(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; + # User namespace support is sufficient. + %configure --with-priv-mode=none \ + --with-system-bubblewrap --enable-docbook-docs $CONFIGFLAGS) +%make_build V=1 + + +%install +%make_install +install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir} +# The system repo is not installed by the flatpak build system. +install -d %{buildroot}%{_localstatedir}/lib/flatpak +install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d +rm -f %{buildroot}%{_libdir}/libflatpak.la +%find_lang %{name} + + +%post +# Create an (empty) system-wide repo. +flatpak remote-list --system &> /dev/null || : + + +%ldconfig_scriptlets libs + + +%files -f %{name}.lang +%license COPYING +# Comply with the packaging guidelines about not mixing relative and absolute +# paths in doc. +%doc %{_pkgdocdir} +%{_bindir}/flatpak +%{_bindir}/flatpak-bisect +%{_bindir}/flatpak-coredumpctl +%{_datadir}/bash-completion +%{_datadir}/dbus-1/interfaces/org.freedesktop.Flatpak.xml +%{_datadir}/dbus-1/interfaces/org.freedesktop.portal.Flatpak.xml +%{_datadir}/dbus-1/services/org.freedesktop.Flatpak.service +%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service +%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service +# Co-own directory. +%{_datadir}/gdm/env.d +%{_datadir}/%{name} +%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy +%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules +%{_datadir}/zsh/site-functions +%{_libexecdir}/flatpak-dbus-proxy +%{_libexecdir}/flatpak-portal +%{_libexecdir}/flatpak-session-helper +%{_libexecdir}/flatpak-system-helper +%dir %{_localstatedir}/lib/flatpak +%{_mandir}/man1/%{name}*.1* +%{_mandir}/man5/%{name}-metadata.5* +%{_mandir}/man5/flatpak-flatpakref.5* +%{_mandir}/man5/flatpak-flatpakrepo.5* +%{_mandir}/man5/flatpak-installation.5* +%{_mandir}/man5/flatpak-remote.5* +%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf +%{_sysconfdir}/flatpak/remotes.d +%{_sysconfdir}/profile.d/flatpak.sh +%{_unitdir}/flatpak-system-helper.service +%{_userunitdir}/flatpak-portal.service +%{_userunitdir}/flatpak-session-helper.service +# Co-own directory. +%{_userunitdir}/dbus.service.d + +%files devel +%{_datadir}/gir-1.0/Flatpak-1.0.gir +%{_datadir}/gtk-doc/ +%{_includedir}/%{name}/ +%{_libdir}/libflatpak.so +%{_libdir}/pkgconfig/%{name}.pc + +%files libs +%license COPYING +%{_libdir}/girepository-1.0/Flatpak-1.0.typelib +%{_libdir}/libflatpak.so.* + + +%changelog +* Tue May 14 2019 David King - 1.0.6-4 +- Bump release (#1700654) + +* Mon Apr 29 2019 David King - 1.0.6-3 +- Fix IOCSTI sandbox bypass (#1700654) + +* Wed Feb 13 2019 David King - 1.0.6-2 +- Do not mount /proc in root sandbox (#1675776) + +* Tue Dec 18 2018 Kalev Lember - 1.0.6-1 +- Update to 1.0.6 (#1630249) +- Recommend p11-kit-server instead of just p11-kit (#1649049) + +* Mon Dec 10 2018 David King - 1.0.4-2 +- Backport patches to improve OCI support (#1657306) + +* Fri Oct 12 2018 Kalev Lember - 1.0.4-1 +- Update to 1.0.4 (#1630249) + +* Thu Sep 13 2018 Kalev Lember - 1.0.2-1 +- Update to 1.0.2 (#1630249) + +* Tue Aug 28 2018 David King - 1.0.1-1 +- Update to 1.0.1 (#1621401) + +* Wed Aug 01 2018 David King - 0.99.3-1 +- Update to 0.99.3 + +* Wed May 23 2018 Adam Jackson - 0.11.7-2 +- Remove Requires: kernel >= 4.0.4-202, which corresponds to rawhide + somewhere before Fedora 22 which this spec file certainly no longer + supports. + +* Thu May 03 2018 Kalev Lember - 0.11.7-1 +- Update to 0.11.7 + +* Wed May 02 2018 Kalev Lember - 0.11.6-1 +- Update to 0.11.6 + +* Wed May 02 2018 Kalev Lember - 0.11.5-2 +- Backport a fix for a gnome-software crash installing .flatpakref files + +* Mon Apr 30 2018 David King - 0.11.5-1 +- Update to 0.11.5 + +* Thu Apr 26 2018 Kalev Lember - 0.11.4-1 +- Update to 0.11.4 + +* Mon Feb 19 2018 David King - 0.11.3-1 +- Update to 0.11.3 + +* Mon Feb 19 2018 David King - 0.11.2-1 +- Update to 0.11.2 + +* Wed Feb 14 2018 David King - 0.11.1-1 +- Update to 0.11.1 (#1545224) + +* Wed Feb 07 2018 Fedora Release Engineering - 0.10.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Feb 02 2018 Igor Gnatenko - 0.10.3-2 +- Switch to %%ldconfig_scriptlets + +* Tue Jan 30 2018 Kalev Lember - 0.10.3-1 +- Update to 0.10.3 + +* Thu Dec 21 2017 David King - 0.10.2.1-1 +- Update to 0.10.2.1 + +* Fri Dec 15 2017 Kalev Lember - 0.10.2-1 +- Update to 0.10.2 + +* Fri Nov 24 2017 David King - 0.10.1-1 +- Update to 0.10.1 + +* Thu Oct 26 2017 Kalev Lember - 0.10.0-1 +- Update to 0.10.0 + +* Mon Oct 09 2017 Kalev Lember - 0.9.99-1 +- Update to 0.9.99 + +* Tue Sep 26 2017 Kalev Lember - 0.9.98.2-1 +- Update to 0.9.98.2 + +* Tue Sep 26 2017 Kalev Lember - 0.9.98.1-1 +- Update to 0.9.98.1 + +* Mon Sep 25 2017 Kalev Lember - 0.9.98-1 +- Update to 0.9.98 + +* Thu Sep 14 2017 Kalev Lember - 0.9.12-1 +- Update to 0.9.12 + +* Wed Sep 13 2017 Kalev Lember - 0.9.11-1 +- Update to 0.9.11 + +* Mon Sep 04 2017 Kalev Lember - 0.9.10-1 +- Update to 0.9.10 +- Split out flatpak-builder to a separate source package + +* Fri Aug 25 2017 Kalev Lember - 0.9.8-2 +- Backport a patch to fix regression in --devel + +* Mon Aug 21 2017 David King - 0.9.8-1 +- Update to 0.9.8 + +* Wed Aug 02 2017 Fedora Release Engineering - 0.9.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Sun Jul 30 2017 Florian Weimer - 0.9.7-4 +- Rebuild with binutils fix for ppc64le (#1475636) + +* Thu Jul 27 2017 Owen Taylor - 0.9.7-3 +- Add a patch to fix OCI refname annotation + +* Wed Jul 26 2017 Fedora Release Engineering - 0.9.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 01 2017 David King - 0.9.7-1 +- Update to 0.9.7 (#1466970) + +* Tue Jun 20 2017 David King - 0.9.6-1 +- Update to 0.9.6 + +* Sat Jun 10 2017 David King - 0.9.5-1 +- Update to 0.9.5 (#1460437) + +* Tue May 23 2017 David King - 0.9.4-1 +- Update to 0.9.4 (#1454750) + +* Mon Apr 24 2017 David King - 0.9.3-1 +- Update to 0.9.3 + +* Fri Apr 07 2017 David King - 0.9.2-2 +- Add eu-strip dependency for flatpak-builder + +* Wed Apr 05 2017 Kalev Lember - 0.9.2-1 +- Update to 0.9.2 + +* Wed Mar 15 2017 Kalev Lember - 0.9.1-1 +- Update to 0.9.1 + +* Fri Mar 10 2017 Kalev Lember - 0.8.4-1 +- Update to 0.8.4 + +* Sun Feb 19 2017 David King - 0.8.3-3 +- Make flatpak-builder require bzip2 (#1424857) + +* Wed Feb 15 2017 Kalev Lember - 0.8.3-2 +- Avoid pulling in all of ostree and only depend on ostree-libs subpackage + +* Tue Feb 14 2017 Kalev Lember - 0.8.3-1 +- Update to 0.8.3 + +* Fri Feb 10 2017 Fedora Release Engineering - 0.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 27 2017 Kalev Lember - 0.8.2-1 +- Update to 0.8.2 + +* Wed Jan 18 2017 David King - 0.8.1-1 +- Update to 0.8.1 + +* Tue Dec 20 2016 Kalev Lember - 0.8.0-1 +- Update to 0.8.0 + +* Tue Nov 29 2016 David King - 0.6.14-2 +- Add a patch to fix a GNOME Software crash +- Silence repository listing during post + +* Tue Nov 29 2016 Kalev Lember - 0.6.14-1 +- Update to 0.6.14 + +* Wed Oct 26 2016 David King - 0.6.13-2 +- Add empty /etc/flatpak/remotes.d + +* Tue Oct 25 2016 David King - 0.6.13-1 +- Update to 0.6.13 + +* Thu Oct 06 2016 David King - 0.6.12-1 +- Update to 0.6.12 + +* Tue Sep 20 2016 Kalev Lember - 0.6.11-1 +- Update to 0.6.11 +- Set minimum ostree and bubblewrap versions + +* Mon Sep 12 2016 David King - 0.6.10-1 +- Update to 0.6.10 + +* Tue Sep 06 2016 David King - 0.6.9-2 +- Look for bwrap in PATH + +* Thu Aug 25 2016 David King - 0.6.9-1 +- Update to 0.6.9 + +* Mon Aug 01 2016 David King - 0.6.8-1 +- Update to 0.6.8 (#1361823) + +* Thu Jul 21 2016 David King - 0.6.7-2 +- Use system bubblewrap + +* Fri Jul 01 2016 David King - 0.6.7-1 +- Update to 0.6.7 + +* Thu Jun 23 2016 David King - 0.6.6-1 +- Update to 0.6.6 + +* Fri Jun 10 2016 David King - 0.6.5-1 +- Update to 0.6.5 + +* Wed Jun 01 2016 David King - 0.6.4-1 +- Update to 0.6.4 + +* Tue May 31 2016 David King - 0.6.3-1 +- Update to 0.6.3 +- Move bwrap to main package + +* Tue May 24 2016 David King - 0.6.2-1 +- Rename from xdg-app to flatpak (#1337434)