Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qubesome for openSUSE:Factory checked in at 2025-11-06 18:12:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qubesome (Old) and /work/SRC/openSUSE:Factory/.qubesome.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qubesome" Thu Nov 6 18:12:59 2025 rev:10 rq:1315733 version:0.0.15 Changes: -------- --- /work/SRC/openSUSE:Factory/qubesome/qubesome.changes 2025-10-06 18:08:00.078951635 +0200 +++ /work/SRC/openSUSE:Factory/.qubesome.new.1980/qubesome.changes 2025-11-06 18:14:24.414468894 +0100 
@@ -1,0 +2,19 @@ +Wed Nov 05 09:33:50 UTC 2025 - Paulo Gomes <[email protected]> + +- Update to version 0.0.15: + * Enforce soft failure when mtls data not available The mtls data storage is largely a convenience feature which enables things such as mime handling. This change ensures that a profile can still be started regardless of it. + * Disable SELinux for profile and workloads In order for qubesome to work in environments where SELinux is enabled and enforced the container execution needs to opt-out from SELinux. + * build(deps): bump github.com/cyphar/filepath-securejoin + * build(deps): bump the github-actions-updates group with 4 updates + * build(deps): bump github.com/urfave/cli/v3 from 3.4.1 to 3.5.0 + * build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 + * build(deps): bump the golang-org group with 2 updates + +------------------------------------------------------------------- +Wed Nov 05 09:28:30 UTC 2025 - Paulo Gomes <[email protected]> + +- Update to version 0.0.14: + * run: Add support for X11/Wayland and NoGPU specific args This provides an easier way to customise a given workload so that it will work effectively regardless of running it on Wayland or X11. It will also avoid issues when no GPU is available. + * build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10 + +------------------------------------------------------------------- Old: ---- qubesome-0.0.13.tar.gz New: ---- qubesome-0.0.15.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qubesome.spec ++++++ --- /var/tmp/diff_new_pack.VTep8K/_old 2025-11-06 18:14:25.142499608 +0100 +++ /var/tmp/diff_new_pack.VTep8K/_new 2025-11-06 18:14:25.142499608 +0100 
@@ -17,7 +17,7 @@ Name: qubesome -Version: 0.0.13 +Version: 0.0.15 Release: 0 Summary: Containerize Window Managers, apps and config from a declarative state in Git License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.VTep8K/_old 2025-11-06 18:14:25.190501633 +0100 +++ /var/tmp/diff_new_pack.VTep8K/_new 2025-11-06 18:14:25.194501802 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/qubesome/cli.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.0.13</param> + <param name="revision">v0.0.15</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="match-tag">v*</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.VTep8K/_old 2025-11-06 18:14:25.246503996 +0100 +++ /var/tmp/diff_new_pack.VTep8K/_new 2025-11-06 18:14:25.254504334 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/qubesome/cli.git</param> - <param name="changesrevision">67a4cbcb3abe3fb3c441f18b4ac23ad470089ee7</param></service></servicedata> + <param name="changesrevision">934455fbc63211650bbada1523e53708e8623807</param></service></servicedata> (No newline at EOF) ++++++ qubesome-0.0.13.tar.gz -> qubesome-0.0.15.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/go.mod new/qubesome-0.0.15/go.mod --- old/qubesome-0.0.13/go.mod 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/go.mod 2025-11-03 23:31:15.000000000 +0100 
@@ -3,16 +3,16 @@ go 1.24.0 require ( - github.com/cyphar/filepath-securejoin v0.5.0 + github.com/cyphar/filepath-securejoin v0.6.0 github.com/go-git/go-git/v6 v6.0.0-20250628104446-20c25df268c3 github.com/google/uuid v1.6.0 github.com/stretchr/testify v1.11.1 - github.com/urfave/cli/v3 v3.4.1 + github.com/urfave/cli/v3 v3.5.0 github.com/zalando/go-keyring v0.2.6 - golang.org/x/sys v0.36.0 - golang.org/x/term v0.35.0 - google.golang.org/grpc v1.75.1 - google.golang.org/protobuf v1.36.9 + golang.org/x/sys v0.37.0 + golang.org/x/term v0.36.0 + google.golang.org/grpc v1.76.0 + google.golang.org/protobuf v1.36.10 gopkg.in/yaml.v3 v3.0.1 ) @@ -33,9 +33,9 @@ github.com/pjbgf/sha1cd v0.3.2 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/sergi/go-diff v1.4.0 // indirect - golang.org/x/crypto v0.39.0 // indirect + golang.org/x/crypto v0.40.0 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect - golang.org/x/net v0.41.0 // indirect - golang.org/x/text v0.26.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect + golang.org/x/net v0.42.0 // indirect + golang.org/x/text v0.27.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/go.sum new/qubesome-0.0.15/go.sum --- old/qubesome-0.0.13/go.sum 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/go.sum 2025-11-03 23:31:15.000000000 +0100 
@@ -12,8 +12,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= -github.com/cyphar/filepath-securejoin v0.5.0 h1:hIAhkRBMQ8nIeuVwcAoymp7MY4oherZdAxD+m0u9zaw= -github.com/cyphar/filepath-securejoin v0.5.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is= +github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0= github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -74,8 +74,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/urfave/cli/v3 v3.4.1 h1:1M9UOCy5bLmGnuu1yn3t3CB4rG79Rtoxuv1sPhnm6qM= -github.com/urfave/cli/v3 v3.4.1/go.mod h1:FJSKtM/9AiiTOJL4fJ6TbMUkxBXn7GO9guZqoZtpYpo= +github.com/urfave/cli/v3 v3.5.0 h1:qCuFMmdayTF3zmjG8TSsoBzrDqszNrklYg2x3g4MSgw= +github.com/urfave/cli/v3 v3.5.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s= github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= 
@@ -90,26 +90,26 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= -golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= -golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= +golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= -golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= -golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= -golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= -golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs= +golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= 
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= -google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= -google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= -google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw= -google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/internal/profiles/profiles.go new/qubesome-0.0.15/internal/profiles/profiles.go --- 
old/qubesome-0.0.13/internal/profiles/profiles.go 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/internal/profiles/profiles.go 2025-11-03 23:31:15.000000000 +0100 @@ -557,7 +557,8 @@ "-e", "Q_MTLS_CERT", "-e", "Q_MTLS_KEY", "--device", "/dev/dri", - "--security-opt=no-new-privileges:true", + "--security-opt=no-new-privileges=true", + "--security-opt=label=disable", "--cap-drop=ALL", } @@ -687,7 +688,7 @@ err = storeMtlsData(profile.Name, string(ca), string(cert), string(key)) if err != nil { - return err + slog.Error("failed storing mtls data", "error", err) } output, err := cmd.CombinedOutput() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/internal/qubesome/run.go new/qubesome-0.0.15/internal/qubesome/run.go --- old/qubesome-0.0.13/internal/qubesome/run.go 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/internal/qubesome/run.go 2025-11-03 23:31:15.000000000 +0100 @@ -184,6 +184,16 @@ slog.Debug("unknown objects mismatch", "w", w, "ew", ew) } + if strings.EqualFold(os.Getenv("XDG_SESSION_TYPE"), "wayland") { + ew.Workload.Args = append(ew.Workload.Args, ew.Workload.WaylandArgs...) + } else { + ew.Workload.Args = append(ew.Workload.Args, ew.Workload.X11Args...) + } + + if len(ew.Workload.HostAccess.Gpus) == 0 { + ew.Workload.Args = append(ew.Workload.Args, ew.Workload.NoGPUArgs...) + } + ew.Workload.Args = append(ew.Workload.Args, in.Args...) if runnerOverride != "" { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/internal/runners/docker/run.go new/qubesome-0.0.15/internal/runners/docker/run.go --- old/qubesome-0.0.13/internal/runners/docker/run.go 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/internal/runners/docker/run.go 2025-11-03 23:31:15.000000000 +0100 @@ -60,6 +60,7 @@ "--rm", "-d", "--security-opt=seccomp=unconfined", + "--security-opt=label=disable", "--security-opt=no-new-privileges=true", } 
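Review bot: `--security-opt=label=disable` is added unconditionally in the profile args, so the container loses SELinux separation on every host, not only on those where enforcing mode caused the failure. The same flag is added in the docker/run.go hunk at -60 and the podman/run.go hunk at -61, where it sits next to `--security-opt=seccomp=unconfined`, leaving workloads with neither seccomp filtering nor SELinux confinement. Consider gating it behind a profile or workload setting, or adding it only when SELinux is detected as enforcing, and check whether `:z`/`:Z` volume relabeling would cover the denied accesses. A comment naming what SELinux blocks would let a later reader judge whether the opt-out can be narrowed. The args slice begins outside the hunk.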
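Review bot: Continuing after `storeMtlsData` fails may leave credentials from an earlier start of the same profile in the keyring, assuming the store does not clear existing entries first (its body is not in this hunk). In that case `mtlsData` in docker/run.go would hand workloads a CA, cert and key that no longer match the ones passed to this profile start, and mime handling would fail with a TLS error instead of being skipped. Consider removing the profile's mTLS entries on this path, and name the profile in the log line: `slog.Error("failed storing mtls data", "profile", profile.Name, "error", err)`. Since this is now an expected soft failure, `slog.Warn` may be the better level.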
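Review bot: The `else` branch in the run.go hunk at -184 appends `X11Args` for every `XDG_SESSION_TYPE` value other than `wayland`, including unset and `tty`, so a workload started from a console or service context silently gets X11-only flags. Matching `x11` explicitly and appending neither set otherwise would be more predictable, e.g. `switch strings.ToLower(os.Getenv("XDG_SESSION_TYPE")) { case "wayland": … case "x11": … }`; if the X11 default is intentional, say so in a comment. A comment stating the resulting order (`Args`, session args, `NoGPUArgs`, then `in.Args`) would also help, since later flags may override earlier ones depending on the workload's own parser. The enclosing function starts and ends outside the hunk.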
@@ -271,27 +272,16 @@ // Since the implementation of mTLS, workloads granted mime handling // need the mTLS creds so that they can communicate with the inception // server. - ks := keyring.New(ew.Profile.Name, backend.New()) - ca, err := ks.Get(keyring.MtlsCA) - if err != nil { - return err - } - cert, err := ks.Get(keyring.MtlsClientCert) - if err != nil { - return err - } + if ca, cert, key, ok := mtlsData(ew.Profile.Name); ok { + slog.Debug("mime access: enabled") - key, err := ks.Get(keyring.MtlsClientKey) - if err != nil { - return err + cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca) + cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert) + cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key) + } else { + slog.Debug("mime access: skipped") } - - slog.Debug("enabling mime access") - - cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca) - cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert) - cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key) } cmd.Stderr = os.Stderr 
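Review bot: The client private key is still passed as `"Q_MTLS_KEY="+key` in `cmd.Env`, which places it in the environment of the spawned runner process and, if it is forwarded with `-e Q_MTLS_KEY` as in profiles.go, in the container's configuration where other same-user processes and `docker inspect` can read it. This predates the commit, but while the block is being reshaped it would be worth handing the key over through a file on a tmpfs mount with restrictive permissions instead. Separately, the comment above the block still says workloads "need" the credentials although the new code starts them without; reword it to say mime handling is skipped when the keyring holds no mTLS data. The enclosing `if` begins outside the hunk.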
@@ -301,6 +291,29 @@ return cmd.Run() } +func mtlsData(name string) (string, string, string, bool) { + ks := keyring.New(name, backend.New()) + ca, err := ks.Get(keyring.MtlsCA) + if err != nil { + slog.Error("failed to fetch mtls-ca", "error", err) + return "", "", "", false + } + + cert, err := ks.Get(keyring.MtlsClientCert) + if err != nil { + slog.Error("failed to fetch mtls-client-cert", "error", err) + return "", "", "", false + } + + key, err := ks.Get(keyring.MtlsClientKey) + if err != nil { + slog.Error("failed to fetch mtls-client-key", "error", err) + return "", "", "", false + } + + return ca, cert, key, true +} + func getHomeDir(image string) (string, error) { args := []string{"run", "--rm", image, "ls", "/home"} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/internal/runners/podman/run.go new/qubesome-0.0.15/internal/runners/podman/run.go --- old/qubesome-0.0.13/internal/runners/podman/run.go 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/internal/runners/podman/run.go 2025-11-03 23:31:15.000000000 +0100 @@ -61,6 +61,7 @@ "-d", "--security-opt=seccomp=unconfined", "--security-opt=no-new-privileges=true", + "--security-opt=label=disable", "--group-add=keep-groups", } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/qubesome-0.0.13/internal/types/workload.go new/qubesome-0.0.15/internal/types/workload.go --- old/qubesome-0.0.13/internal/types/workload.go 2025-10-05 23:10:31.000000000 +0200 +++ new/qubesome-0.0.15/internal/types/workload.go 2025-11-03 23:31:15.000000000 +0100 
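Review bot: `mtlsData` has no doc comment and returns three same-typed strings positionally, so a caller that swaps cert and key still compiles. Add `// mtlsData returns the CA, client certificate and client key stored in the keyring for the named profile; ok is false if any of them cannot be read.` and consider named results `(ca, cert, key string, ok bool)`. The three `slog.Error` calls do not say which profile was queried; adding `"profile", name` makes the soft failure traceable when several profiles run. Every keyring error is treated the same way, so an unavailable keyring backend cannot be told apart from data that was never stored.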
@@ -10,10 +10,17 @@ ) type Workload struct { - Name string `yaml:"name"` - Image string `yaml:"image"` - Command string `yaml:"command"` - Args []string `yaml:"args"` + Name string `yaml:"name"` + Image string `yaml:"image"` + Command string `yaml:"command"` + // Args defines X11-specific arguments. + Args []string `yaml:"args"` + // X11Args defines X11-specific arguments. + X11Args []string `yaml:"x11Args"` + // WaylandArgs defines Wayland-specific arguments. + WaylandArgs []string `yaml:"waylandArgs"` + // NoGPUArgs defines arguments to be used when no GPU is available. + NoGPUArgs []string `yaml:"noGpuArgs"` SingleInstance bool `yaml:"singleInstance"` HostAccess HostAccess `yaml:"hostAccess"` MimeApps []string `yaml:"mimeApps"` ++++++ vendor.tar.gz ++++++ ++++ 4426 lines of diff (skipped)
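Review bot: The new comment on `Args` reads `// Args defines X11-specific arguments.`, which duplicates the `X11Args` comment and contradicts the run.go hunk, where `Args` is the base list that the session-specific and no-GPU arguments are appended to. Suggested wording: `// Args defines arguments passed to the command regardless of display server or GPU availability.` It would also help to note on `X11Args`, `WaylandArgs` and `NoGPUArgs` that they are appended after `Args` and before arguments given on the command line. The struct continues outside the hunk.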
