Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bubblewrap for openSUSE:Factory checked in at 2026-04-26 21:10:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bubblewrap (Old) and /work/SRC/openSUSE:Factory/.bubblewrap.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bubblewrap" Sun Apr 26 21:10:45 2026 rev:23 rq:1348886 version:0.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/bubblewrap/bubblewrap.changes 2025-09-17 16:37:16.177224266 +0200 +++ /work/SRC/openSUSE:Factory/.bubblewrap.new.11940/bubblewrap.changes 2026-04-26 21:11:20.053470564 +0200 
@@ -1,0 +2,30 @@ +Wed Apr 22 22:51:40 UTC 2026 - Antonio Larrosa <[email protected]> + +- Really drop the nobwrap.helper script as intended on Sep 29 2025. + +------------------------------------------------------------------- +Mon Mar 23 15:54:47 UTC 2026 - Dirk Müller <[email protected]> + +- update to 0.11.1: + * Reset disposition of `SIGCHLD`, restoring normal subprocess + management if bwrap was run from a process that was ignoring + that signal, such as Erlang or volumeicon + * Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if + used + * Note that using a fd number ≥ 3 for these purposes is still + * preferred, to avoid confusion with the stdin, stdout, stderr + * that will be inherited by the command inside the container. + * Fix grammar in an error message + * Fix a broken link in the documentation + * Enable user namespaces in Github Actions configuration, + fixing a CI regression with newer Ubuntu + * Clarify comments + +------------------------------------------------------------------- +Mon Sep 29 07:40:43 UTC 2025 - Dominique Leuenberger <[email protected]> + +- Drop the nobwrap.helper again: glycin could find a solution to + detect it running in a CI/BuildEnvironment and it disarms + bubblewrap in this case, making this wrapper obsolete + +------------------------------------------------------------------- Old: ---- bubblewrap-0.11.0.tar.xz bubblewrap-0.11.0.tar.xz.asc nobwrap.helper New: ---- bubblewrap-0.11.1.tar.xz bubblewrap-0.11.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bubblewrap.spec ++++++ --- /var/tmp/diff_new_pack.Cbr7np/_old 2026-04-26 21:11:20.721497877 +0200 +++ /var/tmp/diff_new_pack.Cbr7np/_new 2026-04-26 21:11:20.725498041 +0200 
@@ -1,7 +1,7 @@ # # spec file for package bubblewrap # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2024 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: bubblewrap -Version: 0.11.0 +Version: 0.11.1 Release: 0 Summary: Core execution tool for unprivileged containers License: LGPL-2.0-or-later @@ -29,7 +29,6 @@ # https://www.pseudorandom.co.uk/2003/contact/ # 0x4DE8FF2A63C7CC90, fingerprint: DA98 F25C 0871 C49A 59EA FF2C 4DE8 FF2A 63C7 CC90 Source2: %{name}.keyring -Source3: nobwrap.helper BuildRequires: docbook-xsl-stylesheets BuildRequires: gcc BuildRequires: git @@ -55,7 +54,6 @@ %prep %autosetup -p1 -n %{name}-%{version} -cp %SOURCE3 . sed -i '1d' completions/bash/bwrap %if 0%{?suse_version} < 1500 sed -i '1s,%{_bindir}/env bash,/bin/bash,' demos/bubblewrap-shell.sh @@ -76,7 +74,6 @@ %files %license COPYING %doc README.md demos -%doc nobwrap.helper %dir %{_datadir}/bash-completion %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/bwrap ++++++ bubblewrap-0.11.0.tar.xz -> bubblewrap-0.11.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/.github/workflows/check.yml new/bubblewrap-0.11.1/.github/workflows/check.yml --- old/bubblewrap-0.11.0/.github/workflows/check.yml 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/.github/workflows/check.yml 2026-03-21 18:33:47.000000000 +0100 
@@ -17,6 +17,8 @@ uses: actions/checkout@v4 - name: Install build-dependencies run: sudo ./ci/builddeps.sh + - name: Enable user namespaces + run: sudo ./ci/enable-userns.sh - name: Create logs dir run: mkdir test-logs - name: setup diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/NEWS.md new/bubblewrap-0.11.1/NEWS.md --- old/bubblewrap-0.11.0/NEWS.md 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/NEWS.md 2026-03-21 18:33:47.000000000 +0100 @@ -1,3 +1,31 @@ +bubblewrap 0.11.1 +================= + +Released: 2026-03-21 + +Bug fixes: + + * Reset disposition of `SIGCHLD`, restoring normal subprocess management + if bwrap was run from a process that was ignoring that signal, + such as Erlang or volumeicon (#705, Joel Pelaez Jorge) + + * Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if used + (#731, Daniel Cazares). + Note that using a fd number ≥ 3 for these purposes is still + preferred, to avoid confusion with the stdin, stdout, stderr + that will be inherited by the command inside the container. + + * Fix grammar in an error message (#694, J. Neuschäfer) + + * Fix a broken link in the documentation (#729, Aaron Brooks) + +Internal changes: + + * Enable user namespaces in Github Actions configuration, fixing a CI + regression with newer Ubuntu (#728, Joel Pelaez Jorge) + + * Clarify comments (#737, Simon McVittie) + bubblewrap 0.11.0 ================= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/README.md new/bubblewrap-0.11.1/README.md --- old/bubblewrap-0.11.0/README.md 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/README.md 2026-03-21 18:33:47.000000000 +0100 
@@ -151,7 +151,7 @@ IPC namespaces ([CLONE_NEWIPC](https://linux.die.net/man/2/clone)): The sandbox will get its own copy of all the different forms of IPCs, like SysV shared memory and semaphores. -PID namespaces ([CLONE_NEWPID](https://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/). +PID namespaces ([CLONE_NEWPID](https://linux.die.net/man/2/clone)): The sandbox will not see any processes outside the sandbox. Additionally, bubblewrap will run a trivial pid1 inside your container to handle the requirements of reaping children in the sandbox. This avoids what is known now as the [Docker pid 1 problem](https://blog.phusion.nl/docker-and-the-pid-1-zombie-reaping-problem/). Network namespaces ([CLONE_NEWNET](https://linux.die.net/man/2/clone)): The sandbox will not see the network. Instead it will have its own network namespace with only a loopback device. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/bubblewrap.c new/bubblewrap-0.11.1/bubblewrap.c --- old/bubblewrap-0.11.0/bubblewrap.c 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/bubblewrap.c 2026-03-21 18:33:47.000000000 +0100 @@ -2889,6 +2889,7 @@ int intermediate_pids_sockets[2] = {-1, -1}; const char *exec_path = NULL; int i; + struct sigaction sa = {}; /* Handle --version early on before we try to acquire/drop * any capabilities so it works in a build environment; 
@@ -2898,6 +2899,12 @@ if (argc == 2 && (strcmp (argv[1], "--version") == 0)) print_version_and_exit (); + /* Reset SIGCHILD to SIG_DFL allowing signalfd working propertly + * if the parent process had set SIGCHLD to SIG_IGN. */ + sigemptyset (&sa.sa_mask); + sa.sa_handler = SIG_DFL; + sigaction (SIGCHLD, &sa, NULL); + real_uid = getuid (); real_gid = getgid (); @@ -3105,7 +3112,7 @@ } /* Switch to the custom user ns before the clone, gets us privs in that ns (assuming its a child of the current and thus allowed) */ - if (opt_userns_fd > 0 && setns (opt_userns_fd, CLONE_NEWUSER) != 0) + if (opt_userns_fd != -1 && setns (opt_userns_fd, CLONE_NEWUSER) != 0) { if (errno == EINVAL) die ("Joining the specified user namespace failed, it might not be a descendant of the current user namespace."); @@ -3128,7 +3135,7 @@ if (errno == EINVAL) die ("Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems."); else if (errno == EPERM && !is_privileged) - die ("No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'."); + die ("No permissions to create a new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'."); } if (errno == ENOSPC) @@ -3171,7 +3178,7 @@ /* Initial launched process, wait for pid 1 or exec:ed command to exit */ - if (opt_userns2_fd > 0 && setns (opt_userns2_fd, CLONE_NEWUSER) != 0) + if (opt_userns2_fd != -1 && setns (opt_userns2_fd, CLONE_NEWUSER) != 0) die_with_error ("Setting userns2 failed"); /* We don't need any privileges in the launcher, drop them immediately. */ 
@@ -3212,7 +3219,7 @@ return monitor_child (event_fd, pid, setup_finished_pipe[0]); } - if (opt_pidns_fd > 0) + if (opt_pidns_fd != -1) { if (setns (opt_pidns_fd, CLONE_NEWPID) != 0) die_with_error ("Setting pidns failed"); @@ -3439,7 +3446,7 @@ die_with_error ("chdir /"); } - if (opt_userns2_fd > 0 && setns (opt_userns2_fd, CLONE_NEWUSER) != 0) + if (opt_userns2_fd != -1 && setns (opt_userns2_fd, CLONE_NEWUSER) != 0) die_with_error ("Setting userns2 failed"); if (opt_unshare_user && opt_userns_block_fd == -1 && diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/ci/enable-userns.sh new/bubblewrap-0.11.1/ci/enable-userns.sh --- old/bubblewrap-0.11.0/ci/enable-userns.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/bubblewrap-0.11.1/ci/enable-userns.sh 2026-03-21 18:33:47.000000000 +0100 @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +echo "kernel.apparmor_restrict_unprivileged_userns = 0" > /etc/sysctl.d/99-userns.conf +sysctl --system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/meson.build new/bubblewrap-0.11.1/meson.build --- old/bubblewrap-0.11.0/meson.build 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/meson.build 2026-03-21 18:33:47.000000000 +0100 @@ -1,7 +1,7 @@ project( 'bubblewrap', 'c', - version : '0.11.0', + version : '0.11.1', meson_version : '>=0.49.0', default_options : [ 'warning_level=2', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/release-checklist.md new/bubblewrap-0.11.1/release-checklist.md --- old/bubblewrap-0.11.0/release-checklist.md 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/release-checklist.md 2026-03-21 18:33:47.000000000 +0100 
@@ -1,13 +1,13 @@ bubblewrap release checklist ============================ -* Collect release notes in `NEWS` -* Update version number in `meson.build` and release date in `NEWS` +* Collect release notes in `NEWS.md` +* Update version number in `meson.build` and release date in `NEWS.md` * Commit the changes * `meson dist -C ${builddir}` * Do any final smoke-testing, e.g. update a package, install and test it * `git evtag sign v$VERSION` - * Include the release notes from `NEWS` in the tag message + * Include the release notes from `NEWS.md` in the tag message * `git push --atomic origin main v$VERSION` * https://github.com/containers/bubblewrap/releases/new * Fill in the new version's tag in the "Tag version" box diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bubblewrap-0.11.0/utils.c new/bubblewrap-0.11.1/utils.c --- old/bubblewrap-0.11.0/utils.c 2024-10-30 17:07:47.000000000 +0100 +++ new/bubblewrap-0.11.1/utils.c 2026-03-21 18:33:47.000000000 +0100 @@ -510,14 +510,18 @@ the create file will fail in the read-only case with EROFS instead of EEXIST. - We're trying to set up a mount point for a non-directory, so any - non-directory, non-symlink is acceptable - it doesn't necessarily - have to be a regular file. */ + We're trying to set up a mount point for a non-directory, for which + the kernel will accept any non-directory. If it's a symlink, follow + it and look at the target: again, any non-directory is good enough. + We'll only get S_ISLNK if the path is a dangling symlink (target + doesn't exist). */ if (stat (path, &buf) == 0 && !S_ISDIR (buf.st_mode) && !S_ISLNK (buf.st_mode)) return 0; + /* If the file didn't exist, create it. If it was a dangling symlink + * (S_ISLNK above) then this will create the target of the symlink. */ if (create_file (path, mode, NULL) != 0 && errno != EEXIST) return -1; 
@@ -681,7 +685,8 @@ /* We check this ahead of time, otherwise the mkdir call can fail in the read-only case with EROFS instead of EEXIST on some - filesystems (such as NFS) */ + filesystems (such as NFS). + We follow symlinks: it's OK if path is a symlink to a directory. */ if (stat (path, &buf) == 0) { if (!S_ISDIR (buf.st_mode))
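Review bot: in the bubblewrap.changes hunk, the 0.11.1 entry turns one sentence into three bullets: the lines `* preferred, to avoid confusion with the stdin, stdout, stderr` and `* that will be inherited by the command inside the container.` are the continuation of `* Note that using a fd number ≥ 3 for these purposes is still`, as the NEWS.md text later in this diff shows. Drop the leading asterisks on those two lines so the changelog reads as a single note under the `--userns 0` item.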
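Review bot: the comment added in the bubblewrap.c hunk @@ -2898 misspells the signal and reads awkwardly; `/* Reset SIGCHILD to SIG_DFL allowing signalfd working propertly` should read `/* Reset SIGCHLD to SIG_DFL so that signalfd works properly`. The return value of `sigaction (SIGCHLD, &sa, NULL);` is also discarded; for a valid signal number it will not fail in practice, but the surrounding code uses die_with_error on every other failing syscall, so `if (sigaction (SIGCHLD, &sa, NULL) != 0) die_with_error ("Resetting SIGCHLD failed");` would be consistent. Minor: `struct sigaction sa = {};` in the @@ -2889 hunk is a GNU extension before C23; `= { 0 }` is the portable spelling.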
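Review bot: replacing `> 0` with `!= -1` in the bubblewrap.c hunks @@ -3105, @@ -3171, @@ -3212 and @@ -3439 makes fd 0 usable as intended, but it also lets any negative value other than -1 reach setns(). The option parsing that assigns opt_userns_fd, opt_userns2_fd and opt_pidns_fd is not part of this diff, so confirm it rejects negative input, or compare with `>= 0`, which accepts 0 and keeps rejecting everything below it. Since fd 0 is then also the stdin of the sandboxed command, as the NEWS.md entry warns, that caveat belongs in the man page text for these options as well.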
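Review bot: ci/enable-userns.sh writes the sysctl unconditionally and then runs `sysctl --system`, which reloads every file under /etc/sysctl.d rather than only the one just written, and on a kernel without the `kernel.apparmor_restrict_unprivileged_userns` knob (anything lacking the Ubuntu AppArmor patch) what happens under `set -e` depends on how sysctl reports the missing key. Guarding the step with `[ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] || exit 0`, or applying the single key with `sysctl -w`, makes the intent explicit and keeps the job from failing where the restriction does not exist. A one-line comment that this relaxes an AppArmor restriction for the whole runner, acceptable only because the CI runner is disposable, would also help the next reader.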
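Review bot: the rewritten comment in the utils.c hunk @@ -510 says "We'll only get S_ISLNK if the path is a dangling symlink (target doesn't exist)", but stat() follows symlinks, so a successful stat() never reports S_IFLNK, and for a dangling symlink stat() fails with ENOENT before `!S_ISLNK (buf.st_mode)` is ever evaluated. Either switch that check to lstat() if detecting a symlink is the goal, or drop the S_ISLNK test and have the comment say that a dangling symlink falls through to create_file(), which is the behaviour the code actually has. The following comment ("If it was a dangling symlink (S_ISLNK above) then this will create the target") inherits the same inaccuracy and should be adjusted together with it.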
