Hello community,

here is the log from the commit of package otpclient for openSUSE:Factory checked in at 2026-06-30 15:14:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otpclient (Old)
 and /work/SRC/openSUSE:Factory/.otpclient.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "otpclient" Tue Jun 30 15:14:37 2026 rev:50 rq:1362643 version:5.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/otpclient/otpclient.changes 2026-05-28 17:34:32.198572904 +0200 +++ /work/SRC/openSUSE:Factory/.otpclient.new.11887/otpclient.changes 2026-06-30 15:14:57.783151476 +0200 
@@ -1,0 +2,95 @@ +Tue Jun 30 07:39:49 UTC 2026 - Paolo Stivanin <[email protected]> + +- Update to 5.1.1: + * FIX: databases containing a token with an issuer but no account + name (for example some ProtonMail or Steam entries) refused to + open on 5.1.0 with "Could not open database: Token has a missing + label", locking you out of the entire database. A token is now + valid as long as it has either an account name or an issuer; the + same rule applies to imports and manual token entry (#458) + +------------------------------------------------------------------- +Thu Jun 25 07:14:45 UTC 2026 - Paolo Stivanin <[email protected]> + +- Update to 5.1.0: + * BREAKING: After upgrading to 5.1.0, older OTPClient releases + will NOT be able to open v3 databases, so keep a backup before + upgrading if you may need to downgrade + * NEW: webcam QR scanning runs on a worker thread, no more main- + thread freeze while the camera initializes or while frames are + decoded + * NEW: you can quit OTPClient while the database is locked (#456) + * NEW: the app locks automatically when the system suspends (via + logind PrepareForSleep), so the database is never left + decrypted across sleep + * IMPROVEMENT: database file format bumped to v3 with a portable, + byte-addressable big-endian header. v1 and v2 databases are + read transparently and upgraded to v3 on first successful + open/unlock. 
Older OTPClient releases cannot open v3 databases, + so keep a backup before upgrading if you may need to downgrade + * IMPROVEMENT: cross-process write serialization via a bounded- + wait .lock sidecar, prevents two OTPClient instances from + clobbering each other on save + * IMPROVEMENT: search-filter cache, large token lists filter + without re-walking the model on every keystroke + * IMPROVEMENT: changing the password now requires verifying the + current one before the change is applied + * IMPROVEMENT: CLI plain imports dispatch by file type + automatically, no longer prompt for a password on unencrypted + formats + * IMPROVEMENT: Google Authenticator migration import was + rewritten with bounded payload/token/batch limits and now + reports multi-batch progress, across the file, screen, and + webcam paths + * SECURITY: locking wipes the decrypted database and master key + from memory; unlocking re-derives the key instead of comparing + a copy held in RAM + * SECURITY: generated codes, notification text, clipboard + contents, and per-token values are wiped after use, and live + codes are kept in libgcrypt secure memory + * SECURITY: search-provider activation IDs are now random 128-bit + capability tokens with a 30-second TTL and single-use + enforcement, replacing the predictable db_index:json_index + scheme + * SECURITY: HOTP entries are excluded from the search provider at + load time, advancing a counter from a desktop search result is + too easy to do by accident + * SECURITY: transient password buffers are wiped after use across + the GUI and CLI, including on password-dialog cancel and + dispose + * SECURITY: search-provider derived-key cache + rate limit on OTP + delivery, using a single global rate bucket (no per-connection + bypass) and an idle-wipe timer for keys and caches + * SECURITY: 2FAS encrypted import now surfaces decryption errors + instead of silently swallowing them + * SECURITY: broad correctness and hardening pass across src/ + (core, 
GUI, importers, CLI), including a parse-uri double-error + fix, an authpro stream check, a bytes_to_hexstr overflow guard, + and NULL-checked secure-memory allocations + * SECURITY: tightened Argon2id parameter bounds (MAX_ITER 100 -> + 64, MAX_MC 4 GiB -> 1 GiB, MAX_PARAL 64 -> 16) to reject + pathological configurations + * FIX: v2 databases were misread as a far-future format version + and refused to open; both v2 and v3 headers are now read + correctly + * FIX: the window no longer gets stuck on the "Unlocking..." page + when a database fails to load for a reason other than a missing + file or wrong password; it drops back to the no-database view + so you can retry + * FIX: the desktop search provider copies the OTP to the + clipboard asynchronously on KDE; the synchronous Klipper D-Bus + call could block every activation for up to a second when + Klipper did not reply in time, delaying the copy and the + notification + * FIX: CLI HOTP counter is now persisted before the code is + printed, the counter upper bound is exclusive everywhere, the + terminal is restored on interrupt, and CR/LF is stripped from + piped input + * FIX: memory leaks in DB and OTP handling paths + * FIX: freeotp importer secmem budget and GError-overwrite bug + that also affected other importers + * FIX: in-memory database state is now restored if an encrypt-on- + save fails, instead of being left half-mutated + * FIX: debianStable CI build and the JPEG sanitizers test + +------------------------------------------------------------------- Old: ---- v5.0.6.tar.gz v5.0.6.tar.gz.asc New: ---- v5.1.1.tar.gz v5.1.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ otpclient.spec ++++++ --- /var/tmp/diff_new_pack.m8jzrU/_old 2026-06-30 15:14:59.335204161 +0200 +++ /var/tmp/diff_new_pack.m8jzrU/_new 2026-06-30 15:14:59.359204976 +0200 
@@ -18,7 +18,7 @@ %define uclname OTPClient Name: otpclient -Version: 5.0.6 +Version: 5.1.1 Release: 0 Summary: Simple GTK+ client for managing TOTP and HOTP License: GPL-3.0-or-later ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.m8jzrU/_old 2026-06-30 15:14:59.723217333 +0200 +++ /var/tmp/diff_new_pack.m8jzrU/_new 2026-06-30 15:14:59.767218826 +0200 @@ -1,5 +1,5 @@ -mtime: 1779970912 -commit: 5ce711dc87ec867be094857817e53358c4332ef8a45e784266e08e458397abea +mtime: 1782805223 +commit: 5e0abec62dd086beb5a6c336598ffd44e909c3fbf58727be47043db47b3f1e4a url: https://src.opensuse.org/GNOME/otpclient revision: factory ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-30 09:40:23.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ v5.0.6.tar.gz -> v5.1.1.tar.gz ++++++ ++++ 21822 lines of diff (skipped)
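Review bot: In the otpclient.changes hunk, the 5.1.0 entry gives the downgrade warning twice: once in the BREAKING bullet and again at the end of the "database file format bumped to v3" IMPROVEMENT bullet ("Older OTPClient releases cannot open v3 databases, so keep a backup before upgrading if you may need to downgrade"). Keep it only in the BREAKING bullet. Since the same entry says v1 and v2 databases are "upgraded to v3 on first successful open/unlock", that bullet is the only notice a user gets before the format change takes effect, so it is worth leaving at the top of the entry. Separately, none of the SECURITY bullets carries a tracker reference, while other bullets cite upstream issues (#456, #458); if any of them, such as the predictable db_index:json_index activation IDs or the bytes_to_hexstr overflow guard, has an assigned bug or CVE identifier, add it to the bullet so the fix can be tracked.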
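Review bot: The source change from v5.0.6.tar.gz to v5.1.1.tar.gz is not reviewable from this mail, because the tarball diff is reported only as "21822 lines of diff (skipped)", and the changelog describes a new on-disk format, rewritten importers and changed key handling. The listing shows v5.1.1.tar.gz.asc shipped next to the tarball, but the visible otpclient.spec hunk changes only the Version line and shows nothing about how that signature is checked. Please confirm that the signature verifies against the upstream key the package already trusts, and that the commit recorded in _scmsync.obsinfo corresponds to the upstream 5.1.1 release.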
