Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package flatpak [ Reason ] * Apply proposed patch fixing a security vulnerability * Improve compatibility with C++ * Fixes to automated tests [ Impact ] * If the security fix is not applied: - a malicious Flatpak app can escape the sandbox even if its permissions should not allow that * If the header file fixes are not applied: - C++ code cannot use libflatpak without using a problematic workaround that is broken by future (Debian 12) versions of GLib * If test fixes are not applied: - test failure on non-x86 in non-schroot, non-lxc environments - some minor memory leaks when running the automated tests (I wouldn't have fixed this one if I had known I would have to do a security update so soon, but the patch is trivial and low-risk) [ Tests ] The upstream test suite is run at build time and under autopkgtest. A lot of it has to be skipped in schroot and lxc, but I run it under qemu before upload for better coverage. Also manually tested by installing an app modified to exploit the security vulnerability. Most of the changes were only 2 days from migration, but the need to upload the security fix resets the migration clock. [ Risks ] These are targeted fixes that seem unlikely to cause regressions. They're easy to revert if it somehow becomes necessary. The patch adding G_BEGIN_DECLS/G_END_DECLS (macros around 'extern "C" {}' guards) is fairly long, but is just making one straightforward change in multiple places. The other patches are all closely-targeted and easy to review. The security fix might not be the final version: it has not been reviewed by an upstream maintainer yet, and I made some suggestions for improvement on the upstream PR. However, it seems correct, and applying something is better than nothing. I'll update the package with an upstream-reviewed patch when one becomes available. The fix for test failure on non-x86 is unreviewed, but is also quite obvious. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] In previous Debian stable releases I have followed the upstream stable-branch in Debian for as long as it continued to be maintained, to pick up targeted bug fixes and interop fixes recommended by upstream, and I hope to do the same for Flatpak 1.10.x in Debian 11. The SRMs and security team seem happy with this approach so far. unblock flatpak/1.10.1-4
diffstat for flatpak-1.10.1 flatpak-1.10.1 changelog | 23 + patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch | 208 ++++++++++ patches/Disallow-and-u-usage-in-desktop-files.patch | 23 + patches/series | 4 patches/testlibrary-Fix-memory-leaks.patch | 28 + patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch | 3 patches/tests-Remove-hard-coded-references-to-x86_64.patch | 40 + 7 files changed, 328 insertions(+), 1 deletion(-) diff -Nru flatpak-1.10.1/debian/changelog flatpak-1.10.1/debian/changelog --- flatpak-1.10.1/debian/changelog 2021-01-28 22:24:20.000000000 +0000 +++ flatpak-1.10.1/debian/changelog 2021-03-05 10:21:35.000000000 +0000 @@ -1,3 +1,26 @@ +flatpak (1.10.1-4) unstable; urgency=high + + * d/p/Disallow-and-u-usage-in-desktop-files.patch: + Add proposed patch to fix a sandbox escape via crafted .desktop + files (flatpak#4146). Thanks, Ryan Gonzalez + * d/p/tests-Remove-hard-coded-references-to-x86_64.patch: + Add proposed patch to fix some tests on non-x86_64 machines. + The affected tests were already skipped in schroot/lxc for other + reasons, but would be run (and fail) on autopkgtest testbeds with + isolation-machine and working FUSE. + + -- Simon McVittie <s...@debian.org> Fri, 05 Mar 2021 10:21:35 +0000 + +flatpak (1.10.1-3) unstable; urgency=medium + + * Mark patch as applied upstream + * Add bugfixes from upstream flatpak-1.10.x branch + - Add extern "C" guards to header files, fixing compilation of C++ code + such as plasma-discover against GLib 2.67.x + - Fix memory leaks in the unit tests + + -- Simon McVittie <s...@debian.org> Wed, 24 Feb 2021 13:59:56 +0000 + flatpak (1.10.1-2) unstable; urgency=medium * d/patches: Disable FUSE-based revokefs if any of several factors fail. diff -Nru flatpak-1.10.1/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch flatpak-1.10.1/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch --- flatpak-1.10.1/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.10.1/debian/patches/Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch 2021-03-05 10:21:35.000000000 +0000 @@ -0,0 +1,208 @@ +From: Kalev Lember <klem...@redhat.com> +Date: Fri, 12 Feb 2021 15:55:28 +0100 +Subject: Add G_BEGIN_DECLS/G_END_DECLS to public headers + +This ensures that we correctly specify C linkage when including flatpak +headers from C++ code. + +This should fix fallout from glib's change to include C++ code in its +headers, see https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1935 +for discussion. + +Fixes https://github.com/flatpak/flatpak/issues/4117 + +(cherry picked from commit 426284759c58df81bdbc80167f01058a2c197c0d) + +Origin: upstream, 1.10.2, commit:93fb812b44ccccf7415cd2ee21dc49807df302a2 +--- + common/flatpak-bundle-ref.h | 4 ++++ + common/flatpak-installation.h | 3 +++ + common/flatpak-installed-ref.h | 4 ++++ + common/flatpak-instance.h | 4 ++++ + common/flatpak-ref.h | 4 ++++ + common/flatpak-related-ref.h | 4 ++++ + common/flatpak-remote-ref.h | 4 ++++ + common/flatpak-remote.h | 3 +++ + common/flatpak-transaction.h | 4 ++++ + 9 files changed, 34 insertions(+) + +diff --git a/common/flatpak-bundle-ref.h b/common/flatpak-bundle-ref.h +index 20484db..0b3638b 100644 +--- a/common/flatpak-bundle-ref.h ++++ b/common/flatpak-bundle-ref.h +@@ -30,6 +30,8 @@ typedef struct _FlatpakBundleRef FlatpakBundleRef; + #include <gio/gio.h> + #include <flatpak-ref.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_BUNDLE_REF flatpak_bundle_ref_get_type () + #define FLATPAK_BUNDLE_REF(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_BUNDLE_REF, FlatpakBundleRef)) + #define FLATPAK_IS_BUNDLE_REF(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_BUNDLE_REF)) +@@ -62,4 +64,6 @@ FLATPAK_EXTERN char *flatpak_bundle_ref_get_runtime_repo_url (Flatpak + G_DEFINE_AUTOPTR_CLEANUP_FUNC (FlatpakBundleRef, g_object_unref) + #endif + ++G_END_DECLS ++ + #endif /* __FLATPAK_BUNDLE_REF_H__ */ +diff --git a/common/flatpak-installation.h b/common/flatpak-installation.h +index 8a6f784..2119a74 100644 +--- a/common/flatpak-installation.h ++++ b/common/flatpak-installation.h +@@ -32,6 +32,8 @@ typedef struct _FlatpakInstallation FlatpakInstallation; + #include <flatpak-instance.h> + #include <flatpak-remote.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_INSTALLATION flatpak_installation_get_type () + #define FLATPAK_INSTALLATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_INSTALLATION, FlatpakInstallation)) + #define FLATPAK_IS_INSTALLATION(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_INSTALLATION)) +@@ -477,5 +479,6 @@ FLATPAK_EXTERN gboolean flatpak_installation_run_triggers (FlatpakInsta + GCancellable *cancellable, + GError **error); + ++G_END_DECLS + + #endif /* __FLATPAK_INSTALLATION_H__ */ +diff --git a/common/flatpak-installed-ref.h b/common/flatpak-installed-ref.h +index 9de0451..0bb90ef 100644 +--- a/common/flatpak-installed-ref.h ++++ b/common/flatpak-installed-ref.h +@@ -30,6 +30,8 @@ typedef struct _FlatpakInstalledRef FlatpakInstalledRef; + #include <gio/gio.h> + #include <flatpak-ref.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_INSTALLED_REF flatpak_installed_ref_get_type () + #define FLATPAK_INSTALLED_REF(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_INSTALLED_REF, FlatpakInstalledRef)) + #define FLATPAK_IS_INSTALLED_REF(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_INSTALLED_REF)) +@@ -71,4 +73,6 @@ FLATPAK_EXTERN GBytes *flatpak_installed_ref_load_appdata (FlatpakInstalled + FLATPAK_EXTERN const char * flatpak_installed_ref_get_eol (FlatpakInstalledRef *self); + FLATPAK_EXTERN const char * flatpak_installed_ref_get_eol_rebase (FlatpakInstalledRef *self); + ++G_END_DECLS ++ + #endif /* __FLATPAK_INSTALLED_REF_H__ */ +diff --git a/common/flatpak-instance.h b/common/flatpak-instance.h +index 772551f..7b064cf 100644 +--- a/common/flatpak-instance.h ++++ b/common/flatpak-instance.h +@@ -29,6 +29,8 @@ typedef struct _FlatpakInstance FlatpakInstance; + + #include <glib-object.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_INSTANCE flatpak_instance_get_type () + #define FLATPAK_INSTANCE(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_INSTANCE, FlatpakInstance)) + #define FLATPAK_IS_INSTANCE(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_INSTANCE)) +@@ -65,4 +67,6 @@ FLATPAK_EXTERN GKeyFile * flatpak_instance_get_info (FlatpakInstance *self); + + FLATPAK_EXTERN gboolean flatpak_instance_is_running (FlatpakInstance *self); + ++G_END_DECLS ++ + #endif /* __FLATPAK_INSTANCE_H__ */ +diff --git a/common/flatpak-ref.h b/common/flatpak-ref.h +index 285379b..f6d3620 100644 +--- a/common/flatpak-ref.h ++++ b/common/flatpak-ref.h +@@ -29,6 +29,8 @@ typedef struct _FlatpakRef FlatpakRef; + + #include <glib-object.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_REF flatpak_ref_get_type () + #define FLATPAK_REF(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_REF, FlatpakRef)) + #define FLATPAK_IS_REF(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_REF)) +@@ -73,4 +75,6 @@ FLATPAK_EXTERN FlatpakRef * flatpak_ref_parse (const char *ref, + GError **error); + FLATPAK_EXTERN const char * flatpak_ref_get_collection_id (FlatpakRef *self); + ++G_END_DECLS ++ + #endif /* __FLATPAK_REF_H__ */ +diff --git a/common/flatpak-related-ref.h b/common/flatpak-related-ref.h +index f33dae8..10d32a1 100644 +--- a/common/flatpak-related-ref.h ++++ b/common/flatpak-related-ref.h +@@ -30,6 +30,8 @@ typedef struct _FlatpakRelatedRef FlatpakRelatedRef; + #include <gio/gio.h> + #include <flatpak-ref.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_RELATED_REF flatpak_related_ref_get_type () + #define FLATPAK_RELATED_REF(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_RELATED_REF, FlatpakRelatedRef)) + #define FLATPAK_IS_RELATED_REF(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_RELATED_REF)) +@@ -55,4 +57,6 @@ FLATPAK_EXTERN gboolean flatpak_related_ref_should_download (FlatpakRelatedR + FLATPAK_EXTERN gboolean flatpak_related_ref_should_delete (FlatpakRelatedRef *self); + FLATPAK_EXTERN gboolean flatpak_related_ref_should_autoprune (FlatpakRelatedRef *self); + ++G_END_DECLS ++ + #endif /* __FLATPAK_RELATED_REF_H__ */ +diff --git a/common/flatpak-remote-ref.h b/common/flatpak-remote-ref.h +index 0c9a4e8..b6478a0 100644 +--- a/common/flatpak-remote-ref.h ++++ b/common/flatpak-remote-ref.h +@@ -30,6 +30,8 @@ typedef struct _FlatpakRemoteRef FlatpakRemoteRef; + #include <gio/gio.h> + #include <flatpak-ref.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_REMOTE_REF flatpak_remote_ref_get_type () + #define FLATPAK_REMOTE_REF(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_REMOTE_REF, FlatpakRemoteRef)) + #define FLATPAK_IS_REMOTE_REF(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_REMOTE_REF)) +@@ -57,4 +59,6 @@ FLATPAK_EXTERN const char * flatpak_remote_ref_get_eol_rebase (FlatpakRemoteRef + G_DEFINE_AUTOPTR_CLEANUP_FUNC (FlatpakRemoteRef, g_object_unref) + #endif + ++G_END_DECLS ++ + #endif /* __FLATPAK_REMOTE_REF_H__ */ +diff --git a/common/flatpak-remote.h b/common/flatpak-remote.h +index fa223d3..6495413 100644 +--- a/common/flatpak-remote.h ++++ b/common/flatpak-remote.h +@@ -44,6 +44,8 @@ typedef struct _FlatpakRemote FlatpakRemote; + #include <gio/gio.h> + #include <flatpak-remote-ref.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_REMOTE flatpak_remote_get_type () + #define FLATPAK_REMOTE(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), FLATPAK_TYPE_REMOTE, FlatpakRemote)) + #define FLATPAK_IS_REMOTE(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), FLATPAK_TYPE_REMOTE)) +@@ -124,5 +126,6 @@ FLATPAK_EXTERN void flatpak_remote_set_filter (FlatpakRemote *self, + + FLATPAK_EXTERN FlatpakRemoteType flatpak_remote_get_remote_type (FlatpakRemote *self); + ++G_END_DECLS + + #endif /* __FLATPAK_REMOTE_H__ */ +diff --git a/common/flatpak-transaction.h b/common/flatpak-transaction.h +index 37c4144..870bfbc 100644 +--- a/common/flatpak-transaction.h ++++ b/common/flatpak-transaction.h +@@ -28,6 +28,8 @@ + #include <gio/gio.h> + #include <flatpak-installation.h> + ++G_BEGIN_DECLS ++ + #define FLATPAK_TYPE_TRANSACTION flatpak_transaction_get_type () + #define FLATPAK_TYPE_TRANSACTION_PROGRESS flatpak_transaction_progress_get_type () + #define FLATPAK_TYPE_TRANSACTION_OPERATION flatpak_transaction_operation_get_type () +@@ -315,4 +317,6 @@ gboolean flatpak_transaction_add_uninstall (FlatpakTransaction *self, + FLATPAK_EXTERN + gboolean flatpak_transaction_is_empty (FlatpakTransaction *self); + ++G_END_DECLS ++ + #endif /* __FLATPAK_TRANSACTION_H__ */ diff -Nru flatpak-1.10.1/debian/patches/Disallow-and-u-usage-in-desktop-files.patch flatpak-1.10.1/debian/patches/Disallow-and-u-usage-in-desktop-files.patch --- flatpak-1.10.1/debian/patches/Disallow-and-u-usage-in-desktop-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.10.1/debian/patches/Disallow-and-u-usage-in-desktop-files.patch 2021-03-05 10:21:35.000000000 +0000 @@ -0,0 +1,23 @@ +From: Ryan Gonzalez <rym...@gmail.com> +Date: Tue, 2 Mar 2021 13:20:07 -0600 +Subject: Disallow @@ and @@u usage in desktop files + +Bug: https://github.com/flatpak/flatpak/issues/4146 +Forwarded: https://github.com/flatpak/flatpak/pull/4148 +--- + common/flatpak-dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c +index 507a71b..82f2ce6 100644 +--- a/common/flatpak-dir.c ++++ b/common/flatpak-dir.c +@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app, + g_string_append_printf (new_exec, " @@ %s @@", arg); + else if (strcasecmp (arg, "%u") == 0) + g_string_append_printf (new_exec, " @@u %s @@", arg); ++ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) ++ g_print (_("Skipping invalid Exec argument %s\n"), arg); + else + g_string_append_printf (new_exec, " %s", arg); + } diff -Nru flatpak-1.10.1/debian/patches/series flatpak-1.10.1/debian/patches/series --- flatpak-1.10.1/debian/patches/series 2021-01-28 22:24:20.000000000 +0000 +++ flatpak-1.10.1/debian/patches/series 2021-03-05 10:21:35.000000000 +0000 @@ -1 +1,5 @@ +testlibrary-Fix-memory-leaks.patch +Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch tests-Disable-revokefs-if-FUSE-doesn-t-work.patch +Disallow-and-u-usage-in-desktop-files.patch +tests-Remove-hard-coded-references-to-x86_64.patch diff -Nru flatpak-1.10.1/debian/patches/testlibrary-Fix-memory-leaks.patch flatpak-1.10.1/debian/patches/testlibrary-Fix-memory-leaks.patch --- flatpak-1.10.1/debian/patches/testlibrary-Fix-memory-leaks.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.10.1/debian/patches/testlibrary-Fix-memory-leaks.patch 2021-03-05 10:21:35.000000000 +0000 @@ -0,0 +1,28 @@ +From: Phaedrus Leeds <mwle...@endlessos.org> +Date: Thu, 4 Feb 2021 19:04:15 -0800 +Subject: testlibrary: Fix memory leaks + +(cherry picked from commit 7224809bc1e2584708b29ec1389cbcf1eeba1d3f) + +Origin: upstream, 1.10.2, commit:a1a6b7f208676885c770ab5ee97f71dacbc4baa1 +--- + tests/testlibrary.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/testlibrary.c b/tests/testlibrary.c +index 718f37c..b5ad853 100644 +--- a/tests/testlibrary.c ++++ b/tests/testlibrary.c +@@ -1338,10 +1338,10 @@ test_list_remote_related_refs (void) + // Make the test with extra-languages, instead of languages + clean_languages(); + configure_extra_languages(); +- +- inst = flatpak_installation_new_user (NULL, &error); ++ flatpak_installation_drop_caches (inst, NULL, &error); + g_assert_no_error (error); + ++ g_clear_pointer (&refs, g_ptr_array_unref); + refs = flatpak_installation_list_remote_related_refs_sync (inst, repo_name, app, NULL, &error); + g_assert_nonnull (refs); + g_assert_no_error (error); diff -Nru flatpak-1.10.1/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch flatpak-1.10.1/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch --- flatpak-1.10.1/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch 2021-01-28 22:24:20.000000000 +0000 +++ flatpak-1.10.1/debian/patches/tests-Disable-revokefs-if-FUSE-doesn-t-work.patch 2021-03-05 10:21:35.000000000 +0000 @@ -15,6 +15,7 @@ that needs it, is based on the patches applied in @alexlarsson's PPA. Signed-off-by: Simon McVittie <s...@collabora.com> +Applied-upstream: 1.11.0, commit:a926776cf4fcacc2d096e10bf1578a0e7c626cc7 Forwarded: https://github.com/flatpak/flatpak/pull/4098 --- tests/Makefile.am.inc | 8 +++- @@ -179,7 +180,7 @@ +gboolean check_fuse (void); +gboolean check_fuse_or_skip_test (void); diff --git a/tests/testlibrary.c b/tests/testlibrary.c -index 718f37c..64dff19 100644 +index b5ad853..b8f04ef 100644 --- a/tests/testlibrary.c +++ b/tests/testlibrary.c @@ -10,6 +10,8 @@ diff -Nru flatpak-1.10.1/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch flatpak-1.10.1/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch --- flatpak-1.10.1/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch 1970-01-01 01:00:00.000000000 +0100 +++ flatpak-1.10.1/debian/patches/tests-Remove-hard-coded-references-to-x86_64.patch 2021-03-05 10:21:35.000000000 +0000 @@ -0,0 +1,40 @@ +From: Simon McVittie <s...@collabora.com> +Date: Fri, 26 Feb 2021 19:48:10 +0000 +Subject: tests: Remove hard-coded references to x86_64 + +Distributions run these tests on other architectures, but hard-coding +x86_64 to look for in output dooms that to failure. + +Signed-off-by: Simon McVittie <s...@collabora.com> +Forwarded: https://github.com/flatpak/flatpak/pull/4142 +--- + tests/test-oci.sh | 2 +- + tests/test-unused.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/test-oci.sh b/tests/test-oci.sh +index 50e4504..0e4726f 100755 +--- a/tests/test-oci.sh ++++ b/tests/test-oci.sh +@@ -51,7 +51,7 @@ image=oci/image/blobs/sha256/$DIGEST + assert_has_file $image + assert_file_has_content $image "org\.freedesktop\.appstream\.appdata.*<summary>Print a greeting</summary>" + assert_file_has_content $image "org\.freedesktop\.appstream\.icon-64" +-assert_file_has_content $image org.flatpak.ref.*app/org.test.Hello/x86_64/master ++assert_file_has_content $image org.flatpak.ref.*app/"org.test.Hello/$ARCH/master" + + ok "export oci" + +diff --git a/tests/test-unused.sh b/tests/test-unused.sh +index 5bd359a..20bbabe 100755 +--- a/tests/test-unused.sh ++++ b/tests/test-unused.sh +@@ -391,7 +391,7 @@ ok "list unused regular" + + mv unused.txt old-unused.txt + +-${test_builddir}/list-unused --exclude app/org.app.APP_A/x86_64/stable | sed s@^app/@@g | sed s@^runtime/@@g | sort > unused.txt ++${test_builddir}/list-unused --exclude "app/org.app.APP_A/$ARCH/stable" | sed s@^app/@@g | sed s@^runtime/@@g | sort > unused.txt + + # We don't report the excluded ref itself as unused. It's as if it wasn't even installed + assert_not_file_has_content unused.txt "org.app.APP_A/"