Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Sync up with upstream to make future stable/security updates easier.
Fix a bug affecting users who set XDG_RUNTIME_DIR to an unusual value.

[ Impact ]
If not accepted, future stable/security updates will take longer to prepare (backporting fixes to an old upstream release) or longer to review (the first time we pull in a new upstream stable release, the diff will look like this one).

Additionally, users with an unusual XDG_RUNTIME_DIR will find that Wayland, Pipewire and similar protocols don't work in a Flatpak sandbox. Most users of systemd-logind or elogind, or users who do not have an XDG_RUNTIME_DIR at all, are unaffected by this. This was a regression in 1.8.5/1.10.0.

[ Tests ]
Flatpak has fairly thorough autopkgtests. They can't be run on ci.debian.net due to conflicts between LXC and Flatpak containers, but I run them under qemu-system-x86_64 before each upload.

I've also done some manual testing on bullseye GNOME desktop/laptop systems and will continue to do so.

[ Risks ]
It's a high-visibility and security-sensitive package, but the code has hardly changed since stable. All changes are backports from unstable (either the development release 1.11.3, or post-release fixes in 1.11.3-2 which resulted from me testing 1.11.3 under autopkgtest).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
      - It's a filtered git diff rather than a debdiff, but I upload with dgit, so what's in git has to match what's uploaded. I did a diff between patched trees, because the majority of the upstream code changes were previously in debian/patches.
  [x] the issue is verified as fixed in unstable

[ Changes ]
common/flatpak-run.c: Make sure user's custom XDG_RUNTIME_DIR is overwritten with the one Flatpak sets up, as intended. Previously, the XDG_RUNTIME_DIR inside the sandbox was only correct for users of systemd-logind or elogind (Flatpak deliberately makes its path consistent with those), or users who do not have that variable set at all.

tests/test-run.sh: Assert that the XDG_RUNTIME_DIR bug is fixed.

Other files: new upstream stable release (NEWS, version number, Autotools noise).

[ Other info ]
I would like to keep tracking Flatpak stable releases in bullseye if possible. From its security history and position at a sandbox boundary, I expect to see CVEs during the lifetime of bullseye.

Thanks,
smcv