Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: flat...@packages.debian.org
Control: affects -1 + src:flatpak
After the dust has settled from CVE-2024-32462, I would like to do a
stable-update of Flatpak using the upstream 1.14.x branch.
At the moment bookworm-security has 1.14.4 plus the patches for
CVE-2024-32462. The current upstream release is 1.14.6 (also available in
unstable and in testing-proposed-updates), which moves the security fix
from patches into the upstream source and fixes various less serious bugs.
We are also hoping to do a 1.14.7 upstream release soon, perhaps this
week. Would the stable release team prefer this to be proposed as one
big update from 1.14.4 to 1.14.7, or two smaller updates
1.14.4 → 1.14.6 → 1.14.7, or do you not mind either way?
[ Impact ]
If not accepted, several known bugs remain present in stable.
The highest-visibility one is that the developer name of an app appears
in the CLI where the app name should be, for example "The Chromium Authors"
instead of the correct "Chromium Web Browser".
Also, if we keep up with upstream stable releases, then next time there
is a CVE, we can take upstream's stable release directly instead of
having to backport individual patches.
[ Tests ]
There is a fairly comprehensive test suite. It cannot be run under schroot
or lxc due to limitations of nested containers, but I run it in
autopkgtest-virt-qemu before each upload, and ci.debian.net has now been
configured to run flatpak's tests under autopkgtest-virt-qemu as well.
I will test a final version manually on a bookworm system before upload.
[ Risks ]
Somewhat low risk: all changes are targeted bug fixes. I would say that
the highest-risk ones are the alterations to how AppStream metadata is parsed
and displayed, but several distributions are already using those changes
via the 1.15.x branch and we have not had regression reports.
[ Checklist ]
The changes in 1.14.7 will not be finalized until the release actually
happens, but I have reviewed and attached a proposed diff.
[½] *all* changes are documented in the d/changelog
[½] I reviewed all changes and I approve them
[½] attach debdiff against the package in (old)stable
[½] the issue is verified as fixed in unstable
[ Changes in 1.14.5 and 1.14.6 ]
See attached flatpak-1.14.6-bookworm.diff.gz
* Makefile.am,
configure.ac,
data/Makefile.am.inc,
data/tmpfiles.d/flatpak.conf,
debian/flatpak.install,
sideload-repos-systemd/Makefile.am.inc:
- Delete obsolete /var/tmp/flatpak-cache-* (if any) during boot
* app/flatpak-builtins-build.c,
common/flatpak-dir.c,
common/flatpak-run.c,
tests/test-run.sh:
- Fix CVE-2024-32462 (previously done via a patch)
* app/flatpak-builtins-remote-info.c:
- Fix display of app info in `flatpak remote-info`
- Fix some uses of deprecated libappstream API
- Forward-compatibility with libappstream 0.17.x and 1.0
* app/flatpak-builtins-remote-ls.c,
app/flatpak-builtins-search.c,
app/flatpak-builtins-utils.c,
app/flatpak-builtins-utils.h,
config.h.in,
configure.ac:
- Fix some uses of deprecated libappstream API
- Forward-compatibility with libappstream 0.17.x and 1.0
* app/flatpak-builtins-run.c,
common/flatpak-dir.c,
tests/testlibrary.c:
- Silence some compiler warning false-positives
* common/flatpak-appdata.c,
tests/make-test-app.sh,
tests/test-info.sh:
- Don't parse the app developer name as though it was the app name
* common/flatpak-run.c,
doc/flatpak-run.xml:
- Don't let the sandboxed app inherit a wrong value for $VK_DRIVER_FILES,
$VK_ICD_FILENAMES
* common/flatpak-utils-http.c:
- Cancel downloads if they become very slow
* common/flatpak-utils.c,
tests/test-exports.c,
tests/test-instance.c:
- Forward-compatibility with newer GLib releases
* NEWS,
common/flatpak-version-macros.h,
configure.ac,
tests/package_version.txt:
- The usual release management noise
* debian/test.sh:
- Unset proxy environment variables to make sure a test http server on
localhost is reachable
* doc/flatpak-metadata.xml:
- Provide anchors for internal linking
- Clarify documentation on which D-Bus names are allowed by default
* doc/reference/html/*.html:
- Regenerated with Debian 12 toolchain
(these are also re-regenerated during build)
(Filtered from debdiff)
* po/*.po,
po/flatpak.pot:
- Regenerated during upstream release procedure (different line numbering)
(Filtered from debdiff)
* portal/flatpak-portal.c:
- Save the original environment before setting GIO_USE_VFS, and restore it
before starting sandboxed programs, so that GVfs can work
* revokefs/main.c:
- Forward-compatibility with libostree 2023.4
* session-helper/flatpak-session-helper.c:
- Same as portal/, but for programs run on the host system by trusted
Flatpak apps
* tests/make-test-runtime.sh:
- Fail tests earlier, with a better error message, if a