
Bug#993396: bullseye-pu: package flatpak/1.10.3-0+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Sync up with upstream to make future stable/security updates easier.
Fix a bug affecting users who set XDG_RUNTIME_DIR to an unusual value.

[ Impact ]
If not accepted, future stable/security updates will take longer to
prepare (backporting fixes to an old upstream release) or longer to
review (the first time we pull in a new upstream stable release, the diff
will look like this one).

Additionally, users with an unusual XDG_RUNTIME_DIR will find that Wayland,
Pipewire and similar protocols don't work in a Flatpak sandbox. Most users
of systemd-logind or elogind, or users who do not have an XDG_RUNTIME_DIR
at all, are unaffected by this. This was a regression in 1.8.5/1.10.0.

[ Tests ]
Flatpak has fairly thorough autopkgtests. They can't be run on
ci.debian.net due to conflicts between LXC and Flatpak containers,
but I run them under qemu-system-x86_64 before each upload. I've also
done some manual testing on bullseye GNOME desktop/laptop systems and
will continue to do so.

[ Risks ]
It's a high-visibility and security-sensitive package, but the code has
hardly changed since stable. All changes are backports from unstable
(either the development release 1.11.3, or post-release fixes in 1.11.3-2
which resulted from me testing 1.11.3 under autopkgtest).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
      - It's a filtered git diff rather than a debdiff, but I upload with
        dgit, so what's in git has to match what's uploaded. I did a diff
        between patched trees, because the majority of the upstream code
        changes were previously in debian/patches.
  [x] the issue is verified as fixed in unstable

[ Changes ]
common/flatpak-run.c: Make sure user's custom XDG_RUNTIME_DIR is overwritten
with the one Flatpak sets up, as intended. Previously, the XDG_RUNTIME_DIR
inside the sandbox was only correct for users of systemd-logind or
elogind (Flatpak deliberately makes its path consistent with those),
or users who do not have that variable set at all.

tests/test-run.sh: Assert that the XDG_RUNTIME_DIR bug is fixed.

Other files: new upstream stable release (NEWS, version number,
Autotools noise).

[ Other info ]
I would like to keep tracking Flatpak stable releases in bullseye if
possible. From its security history and position at a sandbox boundary,
I expect to see CVEs during the lifetime of bullseye.

Thanks,
    smcv

