[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#993396: marked as done (bullseye-pu: package flatpak/1.10.3-0+deb11u1)

Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #993396,
regarding bullseye-pu: package flatpak/1.10.3-0+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993396: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993396
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Sync up with upstream to make future stable/security updates easier.
Fix a bug affecting users who set XDG_RUNTIME_DIR to an unusual value.

[ Impact ]
If not accepted, future stable/security updates will take longer to
prepare (backporting fixes to an old upstream release) or longer to
review (the first time we pull in a new upstream stable release, the diff
will look like this one).

Additionally, users with an unusual XDG_RUNTIME_DIR will find that Wayland,
Pipewire and similar protocols don't work in a Flatpak sandbox. Most users
of systemd-logind or elogind, or users who do not have an XDG_RUNTIME_DIR
at all, are unaffected by this. This was a regression in 1.8.5/1.10.0.

[ Tests ]
Flatpak has fairly thorough autopkgtests. They can't be run on
ci.debian.net due to conflicts between LXC and Flatpak containers,
but I run them under qemu-system-x86_64 before each upload. I've also
done some manual testing on bullseye GNOME desktop/laptop systems and
will continue to do so.

[ Risks ]
It's a high-visibility and security-sensitive package, but the code has
hardly changed since stable. All changes are backports from unstable
(either the development release 1.11.3, or post-release fixes in 1.11.3-2
which resulted from me testing 1.11.3 under autopkgtest).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
      - It's a filtered git diff rather than a debdiff, but I upload with
        dgit, so what's in git has to match what's uploaded. I did a diff
        between patched trees, because the majority of the upstream code
        changes were previously in debian/patches.
  [x] the issue is verified as fixed in unstable

[ Changes ]
common/flatpak-run.c: Make sure user's custom XDG_RUNTIME_DIR is overwritten
with the one Flatpak sets up, as intended. Previously, the XDG_RUNTIME_DIR
inside the sandbox was only correct for users of systemd-logind or
elogind (Flatpak deliberately makes its path consistent with those),
or users who do not have that variable set at all.

tests/test-run.sh: Assert that the XDG_RUNTIME_DIR bug is fixed.

Other files: new upstream stable release (NEWS, version number,
Autotools noise).

[ Other info ]
I would like to keep tracking Flatpak stable releases in bullseye if
possible. From its security history and position at a sandbox boundary,
I expect to see CVEs during the lifetime of bullseye.

Thanks,
    smcv

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam

--- End Message ---
Reply to: