--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package flatpak.
[ Reason ]
Sync up bug fix for #984859 with upstream stable-branch release, to make
it more obvious that we have the fix, and easier to track 1.10.x during
bullseye's stable lifetime.
[ Impact ]
The main impact is that with the provisional solution to #984859 that
I included in 1.10.1-4, malicious apps that are attempting to exploit
#984859 will install but not work, whereas with the solution that got
merged upstream and that I'm asking to be unblocked, flatpak will refuse
to install them.
The new upstream release has some other targeted bug fixes: the most
important is making --filesystem, --nofilesystem accept non-ASCII filenames
more reliably.
[ Tests ]
Verified that non-malicious apps and runtimes can still install, update
and run in the proposed version, and that the proof-of-concept exploit
provided on the upstream issue does not install successfully.
autopkgtests also pass in autopkgtest-virt-qemu.
[ Risks ]
This is a new upstream release of a key package, but the changes are
narrowly-targeted. I'd say the highest-risk parts are the interop fixes
for openSUSE's weird Xauthority handling (in common/flatpak-run.c),
but it seems safer to keep those than to revert them.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
(note that because several changes have gone from debian/patches/
to being incorporated in upstream source, this is a diff between
the patched trees - I hope that's OK)
[ Other info ]
As of yesterday, I'm considered to be an upstream maintainer of this
package. I intend to follow the 1.10.x branch during bullseye's stable
lifetime if possible.
unblock flatpak/1.10.2-1
--- End Message ---