Bug#1113902: trixie-pu: package xssproxy/1.0.0-1+deb13u1

[Nicolas Schodet <nico@ni.fr.eu.org>]

Dear release team,

here is an updated bug for package xssproxy:

Please approve the upload of xssproxy 1.0.0-1+deb13u1 to Debian trixie
in order to fix those bugs:

https://bugs.debian.org/1092965 - xssproxy: Listening on /ScreenSaver
instead of /org/freedesktop/ScreenSaver

https://bugs.debian.org/1115458 - xssproxy: When used with
xdg-desktop-portal-gtk, screen saver is not enabled back after video
playback

[ Reason ]
xssproxy implements the org.freedesktop.ScreenSaver D-Bus interface so
that screen saver can be inhibited when, for example, playing a video
in a browser. The version in stable binds to /ScreenSaver while
Chrome and xdg-desktop-portal-gtk for example send the request to
/org/freedesktop/ScreenSaver. Without the fix, the request to inhibit
screen saving is ignored.

Also, xdg-desktop-portal-gtk handles the value zero that xssproxy use
for the response cookie specially, preventing screen saver to be enabled
back.

xssproxy package has been salvaged, but too late to make it into trixie
without disturbing the release process.

[ Impact ]
Users of full featured desktops (GNOME/KDE/…) do not need this package
as the desktop system implements the interface. This is only used for
lightweight environments under X11.

Since some time around January, screen saver inhibition mechanism
changed in Firefox (or xdg-desktop-portal?), making it depend on the
interface implemented in xssproxy. This is correlated with the xssproxy
significant popularity increase, from less than 100 to 1400 reported
installations:
https://qa.debian.org/popcon.php?package=xssproxy

Without the fix, the package does not work as intended.

[ Tests ]
Without the first fix, when playing a video in Firefox, this can be seen
in journal, with xssproxy running:

	xdg-desktop-por[1787]: Backend call failed:
	GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method
	"Inhibit" with signature "ss" on interface
	"org.freedesktop.ScreenSaver" doesn't exist

After some time without user input, screen saver triggers and interrupts
the video playback.

With the first fix, when playing a video, no error is reported and
screen saver does not interrupt the video playback.

Without the second fix, once screen saver has been disabled,
xdg-desktop-portal-gtk do not send the uninhibit call, and screen saver
stay disabled for ever.

[ Risks ]
Should be low because:

First fix:

- This is a direct import of upstream change.
- Change is present upstream since Nov 2023.
- The fix binds to /org/freedesktop/ScreenSaver in addition to
  /ScreenSaver, so a program using the old name would still work.
- The new path is the conventional path documented in D-Bus
  specification[1].

Second fix:

- Fix accepted upstream.
- Change is small, the cookie value is only incremented by one.

I tested both fixes this month on my computer with various programs
running.

[1]: https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names-bus

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Previous code binds to /ScreenSaver, new code binds to both /ScreenSaver
and the right /org/freedesktop/ScreenSaver path.

New code adds one to the returned cookie, so that the value 0 is never
sent.

[ Other info ]
The xssproxy has been salvaged and is now maintained by the Debian
Salvaging Team. I am a DM, with upload rights to xssproxy.
of the team.

Kind regards,

Nicolas.


*** xssproxy_1.0.0-1+deb13u1.diff
diff -Nru xssproxy-1.0.0/debian/changelog xssproxy-1.0.0/debian/changelog
--- xssproxy-1.0.0/debian/changelog	2017-08-22 16:57:23.000000000 +0200
+++ xssproxy-1.0.0/debian/changelog	2025-09-27 23:35:22.000000000 +0200
@@ -1,3 +1,12 @@
+xssproxy (1.0.0-1+deb13u1) trixie; urgency=medium
+
+  * Add listen-path.patch, listening on object path
+    /org/freedesktop/ScreenSaver too (Closes: #1092965)
+  * Add cookie-not-zero.patch, avoiding problem with xdg-desktop-portal-gtk
+    (Closes: #1115458)
+
+ -- Nicolas Schodet <nico@ni.fr.eu.org>  Sat, 27 Sep 2025 23:35:22 +0200
+
 xssproxy (1.0.0-1) unstable; urgency=medium
 
   * Initial release (Closes: #872805)
diff -Nru xssproxy-1.0.0/debian/patches/cookie-not-zero.patch xssproxy-1.0.0/debian/patches/cookie-not-zero.patch
--- xssproxy-1.0.0/debian/patches/cookie-not-zero.patch	1970-01-01 01:00:00.000000000 +0100
+++ xssproxy-1.0.0/debian/patches/cookie-not-zero.patch	2025-09-27 23:35:12.000000000 +0200
@@ -0,0 +1,38 @@
+From: Nicolas Schodet <nico@ni.fr.eu.org>
+Last-Update: 2025-09-27
+Subject: Do not use cookie with a zero value
+
+Bug: https://github.com/vincentbernat/xssproxy/pull/10
+Bug-Debian: https://bugs.debian.org/1115458
+Applied-Upstream: 1.1.2
+
+This causes problems at least for xdg-desktop-portal-gtk, see
+https://github.com/flatpak/xdg-desktop-portal-gtk/issues/528.
+
+Avoid the problem by not using zero value.
+---
+ xssproxy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/xssproxy.c b/xssproxy.c
+index 62966ed..cceb068 100644
+--- a/xssproxy.c
++++ b/xssproxy.c
+@@ -145,13 +145,14 @@ uint32_t inhibit_request(const char *app)
+     int i;
+     for (i=0; i<cookies->len; i++)
+     {
+-        if (i != g_array_index(cookies, uint32_t, i))
++        if (i + 1 != g_array_index(cookies, uint32_t, i))
+         {
+             break;
+         }
+     }
+-    g_array_insert_val(cookies, i, i);
+-    return i;
++    uint32_t cookie = i + 1;
++    g_array_insert_val(cookies, i, cookie);
++    return cookie;
+ }
+ 
+ void handle_inhibit(DBusConnection *conn, DBusMessage *msg)
diff -Nru xssproxy-1.0.0/debian/patches/listen-path.patch xssproxy-1.0.0/debian/patches/listen-path.patch
--- xssproxy-1.0.0/debian/patches/listen-path.patch	1970-01-01 01:00:00.000000000 +0100
+++ xssproxy-1.0.0/debian/patches/listen-path.patch	2025-09-27 23:34:41.000000000 +0200
@@ -0,0 +1,38 @@
+Description: Listen on object path `/org/freedesktop/ScreenSaver` too
+Origin: upstream, https://github.com/vincentbernat/xssproxy/commit/8990c56b706f0faf1ec8ca974a8ba64f37c2b1b3
+Bug: https://github.com/vincentbernat/xssproxy/issues/9
+Bug-Debian: https://bugs.debian.org/1092965
+Last-Update: 2023-11-11
+Applied-Upstream: 1.1.1
+
+The freedesktop.org spec doesn't mention which object path the methods
+are supposed to be called on. xssproxy currently listens on
+`/ScreenSaver`, but Chromium wants the ["conventional"][1]
+`/org/freedesktop/ScreenSaver` path instead.
+
+There's no reason we can't listen on both, so let's do that.
+
+[1]: https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names-bus
+---
+ xssproxy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xssproxy.c b/xssproxy.c
+index 8bef8d0..2541c5d 100644
+--- a/xssproxy.c
++++ b/xssproxy.c
+@@ -280,6 +280,11 @@ DBusConnection *dbus_conn_init()
+         &vtable, NULL, &err);
+     check_and_exit(&err);
+ 
++    dbus_connection_try_register_object_path(conn,
++        "/org/freedesktop/ScreenSaver",
++        &vtable, NULL, &err);
++    check_and_exit(&err);
++
+     return conn;
+ }
+ 
+-- 
+2.47.2
+
diff -Nru xssproxy-1.0.0/debian/patches/series xssproxy-1.0.0/debian/patches/series
--- xssproxy-1.0.0/debian/patches/series	2017-08-22 16:57:23.000000000 +0200
+++ xssproxy-1.0.0/debian/patches/series	2025-09-27 23:35:12.000000000 +0200
@@ -1 +1,3 @@
 install.patch
+listen-path.patch
+cookie-not-zero.patch