Update flatpak and ostree to 0.8

Bug #1656712 reported by Jeremy Bicha on 2017-01-15
This bug affects 2 people
Affects            Status  Importance  Assigned to  Milestone
flatpak (Ubuntu)           Low         Unassigned
  Xenial                   Low         Unassigned
  Yakkety                  Low         Unassigned
ostree (Ubuntu)            Low         Unassigned
  Xenial                   Low         Unassigned
  Yakkety                  Low         Unassigned

Bug Description

Impact
======
Flatpak 0.8 is a new LTS release of the alternative package set.

https://blogs.gnome.org/alexl/2016/12/22/a-stable-base-for-flatpak-0-8/

This update includes these components for 16.04 LTS and 16.10:
- flatpak 0.8.2
- ostree 2016.15

This basically matches the set that is also available in Debian's upcoming new stable release. All of these source packages are new to 16.04 LTS.

Test Case
=========
1. Install an app with the old syntax (before upgrading flatpak and ostree)
sudo apt install flatpak
wget https://people.gnome.org/~alexl/keys/gnome-sdk.gpg
flatpak remote-add --user --gpg-import=gnome-sdk.gpg gnome http://sdk.gnome.org/repo/
flatpak --user install gnome org.gnome.Platform 3.22
flatpak --user remote-add --gpg-import=gnome-sdk.gpg gnome-apps http://sdk.gnome.org/repo-apps/
flatpak --user install gnome-apps org.gnome.iagno

Note that you may need to logout and log back in after installing your first Flatpak app before the app shows up in the Activities Overview.

After upgrading flatpak and ostree, check whether the Iagno app is still installed.

2. Install an app with the new syntax
flatpak remote-add --from gnome https://sdk.gnome.org/gnome.flatpakrepo
flatpak remote-add --from gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo
flatpak --user install gnome-apps org.gnome.Devhelp
flatpak run org.gnome.Devhelp (or click the launcher like any other app)

The test case for ostree is just making sure flatpak works.

Regression Potential
====================
There's no regression for Ubuntu 16.04 since these are new packages there that should have no effect on other packages.

For 16.10, this has an inherent regression. The command-line syntax changed in flatpak 0.6.13. However, since virtually all of the guides to using Flatpak including http://flatpak.org/apps use the new syntax that will not work with 16.10's older flatpak, it seems better for users to get used to the new syntax.

Other Info
==========
Just like snap was backported to 14.04 LTS to -updates, this is being backported to 16.04 LTS -updates. Both snap and Flatpak are useful for people who want to run new apps on an LTS operating system.

Flatpak is not easily backportable to 14.04 LTS.

bubblewrap is required for this SRU and is being tracked in LP: #1649330

A separate SRU may be filed later to update xdg-desktop-portal and xdg-desktop-portal-gtk. They are optional dependencies and I'm told that most Flatpak apps do not use them yet.


Jeremy Bicha (jbicha) on 2017-01-15
Changed in flatpak (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Low
Changed in flatpak (Ubuntu Yakkety):
status: New → Triaged
importance: Undecided → Low
Jeremy Bicha (jbicha) on 2017-01-16
description: updated
Changed in ostree (Ubuntu):
status: New → Fix Released
Changed in ostree (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Low
Jeremy Bicha (jbicha) on 2017-01-16
Changed in flatpak (Ubuntu Yakkety):
status: Triaged → In Progress
Changed in ostree (Ubuntu Yakkety):
status: New → In Progress
importance: Undecided → Low
Jeremy Bicha (jbicha) on 2017-01-16
description: updated
Changed in flatpak (Ubuntu Xenial):
status: Triaged → In Progress
Changed in ostree (Ubuntu Xenial):
status: Triaged → In Progress
summary: - Update flatpak and friends to 0.8
+ Update flatpak and ostree to 0.8
Changed in ostree (Ubuntu):
importance: Undecided → Low
Jeremy Bicha (jbicha) on 2017-01-20
description: updated
Jeremy Bicha (jbicha) on 2017-01-27
Changed in ostree (Ubuntu Xenial):
status: In Progress → Incomplete
Changed in ostree (Ubuntu Yakkety):
status: In Progress → Incomplete
Changed in flatpak (Ubuntu Xenial):
status: In Progress → Incomplete
Changed in flatpak (Ubuntu Yakkety):
status: In Progress → Incomplete
description: updated
Jeremy Bicha (jbicha) on 2017-02-10
description: updated
Changed in ostree (Ubuntu Xenial):
status: Incomplete → In Progress
Changed in ostree (Ubuntu Yakkety):
status: Incomplete → In Progress
Changed in flatpak (Ubuntu Yakkety):
status: Incomplete → In Progress
Changed in flatpak (Ubuntu Xenial):
status: Incomplete → In Progress
Jeremy Bicha (jbicha) on 2017-02-10
description: updated

Hello Jeremy, or anyone else affected,

Accepted flatpak into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/flatpak/0.8.2-1~ubuntu16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in flatpak (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ostree (Ubuntu Yakkety):
status: In Progress → Fix Committed
Chris Halse Rogers (raof) wrote :

Hello Jeremy, or anyone else affected,

Accepted ostree into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ostree/2016.15-2ubuntu1~ubuntu16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Jiří Janoušek (fenryxo) wrote :

Hello. Is there any plan to update also the accompanying xdg-desktop-portal & xdg-desktop-portal-gtk packages? Without these, some functionality of desktop apps might not work properly, e.g. proxy settings, file chooser dialogs and opening URIs.

Jeremy Bicha (jbicha) wrote :

Jiří, yes it sounds like a good idea. Are you interested in opening the bug for that? Do you have a test case to verify that the functionality works?

Jeremy Bicha (jbicha) wrote :

I tried installing Clocks with Flatpak but I got an error because apparently its gsettings schema wasn't installed, so I installed Iagno instead. I then upgraded Flatpak to 0.8.2-1ubuntu16.10.1 (and ostree 2016.15-2ubuntu1~ubuntu16.10.1) and verified that I could still run the Iagno flatpak and that the gnome and gnome-apps remote sources were still set up.

I then installed Devhelp with the new flatpak and ran it successfully.

The important part of verifying this SRU for Ubuntu 16.10 is that earlier installed Flatpaks still work and that it's possible to install new apps.

description: updated
tags: added: verification-done
removed: verification-needed
Robie Basak (racb) wrote :

ostree is showing autopkgtest regressions in Yakkety. Please could you take a look?

http://people.canonical.com/~ubuntu-archive/pending-sru.html

Jeremy Bicha (jbicha) wrote :

The flatpak autopkgtest is working now for yakkety. Thanks slangasek, who retried using the proposed flatpak.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ostree - 2016.15-2ubuntu1~ubuntu16.10.1

---------------
ostree (2016.15-2ubuntu1~ubuntu16.10.1) yakkety; urgency=medium

  * No-change backport to yakkety (LP: #1656712)

ostree (2016.15-2ubuntu1) zesty; urgency=medium

  * Build-depend on libgpgme11-dev instead of new libgpgme-dev which
    isn't built in Ubuntu yet

ostree (2016.15-2) unstable; urgency=medium

  * Make all test failures non-fatal at build time, so that intermittent
    test failures do not interfere with possible security updates during
    Debian stretch-as-stable.

ostree (2016.15-1) unstable; urgency=medium

  * New upstream release
    - d/patches: drop all patches, applied upstream

ostree (2016.14-2) unstable; urgency=medium

  * Make build-time test failures non-fatal, as long as at least
    3 out of 5 attempts succeed.

    There are several upstream bugs that cause intermittent test
    failures, and can intermittently be reproduced in real use.
    However, these are not regressions, so we should not FTBFS just
    because we happen to have been unlucky during build.

  * d/p/Terminate-individual-tests-after-10-minutes.patch:
    replace d/p/debian/Terminate-individual-tests-after-half-an-hour.patch
    with the version that I sent upstream, which uses SIGABRT and
    terminates the tests sooner
  * d/p/*.patch: import more memory leak fixes from upstream

ostree (2016.14-1) unstable; urgency=medium

  * Switch the build-dependency on libgpgme11-dev (which no longer exists
    as a real package) to libgpgme-dev
  * Drop the version from versioned build-dependencies where the required
    version was already present in oldstable
  * New upstream release
    - update symbols file for new ABI
  * Import various post-release fixes from upstream

ostree (2016.13-1) unstable; urgency=medium

  * New upstream release
    - d/p/dist/Retrieve-some-missing-test-files-from-upstream-git.patch:
      remove, 2016.13 was released with a fixed "make dist"
    - d/p/Filter-bootloader-supplied-kernel-cmdline-options.patch:
      remove, merged upstream
  * d/copyright: drop copyright and license stanzas for files that are
    in upstream git but not in tarballs

ostree (2016.12-2) unstable; urgency=medium

  * d/p/Filter-bootloader-supplied-kernel-cmdline-options.patch:
    - Filter out kernel command line parameters set by the bootloading when
      deriving the configuration from /proc/cmdline.
  * Add myself to uploaders

ostree (2016.12-1) unstable; urgency=medium

  * Force LC_ALL=C.UTF-8 during build, so that builds in non-English
    locales can pass their build-time tests
  * New upstream release
  * Build-depend on ca-certificates. glib-networking now generates
    warnings if those are missing, causing the build-time tests to fail.

ostree (2016.11-1) unstable; urgency=medium

  * New upstream release
  * Relicense debian/ from GPL-2+ to LGPL-2+, with permission from
    David King
  * Install GObject-Introspection typelibs to multiarch path,
    and mark gir1.2-ostree-1.0 as Multi-Arch: same
  * libostree-dev: stop depending on ostree. It isn't necessary to
    use the library, and would break multiarch installability
  * Move to debh...


Changed in ostree (Ubuntu Yakkety):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ostree has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package flatpak - 0.8.2-1~ubuntu16.10.1

---------------
flatpak (0.8.2-1~ubuntu16.10.1) yakkety; urgency=medium

  * Backport to Ubuntu 16.10 (LP: #1656712)
  * Drop all patches, applied in new version
  * Keep dh compat 9 (including explicit dh-autoreconf and dh-systemd) for
    easier backporting to Ubuntu 16.04 LTS
  * Also allow libgtk-3-bin to satisfy the gtk-update-icon-cache dependency

flatpak (0.8.2-1) unstable; urgency=medium

  * New upstream bugfix release
    - drop remaining patch, applied upstream
    - security fix: prevent writing to per-user-installed fonts
      and Flatpak extensions (typically locales)
  * d/control: flatpak-tests Recommends python, which is needed for
    one test (silencing a lintian warning)

flatpak (0.8.1-1) unstable; urgency=medium

  * New upstream release, very similar to 0.8.0-2
    - drop all patches
  * d/p/flatpak-system-helper-remove-dangling-reference-to-EXTERN.patch:
    do not search /export/share, which seems to have been unintended

flatpak (0.8.0-2) unstable; urgency=medium

  * d/p/Use-seccomp-to-filter-out-TIOCSTI-ioctl.patch:
    Add patch from upstream to prevent contained apps from using
    TIOCSTI ioctl. This would let the app inject commands into the
    terminal from which it was invoked (CVE-2017-5226). This was
    initially fixed in bubblewrap by calling setsid(), but that
    breaks the ability to use Ctrl+Z or Ctrl+C on a flatpak-confined
    process, so it is being made optional; prevent the attack here
    instead, in a way that doesn't break shells.
  * d/p/Fix-update-of-standalone-bundle.patch:
    Add patch from upstream to fix updating an existing app with
    "flatpak install --bundle foo.flatpak"
  * d/p/Make-sure-var-tmp-is-not-on-tmpfs.patch:
    Add patch from upstream to mount ~/.var/APP/cache/tmp at /var/tmp
    inside the sandbox, so apps can rely on /var/tmp being on disk
  * d/p/Document-the-DefaultBranch-key.patch,
    d/p/Document-RuntimeRepo-key.patch:
    Add patches from upstream to fill in some missing documentation
  * d/p/testlibrary-ensure-that-contents_array-is-NULL-terminated.patch,
    d/p/tests-Install-testpython.py-executable.patch,
    d/p/tests-Move-the-test-repo-to-a-subdirectory-repos-test.patch:
    Fix some bugs in the tests
  * debian/tests/: split out builder-python into a separate autopkgtest,
    it too has more dependencies

flatpak (0.8.0-1) unstable; urgency=medium

  * New upstream stable release
    - Bump bubblewrap dependencies to 0.1.5 following configure.ac
    - Bump ostree dependency to 2016.15 following upstream release notes
      (the minimal dependency is 2016.14, but 2016.15 is recommended)
    - debian/libflatpak0.symbols: add new ABIs
    - d/p/pull-Exit-early-on-error-without-aborting-transaction.patch:
      drop patch, applied upstream
  * debian/gbp.conf: switch upstream branch to debian/0.8.x to follow
    the first upstream stable-branch
  * debian/watch: only follow stable-branches
  * debian/org.freedesktop.Flatpak.pkla: configure polkit 0.105 to
    allow sudoers to uninstall apps and runtimes without re-authenticating,
    following upstream changes to the org.freedesktop.Flatpak...


Changed in flatpak (Ubuntu Yakkety):
status: Fix Committed → Fix Released
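
The flatpak 0.8.0-2 changelog entry above describes blocking the TIOCSTI ioctl with seccomp instead of relying on setsid(). The following is an added example of such a filter, not flatpak's actual patch and not code from this bug report; the names deny_tiocsti, FILTER_LEN and verdict are hypothetical, and it assumes Linux on a little-endian 64-bit ABI.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Fail ioctl(fd, TIOCSTI, ...) with EPERM, allow everything else. Assumes a
 * little-endian ABI (x86-64, aarch64); a deployed filter would also check
 * seccomp_data.arch before trusting the syscall number. */
static const struct sock_filter deny_tiocsti[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 3),
    /* The kernel takes the request as 32 bits, so compare only the low half. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof deny_tiocsti / sizeof deny_tiocsti[0])

/* Evaluate the filter on a constructed syscall record (three opcodes only). */
uint32_t verdict(int nr, uint64_t request)
{
    struct seccomp_data d = { .nr = nr, .args = { 0, request } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *f = &deny_tiocsti[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + f->k, sizeof acc);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf;
        else
            return f->k;                 /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL;             /* fell off the end: fail closed */
}

int main(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = (struct sock_filter *)deny_tiocsti };
    printf("TIOCSTI %#x, TIOCGWINSZ %#x\n", verdict(SYS_ioctl, TIOCSTI), verdict(SYS_ioctl, TIOCGWINSZ));
    /* Install for real: this process and its children now get EPERM. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return 1;
    return 0;
}
```

Because the filter returns an errno rather than detaching the process from its controlling terminal, job control with Ctrl+Z and Ctrl+C keeps working, which is the trade-off the changelog entry describes.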