Comment 11 for bug 1911473

Andrew Hayzen (ahayzen) wrote :

@Paulo, Thanks!

BTW smcv just pointed out two more potential patches that could be included in the focal 1.6 patch; these are only for users that use setuid on the bubblewrap binary though (users who disable user namespaces - like Debian). It would be up to us if we want to include them. See https://github.com/flatpak/flatpak/pull/4070#issuecomment-764664659. I can try and include these extra two commits if you think it is useful, but not sure how many users would do this or if it would be considered "supported"?

For bionic, note that the flatpak-1.2.x branch has the fixes applied (with extra setuid patches here: https://github.com/flatpak/flatpak/pull/4087 ); these may help for figuring out 1.0.x.

And what would the security team prefer to do for groovy? We could either sync 1.8.5 from hirsute or apply the patches to 1.8.2? (Although it looks like 1.10.0-2 is in hirsute-proposed, so might have to be quick :') unless we can sync an older version somehow.)

Please advise if you want me to attempt any other areas :-)