Changes in 1.15.8 ~~~~~~~~~~~~~~~~~ Security fixes: * Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462) Other bug fixes: * Pass the -export-dynamic linker option as -Wl,-export-dynamic, fixing build failures with clang 18 and lld 18 (#5760) * Fix a double-free when installation is cancelled (#5763) * Fix installed-tests failure with "FUSERMOUNT: unbound variable" (#5751) * Translation updates: pt_BR (#5762), tr (#5761) Changes in 1.15.7 ~~~~~~~~~~~~~~~~~ Released: 2024-03-27 Dependencies: * The Meson build system is now required. Compiling with Autotools is no longer possible. * In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.9.0 is recommended. Several of the bug fixes listed below will not be active if an older version is used. * In distributions that compile Flatpak to use a separate xdg-dbus-proxy executable, version 0.1.5 is recommended. * If libmalcontent (parental controls) is enabled, it must be version 0.5.0 or later. New features: * Automatically remove obsolete driver versions and other autopruned refs (#5632) * `--socket=inherit-wayland-socket` (#5614) * Automatically reload D-Bus session bus configuration after installing or upgrading apps, to pick up any exported D-Bus services (#3342) Bug fixes: * Update included copy of bubblewrap to version 0.9.0: * `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#2387, #3477, #5255) * Report a better error message if `mount(2)` fails with `ENOSPC` * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument * Improve memory allocation behaviour * Silence various compiler warnings * Update included copy of bubblewrap to version 0.1.5: * Fix handling of long object paths * Don't parse `` as the application name (#5700) * Don't refuse to start apps when there is no D-Bus system bus available (#5076) * Don't try to repeat migration of apps whose data was migrated to a new name and then deleted (#5668) * Improve handling of mixed locales on systems with systemd-localed (#5497) * Improve display of ellipsized columns in wide terminals (#5722) * Make `flatpak info -e` look for extensions in all installations (#5670) * Fix warnings from newer GLib versions (#5660, #5737) * Always set the `container` environment variable (#5610) * Always let the app inherit redirected file descriptors (#5626) * In `flatpak ps`, add xdg-desktop-portal-gnome to the list of backends we'll use to learn which apps are running in the background (#5729) * Don't use `WAYLAND_SOCKET` unless given `--socket=inherit-wayland-socket` (#5614) * Use `fusermount3` if compiled with FUSE 3, overridable with `-Dsystem_fusermount` compile-time option (#5104) * Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment (#5574) * Improve async-signal safety (#5687) * Fix various memory leaks (#5683, #5690, #5691) * Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table (#5738) * Detect the correct gtk-doc when cross-compiling (#5650) * Detect the correct wayland-scanner when cross-compiling (#5596) * Documentation improvements (#5659, #5677, #5682, #5664, #5719) * Skip more tests when FUSE isn't available (#5611) * Translation updates (#5602, #5707) Changes in 1.15.6 ~~~~~~~~~~~~~~~~~ Released: 2023-11-14 Dependencies: * In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.8.0 is now required. * Enabling the optional Wayland security context feature requires libwayland-client, wayland-scanner >= 1.15 and wayland-protocols >= 1.32. * Ubuntu 18.04 is no longer routinely tested. Support for dependency versions included in Ubuntu 18.04 should be considered "at risk". Features: * Add --device=input, for access to evdev devices in /dev/input (#5481) * Update bundled copy of bubblewrap to version 0.8.0, and rely on its features: * Improve error message if seccomp is disabled in kernel config * Security hardening: set user namespace limit to 0, to prevent creation of nested user namespaces in a more robust way (#5084) * For subsandboxes started by flatpak-portal, inherit environment variables from the `flatpak run` that started the original instance rather than from flatpak-portal, fixing behaviour of FLATPAK_GL_DRIVERS and similar features (#5278) * Stop http transfers if a download in progress becomes very slow (#5519) * Make it easier to configure extra languages, by picking them up from AccountsService if configured there (#5006) * Add new flatpak_transaction_add_rebase_and_uninstall() API, allowing end-of-life apps to be replaced by their intended replacement more reliably (#3991) * Create a private Wayland socket with the "security context" extension if available, allowing the compositor to identify connections from sandboxed apps as belonging to the sandbox (#4920, #5507, #5558) * Update libglnx to 2023-08-29 * Use features of newer GLib versions if available * Turn off system-level crash reporting infrastructure during some unit tests that involve intentional assertion failures * Add anchors to link to sections of flatpak-metadata documentation (#5582) * New translations: ka, nl. Bug fixes: * Avoid warnings processing symbolic links with GLib >= 2.77.0, and with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings) * Bypass page cache for backend requests in revokefs, fixing installation errors with libostree 2023.4 (#5452) * Show AppStream metadata in `flatpak remote-info` as intended (#5523; regression in 1.9.1) * Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES from the host system, which would be wrong for the sandbox (#5553) * Fix build failure with prereleases of libappstream 0.17.x (#5472) * Forward-compatibility with libappstream 1.0 (#5563) * Fix installation with Meson if configured with -Dauto_sideloading=true (#5495) * Fix a memory leak (#5329) * Fix compiler warnings (#5362, #5366) * Make the tests fail more comprehensibly if a required tool is missing (#5020) * Clean up `/var/tmp/flatpak-cache-*` directories on boot (#1119) * Don't force `GIO_USE_VFS=local` for programs launched via flatpak-spawn (#5567) * Clarify documentation for D-Bus name ownership (#5582) * Translation updates: id, tr, zh_CN (#5332, #5565) Internal changes: * Split up large source files into smaller modules, reducing internal circular dependencies (#5410, #5411, #5415, #5419, #5416, #5414) * Re-synchronize code backported from GLib with the version in GLib (#5410) * Make the flags used to apply "extra data" clearer (#5466) * Use glnx_opendirat() where possible (#5527) * CI improvements (#5374, #5381) Changes in 1.15.4 ~~~~~~~~~~~~~~~~~ Released: 2023-03-16 Security fixes: * Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101). * If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole. Other bug fixes: * Document the path used for `flatpak override` * Translation updates: oc, pl, ru, sv, tr Changes in 1.15.3 ~~~~~~~~~~~~~~~~~ Released: 2023-02-21 Build system: * Building this version of Flatpak with Meson is recommended. The source release flatpak-1.15.3.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running `./autogen.sh`. Future versions are likely to remove the Autotools build system. Bug fixes: * When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172) * Fix a crash when --socket=gpg-agent is used (#5095) * Fix a crash when listing apps if one of them is broken or misconfigured (#5293) * If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293) * Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (#5303) * Fix a deprecation warning when compiled with curl >= 7.85 (#5284) * Translation updates: es, ru (#5266, #5312, #5313) Internal changes: * Better diagnostic messages for why runtimes are or are not considered unused (#5237) Changes in 1.15.2 ~~~~~~~~~~~~~~~~~ Released: 2023-02-06 Bug fixes: * Never try to export a parent of reserved directories as a --filesystem, for example /run, which would prevent the app from starting (#5205, #5207) * Never try to export a --filesystem below /run/flatpak or /run/host, which could similarly prevent the app from starting * The above change also fixes apps not starting if a --filesystem is a symlink to the root directory (#1357) * Show a warning when the --filesystem exists but cannot be shared with the sandbox (#1357, #5035, #5205, #5207) * Display the intended messages for `flatpak repair` (#5204) * Exporting an app to an existing repository on a CIFS filesystem now works as intended (#5257) * Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib apps when set to a path on the host (#5206) * Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps under Wayland when this variable is set to a path not available in the sandbox (#5194) * When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the profile script is sourced more than once (#5198) * Update included copy of bubblewrap to 0.7.0 for better error messages * Install SELinux files correctly when building with Meson * Translation updates: ru, tr (#5256, #5262) Internal changes: * Update included copy of libglnx * flatpak -v now uses the INFO log level, and flatpak -vv uses the DEBUG log level in the flatpak log domain. Previously, the extra messages that were logged by flatpak -vv were in a separate "flatpak2" log domain. G_MESSAGES_DEBUG=flatpak previously had an effect similar to flatpak -v, and is now more similar to flatpak -vv. (#5001) Changes in 1.15.1 ~~~~~~~~~~~~~~~~~ Released: 2022-11-17 Dependencies: * When building with Meson, gpgme 1.8.0 is now required. Older versions can still be used by building with Autotools. Features: * If an old temporary deploy directory was leaked by versions before #5146, clean it up the next time the same app is updated (#5164) Bug fixes: * If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146) * Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173) * Fix a possible parallel build failure with Meson (#5165) * Fix a compiler warning on 32-bit architectures (#5148) * When building with Autotools, be more consistent about applying compiler warning flags (#5149) * Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168) * Treat /efi the same as /boot/efi (#5155) Changes in 1.15.0 ~~~~~~~~~~~~~~~~~ Released: 2022-10-24 Build system: * Flatpak can now be compiled using Meson instead of Autotools. This requires Meson 0.53.0 or later, and Python 3.5 or later. The Autotools build system is likely to be removed during either the 1.15.x or 1.17.x cycle. (#4845) New features: * Allow the `modify_ldt` system call as part of `--allow=multiarch`. This increases attack surface, but is required when running 16-bit executables in some versions of Wine. (#4297) * Share gssproxy socket, which acts like a portal for Kerberos authentication. This lets apps use Kerberos authentication without needing a sandbox hole. (#4914) * Add a httpbackend variable to flatpak.pc, allowing dependent projects like GNOME Software to detect whether they are compatible with libflatpak (#5054) Bug fixes: * Terminate the flatpak-session-helper and flatpak-portal services when the session ends, so that applications will not inherit outdated Wayland and X11 socket addresses (#5068) * When using `fish` shell, don't overwrite a previously-set XDG_DATA_DIRS (#5123) * Don't try to enable HTTP 2 if linked to a libcurl version that doesn't support it (#5074) * Stop systemd reporting the session-helper as failed when terminated by a signal (#5129) * Fix a warning when listing a document with no permissions (#5055) * Fix compilation with GLib 2.66.x (as used in Debian 11) (#5062) * Fix compilation with GLib 2.58.x (as used in Debian 10) (#5066) * Make generated files more reproducible (#5085) * Translation updates: cs, id, pl, pt_BR (#5052, #5056, #5059, #5126) Internal changes: * Update project logo in README (#5119) * Update libglnx subproject (#5140) Changes in 1.14.0 ~~~~~~~~~~~~~~~~~ Released: 2022-08-22 Known issues: * There may be an issue where non-primary architecture builds don't show up (https://github.com/flatpak/flatpak/issues/5045) * There is a new security advisory on Flatpak but all supported versions are not affected due to using new enough versions of libostree (https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x) Dependencies: * Conditional on a build time option, revokefs will now use version 3 of the FUSE API rather than version 2 (#4326) * Libappstream should be updated to at least 0.15.3 to avoid critical warning messages when using the "flatpak search" command (https://github.com/ximion/appstream/issues/384) New features: * A new key "DeploySideloadCollectionID" is now supported in flatpakref and flatpakrepo files, to allow setting a collection ID at the time a remote is added from one of those files, rather than when metadata is pulled from the remote, and without affecting versions of Flatpak with the older pre-sideload P2P implementation (#4826) * Allow sub-sandboxes to own MPRIS names on the session bus (#5023) * Commands that accept "--user" will now also take "-u" as an alias for that (#5014) * The CLI now properly informs the user of which apps are (indirectly) using end-of-life runtime extensions in end-of-life info messages (#4835) * The CLI now takes into account operations in the pending transaction when printing end-of-life messages (#4835) * The uninstall command now asks for confirmation before removing in-use runtimes or runtime extensions (#4835) * A "--socket=gpg-agent" option is now recognized by "flatpak run" and related commands (#4958) Bug fixes: * Fix a memory corruption issue caused by use of libcurl in an unsafe way (#5046) * Update selinux policy to cover symbolic links in /var/lib/flatpak (#4992) * Fix a crash in case a .desktop file processed by the build-export command has no Exec= key, and some related fixes for handling such .desktop files (#4817) * Preserve the X11 display number rather than redirecting it to :99 (#5034) Other changes: * Various improvements to the unit tests, CI infra, and documentation * Some changes were made to ensure translators can work on full sentences rather than fragments in several places * Translation updates: de, ru, sv, tr, uk, zh_CN Changes in 1.13.3 ~~~~~~~~~~~~~~~~~ Released: 2022-06-16 Dependencies: * Support curl 7.29 or later as an additional, and the default, HTTP backend alongwith libsoup 2.x (#4943) * Clarify that glib 2.46 or later is now required (#4944) New features: * Implement support for rewriting dynamic launchers when an app is renamed (#4703) * Add --include-sdk/debug options to install command to install SDK/debuginfo along with a ref (#4777) * Improve --sideload-repo option to take create-usb dirs (#4843) * Add a new library API flatpak_transaction_get_operation_for_ref() (#4947) Bug fixes: * Update the SELinux module to explicitly permit the system helper have read access to /etc/passwd and systemd-userdbd, read and lock access to /var/lib/flatpak, and watch files inside $libexecdir (#4852, #4855, #4892) * Fix the error messages and the exit code of the 'uninstall' command when non-existent refs are specified (#4857) * Be more careful with errors when creating directories and deleting files, and address some memory errors (#4930) * Fix support for --noninteractive in the 'uninstall' command (#4947) Other changes: * Cosmetic improvements to end-of-life messages and other aspects of the CLI output (#4947) * Speed up the tests by not installing the polkit agent (#4942) * Disable fuzzy ref matching when ID has a period or a slash, or when the standard input or output is not a TTY (#4829, #4848) * Update the icon-validator to print the format and size for consumption by the dynamic launcher portal (#4803, #4808) * Remove a pointless test (#4856) * Improve various details of the GitHub workflows (#4870) * Prepare for the addition of a Meson build (#4842, #4871, #4888, #4889, #4890) * Only add the specified 'summary-arches' to the compat summary. This is important since we're nearing the 10MB size limit for Flathub's legacy summary files. (#4880) * Translation updates: id, pt, sv, tr, uk Changes in 1.13.2 ~~~~~~~~~~~~~~~~~ Released: 2022-03-14 Bug fixes: * Consistently pass relative subpaths to libostree, working around a bug in libostree < 2021.6 when used with GLib >= 2.71 (#4805) * Document have-kernel-module-* as having been added in 1.13.1 * Fix some memory leaks in GVariant data processing Changes in 1.13.1 ~~~~~~~~~~~~~~~~~ Released: 2022-03-01 Dependencies: * libappstream 0.12.0 or later is now required * appstream-glib is no longer required * In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.5.0 is now required New features: * Create a directory for XDG_STATE_HOME and set the environment variable (#4477) - Apps requiring a state directory without a dependency on this updated Flatpak version can get similar functionality by using: --persist=.local/state --unset-env=XDG_STATE_HOME which will use the same storage location * Set HOST_XDG_STATE_HOME environment variable (#4477) * Add have-kernel-module-foo family of conditionals for extensions, a generalization of have-intel-gpu (which is now mostly equivalent to have-kernel-module-i915) (#4647) * Add `flatpak document-unexport --doc-id=...` (#1897) * Export Appstream metadata for host system to use (#4350, #4599) * Add command-line completion for the Fish shell (#3109) * Add FlatpakTransaction:no-interaction API (#4699) * We now allow networked access to X11 and PulseAudio services if that is configured, and the application has network access. (#397, #3908, #4702) * `flatpak build-init` automatically sets the build directory to be ignored by git (#4741) Other changes: * Updated bundled xdg-dbus-proxy to 0.1.3 (#4737) * Updated bundled bubblewrap to 0.6.1 (#4779) * The default branch in the Github repository is now named 'main' * Don't offer options in CLI tab completion unless the user typed a '-' (#4753) * Disable fancy output (e.g. progress bars that get redrawn) when G_MESSAGES_DEBUG is set in the environment (#4767) * Most commands now work if /var/lib/flatpak exists but /var/lib/flatpak/repo does not, and will automatically populate the repo directory if possible (#4111) * Disable session bus access for `flatpak-spawn --sandbox` as intended (#4630) * Make `sudo flatpak --user ...` fail with an error message, since acting on root's per-user installation is unlikely to be what was intended (#4638) * Don't mention "negative" permissions like !host in /.flatpak-info (#4691) * Improve performance when finding related refs * Use SHA256 instead of SHA1 to avoid false-positives from static analysis (in fact the use of SHA1 was not security-sensitive here) (#4716) * Create sandbox's XDG_RUNTIME_DIR with 0700 permissions (#3397) * Always create /.flatpak-info with 0600 permissions * Absolute paths in WAYLAND_DISPLAY now work (#4752) * Improve reliability of detecting the current GTK theme (#4754) * Fix some error code paths when deploying malformed apps * Improve some error messages * Use URN for fontconfig DTD, consistent with fontconfig itself (#4617) * Use `type -P` or `command -v` in preference to which(1) (#4696) * Improve measurement of test coverage (#4681) * Translation updates: de, fr, hi, hr, id, oc, pl, pt_BR, sv, uk, zh_CN Changes in 1.12.6 ~~~~~~~~~~~~~~~~~ Released: 2022-02-21 * Fix a bug that sometimes caused repo corruption in case downloads are interrupted or canceled, necessitating a "flatpak repair" to recover (#3479, #4258) * More reliably detect the GTK theme (#4754) * Fix history command unit test in some edge cases (#4764) * Improve NEWS for 1.12.5 * Translation update: pt_BR Changes in 1.12.5 ~~~~~~~~~~~~~~~~~ Released: 2022-02-11 * Fixed a case where temporary data was sometimes left in /var/lib/flatpak/appstream, and we now detect such leftover data and remove it. (#4735) * Fix regressions in `flatpak history` since 1.9.1 (#4121, #4332) - Don't display the appstream branch used internally - Don't display temporary repositories used internally - Warn instead of failing if other non-app, non-runtime refs are found - Don't set up an unnecessary polkit agent for `flatpak history` - Add test coverage * Don't propagate GStreamer-related environment variables into sandbox (#4728) * Fix a typo in an error message * Fix incorrect year in NEWS for 1.12.4 release * Translation update: pl Changes in 1.12.4 ~~~~~~~~~~~~~~~~~ Released: 2022-01-18 This is a regression fix update, reverting non-backwards-compatible behaviour changes in the solution previously chosen for CVE-2022-21682. Flatpak 1.12.3 and 1.10.6 changed the behaviour of `--nofilesystem=host` and `--nofilesystem=home` in a way that was not backwards-compatible in all cases. For example, some Flatpak users previously used a global `flatpak override --nofilesystem=home` or `flatpak override --nofilesystem=host`, but expected that individual apps would still be able to have finer-grained filesystem access granted by the app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With the changes in 1.12.3, this no longer had the intended result, because `--nofilesystem=home` was special-cased to disallow inheriting the finer-grained `--filesystem`. Flatpak 1.12.4 and 1.10.7 return to the previous behaviour of `--nofilesystem=host` and `--nofilesystem=home`. Instead, CVE-2022-21682 will be resolved by a new 1.2.2 release of flatpak-builder, which will use a new option `--nofilesystem=host:reset` introduced in Flatpak 1.12.4 and 1.10.7. In addition to behaving like `--nofilesystem=host`, the new option prevents filesystem permissions from being inherited from the app manifest. Other changes: * Clarify documentation of `--nofilesystem` * Improve unit test coverage around `--filesystem` and `--nofilesystem` * Restore compatibility with older appstream-glib versions, fixing a regression in 1.12.3 Changes in 1.12.3 ~~~~~~~~~~~~~~~~~ Released: 2022-01-12 This is a security update that fixes two issues that were found in flatpak: https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j (also known as CVE-2021-43860) This issue is about the possibility for a malicious repository to send invalid application metadata in a way that hides some of the app permissions displayed during installation. https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx (also known as CVE-2022-21682) This issue is a problem with how flatpak-builder uses flatpak, that can cause `flatpak-builder --mirror-screenshots-url` commands to be allowed to create directories outside of the build directory. The fix for this is done in flatpak by making the --nofilesystem=host and --nofilesystem=home more powerful. They previously only removed access to the particular location, i.e. `--nofilesystem=host` negated `--filesystem=host`, but not `--filesytem=/some/dir`. This is a minor change in behavior, as it may change the behavior of an override with these specific options, however it is likely that the new behavior was the expected one. Other changes: * Extra-data downloading now properly handles compressed content-encodings which fixes checksum verification (see #4415) Note: In some corner case server setups this may require the extra-data checksum to be changed * Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes * Better handling of updates of extensions that exist in multiple repositories * Fixed (initial) installation apps with renamed ids * Support more pulseaudio configuration, including the one used in WSL2 * Fixed regression in updates from no-enumerate remotes * We now verify checksums of summary caches, to better handle local file corruption * Improved cli output for non-terminal targets * Flatpak run --session-bus now works * Fix build with PyParsing >= 3.0.4 * Fixed "Since" annotations on FlatpakTransaction signals * bash auto completion now doesn't complete on command name aliases * Minor improvements to the search command * Minor improvements to the list command * Minor improvements to the repair command * Add more tests * Updated translations and docs Changes in 1.12.2 ~~~~~~~~~~~~~~~~~ Released: 2021-10-12 * Install translations referenced by LANG, LANGUAGE or LC_ALL * Fix error handling for the syscalls that are blocked when not using --devel * Improve diagnostic messages when seccomp rules cannot be applied * Update Polish translation Changes in 1.12.1 ~~~~~~~~~~~~~~~~~ Released: 2021-10-08 The security fix in the 1.12.0 release failed when used with some older versions of libseccomp (that don't know about the new syscalls). More specifically, installing modules that use extra-data would fail, and so would running applications with the --allow=multiarch feature, such as Steam. This release fixes those regressions. Changes in 1.12.0 ~~~~~~~~~~~~~~~~~ Released: 2021-10-08 This is the first stable release in the 1.12.x series. The major changes in this series is the support for better control of sub-sandboxes, as used by the Steam Flatpak app to run Windows games under Proton. In addition, this release fixes a security vulnerability in the portal support. Some recently added syscalls were not blocked by the seccomp rules which allowed the application to create sub-sandboxes which can confuse the sandboxing verification mechanisms of the portal. This has been fixed by extending the seccomp rules. (CVE-2021-41133) For details, see: https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q Other changes in this version: * Some test fixes * Update translations * Support for specifying the flatpak binary to use during exports * Install translations for all languages in the locale, not just the ones in LC_MESSAGES. * Fix progress reporting in flatpak fsck * Handle cases where /var/tmp is a symlink * Expose /etc/gai.conf to the sandbox * Fix the parental control checks for root * Handle missing /etc/ld.so.cache (musl) Changes in 1.11.3 ~~~~~~~~~~~~~~~~~ Released: 2021-08-25 Dependencies: * For Linux distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, updating to version 0.5.0 is recommended, but not required. The minimal version is still 0.4.0. Bug fixes: * Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0 * Update the included copy of bubblewrap (flatpak-bwrap) to 0.5.0 - Better diagnostics when a --bind or other bind-mount fails - Create non-directories with safer permissions - Allow mounting an non-directory over an existing non-directory - Silence kernel messages for our bind-mounts - Improve ability to bind-mount directories on case-insensitive filesystems * Don't ask user which remote to download from if there is only one option * Improve robustness of autogen.sh Internal changes: * Improve test coverage * Spelling fixes Translation updates: Brazilian Portuguese, Russian, Spanish, Ukrainian Changes in 1.11.2 ~~~~~~~~~~~~~~~~~ Released: 2021-06-17 Bug fixes: * Fix logic error when migrating AppStream XML * Improve error-checking * Fix various memory and file descriptor leaks, in particular with flatpak-spawn --env=... * Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., which caused "Steam Linux Runtime" containers to fail to start * Avoid a crash when looking up summary for a ref without an arch * Improve handling of refs belonging to more than one architecture, e.g. for cross-compilation * Don't abort uninstall if deploy metadata is missing * Don't fail transaction if searching for dependencies fails in one remote * Fix test failure when running tests as root * Improve error message for 'sudo flatpak run' Internal changes: * Improve printf format string validation * Improve test coverage * Reduce risk of accidentally hard-coding x86 in the tests Translation updates: Danish, Indonesian, Russian Changes in 1.11.1 ~~~~~~~~~~~~~~~~~ Released: 2021-04-26 This is the first unstable release in the series that will lead to 1.12. New features: * All instances of the same app-ID share their /tmp directory * All instances of the same app-ID share their $XDG_RUNTIME_DIR * Instances of the same app-ID can optionally share their /dev/shm directory (enabled by a new --allow flag, --allow=per-app-dev-shm) * Allow a subsandbox to have a different /usr and/or /app. Steam will use this to launch games with its own container runtime as /usr (the "Steam Linux Runtime" mechanism). * enter: Improve support for TUI programs like gdb * build-update-repo: Add a higher-performance reimplementation of `ostree prune` specialized for archive-mode repositories Bug fixes: * Fix deploys of local remotes in system-helper * Fix test failures on non-x86_64 systems * Fix two intermittent test failures * Make polkit queries non-interactive when operating in non-interactive mode * Use a local main-context when using libsoup in a thread * create-usb: Skip copying extra-data flatpaks * OCI: Switch to pax-format tar archives * history: Handle transaction log entries with empty REF field * portal: Fix flatpak-spawn --clear-env on OSs where flatpak is not on the fallback PATH, such as NixOS * Fix various issues detected by scan-build Internal changes: * Use GNU bison to build parse-datetime.y * Add information about security support and security vulnerability reporting (see `SECURITY.md`) * Move all git submodules into subprojects/ directory * Several sockets are now created in /run/flatpak in the sandbox, with symbolic links in $XDG_RUNTIME_DIR Changes in 1.10.2 ~~~~~~~~~~~~~~~~~ Released: 2021-03-10 This is a security update which fixes a potential attack where a flatpak application could use custom formated .desktop files to gain access to files on the host system. Other changes: * Fix memory leaks * Some test fixes * Documentation updates * G_BEGIN/END_DECLS added to library headders for c++ use * Fix for X11 cookies on OpenSUSE * Spawn portal better handles non-utf8 filenames Changes in 1.10.1 ~~~~~~~~~~~~~~~~~ Released: 2021-01-21 * Fix flatpak build on systems with setuid bwrap * Fix some compiler warnings * Add --enable-asan configure option * Fix crash on updating apps with no deploy data * Update translations Changes in 1.10.0 ~~~~~~~~~~~~~~~~~ Released: 2021-01-14 This is the first stable release after the 1.9.x unstable series. The major new feature in this series compared to 1.8 is the support for the new repo format which should make updates faster and download less data. This release also contains the security fixes from 1.8.5, so everyone on the 1.9.x series should update immediately. (CVE-2021-21261) Other changes since 1.9.3: * The systemd generator snippets now call flatpak --print-updated-env in place of a bunch of shell for better login performance. * The .profile snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh. * Build fixes for GCC 11. * Flatpak now finds the pulseaudio sockets better in uncommon configurations. * Sandboxes with network access it now also has access to the systemd-resolved socket to do dns lookups. * Flatpak supports unsetting env vars in the sandbox using --unset-env, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it. * Similarly the spawn portal has an option to unset an env var. * The spawn portal now has an option to share the pid namespace with the sub-sandbox. Changes in 1.9.3 ~~~~~~~~~~~~~~~~ Released: 2020-12-22 I expect this to be the final 1.9.x release, and we can expect 1.10.0 early next year, containing basically whats in this release in terms of features. A minor change in the new indexed summary format in this release. The gpg signature of the summary index is now stored in a filename indexed by the checksum of the index rather than a static filename. This fixes an update race between clients accessing the two files during and update. It also helps in keeping mirrors and cached coherent. The old filename is still created/used for backwards compat with 1.9.1, but may go away in the future. Other changes: * --filesystem=host now exposed /var/usrlocal (as seen on ostree) * Better error messages in flatpak portal. * Rebases during update now install the new app before uninstalling the old, which means failure during the first doesn't leave the app uninstalled. * flatpak_installation_list_installed_refs_for_update() now handles some case better when apps in the user installation depends on runtimes in the system installation. * New version of the deploy files which guarantees the existance of a bit more data. This is useful for eol detection of apps that were installed with previous flatpak versions. * Some corner cases when installing an app with extra-data into a nonstandard installation were fixed. * Fixed crashed when killing and entering running instance that have was running a runtime, not an app. * The root user can now bypass parental controls. * Some fixes to library annotations. * Updated translations Changes in 1.9.2 ~~~~~~~~~~~~~~~~ Released: 2020-11-20 * Some build fixes on non-x86-64 arches * Fix permission issue in endless installer * Fixed a bug where flatpak was accidentally clearing the summary cache during updates in the user installation. * Fix handling of the multiarch permission., * Add back the commit timestamp to the summary file. Changes in 1.9.1 ~~~~~~~~~~~~~~~~ Released: 2020-11-19 This is the first unstable release in the series that will lead to 1.10. The main change in this version is a new format for the summary file used when accessing an OSTree repository on the network. For this reason we now require OSTree version 2020.8. The new format should make getting the initial metadata required for most flatpak operations much faster, and use less network bandwidth. This will allow repositories to scale to more apps and more architectures without affecting clients. The old format is still generated for compatibility with older clients. The new format also allows repositories to publish named subsets, and for clients to declare that they only want to see that subset. The goal here is to allow for example flathub to mark all FOSS apps, and make it possible for users to use a flathub-foss remote without flathub having to maintain two duplicated repositories. This is accessible by passing --subset=SUBSET to the build-commit-from and build-export commands. The new repo option `flatpak.summary-arches` controls which architectures are put in the old format summary. This can be used to avoid newly added architectures making old clients slower, at the cost of requiring a newer flatpak client version for the new architecture. Other major changes * There is a new `flatpak pin` command that lets you pin runtimes so that they are not considered unused. Also, we now by default pin runtimes that are installed explicitly (i.e. not as a dependency of an app). * During a regular update or uninstall of an app, if the operation makes a previously used runtime unused, and the runtime is marked as end-of-lifed, then the runtime is automatically uninstalled. * During `flatpak update` (i.e. with no specific app given) flatpak now automatically adds uninstall operations for end-of-life runtimes that are unused. * The end-of-life warnings in the flatpak CLI are now better, showing more useful details (like version and what apps are using the runtime) and less unuseful details. * Some changes was made in which dconf paths were considered "similar" to the app id, allowing for example `org.gnome.SoundJuicer` to migrate from `/org/gnome/sound-juicer`. * Flatpak run now implements the new standard for os-release in containers (https://www.freedesktop.org/software/systemd/man/os-release.html). * There is now a tcsh profile snippet * The origin remote for an app is now prioritized over other remotes with the same priority when looking for dependencies. * We now allow extra-data apply_extra processes to run multiarch code. * A new internal representation for ostree ref strings was added which is more efficient. This should not affect the behaviour of flatpak but the large amounts of changes to use this may have accidentally introduced regressions. * Some fixes to the in-memory summary cache make it more efficient. * --filesystem=/ is now explicitly forbidden as it doesn't work (and never did). * Flatpak install/update now only prints `(partial)` for an update that actually is partial (not just for all locales). * Flatpak remote-ls on a file: uri (for example a sideloaded repo) now correctly lists the refs in the repo. * New library APIS: flatpak_installation_list_pinned_refs, flatpak_transaction_set_disable_auto_pin, flatpak_transaction_set_include_unused_uninstall_ops, flatpak_transaction_operation_get_subpaths, flatpak_transaction_operation_get_requires_authentication. * flatpak_installation_list_installed_refs_for_update() now returns refs that have a end-of-life rebase that it could be updated to. * There is a new `ready-pre-auth` signal in FlatpakTransaction allowing clients new ways to handling authentication. * Fix bug where extension sources were sometimes auto-installed Changes in 1.8.3 ~~~~~~~~~~~~~~~~ Released: 2020-11-17 * Fixed progress reporting for OCI and extra-data * The in-memory summary cache is more efficient * Fixed authentication getting stuck in a loop in some cases * Fixed authentication error reporting * We now extract OCI info for runtimes as well as apps * Fixed crash if anonymous authentication fails and -y is specified * flatpak info now only looks at the specified installation if one is specified * Better error reporting for server HTTP errors during download * Uninstall now removes applications before the runtime it depends on * Fixed test-suite to pass with the latest OSTree version * Fixed dbus environment variables in flatpak enter * Avoid updating metadata from the remote when uninstalling * Fixed error message handling in various places * FlatpakTransaction now verifies all passed in refs to avoid potential issues with invalid names * Updated translations Changes in 1.8.2 ================ * Added validation of collection id settins for remotes * Fix seccomp filters on s390 * Robustness fixes to the spawn portal * Fix support for masking update in the system installation * Better support for distros with uncommon models of merged /usr * Cache responses from localed/AccoutService * Fix hangs in cases where xdg-dbus-proxy fails to start * Fix double-free in cups socket detection * OCI authenticator now doesn't ask for auth in case of http errors Changes in 1.8.1 ================ * Avoid calling authenticator in update if ref didn't change * Don't fail transaction if ref is already installed (after transaction start) * Fix flatpak run handling of userns in the --device=all case * Fix handling of extensions from different remotes * Fix flatpak run --no-session-bus * Updated translations Changes in 1.8.0 ================ New stable release series 1.8. Changes: * FlatpakTransaction has a new signal "install-authenticator" which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands. * We now always expose the host timezone data, allowing us the expose the host /etc/localtime in a way that works better, fixing several apps that had timezone issues. * Fix flatpak enter which didn't work in some cases. * We now ship a systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos. * By default we no longer install the gdm env.d file, as the systemd generators work better * create-usb now exports partial commits by default * Fix handling of docker media types in oci remotes * Fix subjects in remote-info --log output Changes in 1.7.3 ================ * Allow direct ALSA device access if app has pulseaudio access. * Flatpak now ships a sysusers.d file for allowing systemd to create the required users. * Fix issue in remote-delete where it failed to delete system remotes if it had to uninstall something first. * New library calls flatpak_transaction_operation_get_related_to_ops(), flatpak_transaction_operation_get_is_skipped() and flatpak_transaction_set_no_interaction(). * New options --[no-]follow-redirect in remote-add/modify * New spawn portal APIs to get real pid of launched app. * By default, all OCI remotes now use the flatpak-oci-authenticator. * Support flatpak remote-info and flatpak update --commit= to specific versions for OCI remotes. * Initial work in progress on using deltas for OCI remotes. * Fix race in the generation of ld.so.cache when starting copies of the same app at the same time. * Minor fix in what locales are installed on update. * Flatpak uninstall now doesn't fail if one ref (of many) was not installed. * Flatpak systemd transient units now have an app-prefix to match new XDG spec for cgroup names. * In some cases we previously downloaded the summary twice. * flatpak upgrade is now an alias for flatpak update. * Fix to selinux module to work without unconfined module. * Respect user XDG basedirs when finding users fonts and icons. * Fix issue where thread were sometimes initialized causing flatpak enter to fail. * Better error reporting when authentication goes wrong. Changes in 1.7.2 ================ This fixes some regressions in progress reporting in 1.7.1, where it would report > 100%. Other changes: * Completion support for fish shell * Properly handle migration of remotes with collection ids * The summary now has some extra-data download size info which can make downloads slightly more efficient Changes in 1.7.1 ================ This is the first release in the 1.7.x unstable release series. A major change is that the support for the ostree peer-to-peer installation has been simplified. Flatpak no longer supports installing from local network peers, and sideloading from local usb stick is no longer automatic. To enable sideloading you have to configure a sideload repository by creating a symlink to it from /var/lib/flatpak/sideload-repos or /run/flatpak/sideload-repos. Due to this the flatpak code has been simplified internally and the p2p support is more efficient. Other major changes * If an app has filesystem access, the host /lib is accessible as /run/host/lib, etc. * New filesystem permission "host-etc" and "host-os" give access to system /usr and /etc. * Flatpak now uses variant-schema-compiler to generate more efficient code for parsing GVariant files from ostreee. * libsystemd use is now optional in configure. * Journal sockets are mounted readonly * document-export now supports exporting directories (requires new portal version) * DConf migration now allows version numbers in object paths Changes in 1.6.3 ================ The main change in this version is a fix for a regression in the progress calculation for applications using extra-data. Additionally the bundled version of bubblewrap is updated to 0.4.1 which fixes a security issue in some cases. See https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj for details. Other changes: * Updated translations * Don't break if users primary gid is not in the nsswitch database * Fix crash in flatpak repair if no remotes are configured * Some updates to the oci authenticator * Retry downloads of extra data Changes in 1.6.2 ================ Due to a combination of some behaviour in flatpak and recent versions of ostree we at some point lost the use of deltas for the initial install case, instead always falling back to a full ostree operation which is a lot less efficient for pulls with many small files like a runtime. This caused some very slow installs from e.g. flathub, so I recommend everyone update to this version to get better install performance. Other changes are: * We now correctly handle TMPDIR env var overrides when bwrap is setuid * Disallow running "flatpak run" under sudo (as it doesn't work and causes issues) * Fix build with older versions of glib * Minor documentation updates * Updated translations Changes in 1.6.1 ================ This is a (mild) security update. Flatpak 1.6.0 added the ability for an application to request it to be updated, as long as the new version doesn't require new permissions. Unfortunately in some special cases, if an app had acces to the home directory, but not the rest of the filesystem it would still allow a self-update where the new version could access some files outside the home directory.. This is fixed in this version, and all users of 1.6.0 are recommended to update. Other changes are: * New permission --device=shm giving access to host /dev/shm, as needed for jack. * Generated correct download size in build-commit-from * sub-sandbox now allows the child to share the gpu of the caller has full device access * Fix crash with disabled remotes * Fix builds with older versions of glib * Update translations Changes in 1.6.0 ================ This is the first stable release in the 1.6 series, main changes since 1.4 is the support for protected content and improvements in the self-sandboxing support. There is one change in the support for OCI remotes, we now only support the use of labels, not annotations, as labels work with more registries. This means pre-existing OCI flatpak registries (like fedora) may need some changes. Changes since 1.5.2: * New permissions --socket=cups for direct cups access * Fix some leaks * Fix reporting of progress with latest version of ostree * New no-interaction flag for authenticators * Support for auto-installing authenticators from a flatpak remote * Warn less about unset XDG_DATA_DIRS * Don't poll for updates in the portal when on a metered connection Changes in 1.5.2 ================ This version has further changes to the protocol and API for handing authentication, in order to make it more flexible and futureproof. The sample authenticator has been updated to the new APIs. Flatpak now ships with a OCI authenticator that can be used to access private OCI registries. FlatpakTransaction now also has a callback for simple user/password authentication for an authenticator (the basic-auth-start signal) modeled on HTTP basic authentication. This is handled in the flatpak CLI by interactive prompts on the terminal. This is needed by the OCI authenticator, but can also be used by other authenticators that have simple authentication requirements. There were also some fixes to the new self-sandboxing support of the flatpak spawn portal, allowing webkit to use it. Other changes: * Show background status in flatpak ps * Improved docs and help output * Fix support for fd forwarding and the allow_a11y flag in the sandboxing portal * Some improvements to the new permission-set command * New remote option that allows settting the default token type (mostly for debugging) Changes in 1.5.1 ================ The major new feature of this is the support for protected applications and the system around authenticting downloads to it. This is not considered stable yet, but this release has the initial work to make it possible for developers to play around with this. I will send out a separate mail about this later. Other changes: * Flatpak now bundles bubblewrap 0.4.0, and requires 0.4.0 to use the system bubblewrap. * Optional support for parental controls using libmalcontent. * Transaction now installs extensions before apps to ensure we have a working app immediately after install. * Changes in temporary file use makes flatpak run work better in low disk space situations. * flatpak enter now works without sudo, and works better in general. * New features for the flatpak portal: * Support starting a sub-sandbox with the child processes visible in the original sandbox. * Support adding some kinds of permissions to sub-sandboxes * New commands flatpak permission-set and permission-remove * flatpak install CLI now always shows what kind of operations everything is. * libflatpak now returns apps as updatable if doing so would auto-download missing extensions or runtimes. * new API: flatpak_transaction_get_no_(deploy|pull). * We can now store locale info in the extra-languages key (in addition to the country code). * remote-ls and list --app-runtime now only shows apps, no runtimes. * Stop using mirror refs and delete any useless mirror refs you might have in your repo. * Fix busy-loop regression in revokefs-fuse in 1.5.0 Changes in 1.5.0 ================ * New options flatpak install --or-update operation. * New command flatpak mask allows pinning version and avoiding auto-downloads. * Support self-updates and update monitoring in the flatpak portal. * Fix updates of exported services with dbus-broken. * Don't show arch columns in terminal outout if all are the same. * Fix some cases where origin remotes were not properly removed. * flatpak-session-helper now links to more libraries. * OCI: Support images tagged with labels as well as annotations. * OCI: Alway generate a history for images. * OCI: Support docker mimetypes in addition to OCI mimetypes. * Uninstall now always work, even if the remote it came from was force removed. * New config key default-languages that allows additions to the system list instead of overriding it. * Various minor tweak to CLI behaviour and output. Changes in 1.4.3 ================ * Fix crash in revokefs. * Handle 'versions' extension key (in addition to 'version') when checking for local extensions, which was causing us to uninstall some actually used extensions with uninstall --unused. * The 'required-flatpak' metadata key now supports listing multiple versions to support backported features. * Fix crash with older versions of polkit. * Fix installation of bundles. * Fix crash on deploy error. * Support building bundles of apps installed from a remote. * OCI: Fix handling of locally cached icons. * Fix crash when listing unconfigured remotes. * Ignore differences in trailing slashes for repo uris. Changes in 1.4.2 ================ * Support extra_data in extensions. * Handle double slashes ("//")in XDG_DATA_DIRS. * Fix detection of local related refs. Changes in 1.4.1 ================ *WARNING* *WARNING* *WARNING* There was an accidental ABI break in libflatpak in 1.4.0 compared to the 1.2.x ABI which caused crashes in apps like gnome-software. This has been fixed in this release so it is now ABI compatible with 1.2.x, but *NOT* compatible with 1.4.0. It is recommended that all distributions that shipped 1.4.0 update to 1.4.1 and rebuild all dependencies of libflatpak. * Make ABI compatible with 1.2.x * Update translations * Fix some potential crashes * Fix some corner case where it was impossible to remove a remote * Restore support for file: uris in the RuntimeRepo key in flatpakref files Changes in 1.4.0 ================ This is the new stable series, ending the 1.3.x series. The major changes since the 1.2.x is the improved I/O use for system-installed applications, and the new format for pre-configured remotes. * Recalculate download-size when moving between repos in build-commit-from. * New library error FLATPAK_ERROR_REF_NOT_FOUND returned instead of G_IO_ERROR_NOT_FOUND. * Fix installed tests when running on a tty. * Fix a double-set of a GError. * Grant more permissions on the /run/host/monitor directory to work with e.g. toolbox on the host. Changes in 1.3.4 ================ This version changes how default remotes are configured. We still use files in /etc/flatpak/remotes.d, however instead of the old *.conf files we now use regular flatpakrepo files, and the first time you use flatpak these are automatically imported. The advantage of this new model is that the configuration is imported once, but then becomes writable and removable, just like a manually added remote. In the previous model the remote was always there and it was impossible to change or remove. However, this means that anyone currently shipping a .conf file with a distro needs to change this to a .flatpakrepo file. * Support for flatpakrepo files in /etc/flatpak/remotes.d * Support for client side filtering of a remote. This allows you to limit what apps are seen from a remote, using either a whitelist or a blacklist model. * Add library API to easily add remotes from flatpakref files. * Fix the dconf support. * Fix app updates in system-wide OCI remotes. * Fix CLI completion if G_MESSAGES_DEBUG is set * Add a docker seccomp profile for running flatpak inside a container. * Look for the new default dbus session socket at $XDG_RUNTIME_DIR/bus * Improve ability to pull from multiple p2p sources (needs latest ostree). Changes in 1.3.3 ================ * Fixed a crash in the system helper that made installation via the helper sometimes not work. * Fix build with older versions of glib * The list and remote-ls output is now less wide, not showing the appdata summary by default and only showing the archtecture and origin if necessary (i.e. not if its the same for all rows). * flatpak remote-ls now filters end-of-lifed apps by default. * flatpak permission-reset now supports --all * Flatpak now works will all set values of umask. * The flatpak profile.d snippet now works if flatpak is not installed (in case it gets left over after deletion). * Fixed flatpak install --noninteractive still asking questions in some cases. * flatpak now returns a failure exit status if you abort the operation early. * flatpak remote-ls and remote-info now supports --cached to prefer using locally cached data. * libflatpak grew a FLATPAK_QUERY_FLAGS_ONLY_CACHED that allows you to get at locally cached data about remotes without doing network i/o. * Documentation updates Changes in 1.3.2 ================ This release contains a major change in how flatpak does system-wide installation as a user. We used to pull into a temporary user-owned directory and then ask the flatpak system-helper to import from this directory. Unfortunately, since we can't trust the user directory it had to copy these files as they were being imported, which caused unnecessary i/o, as well as temporarily using more diskspace. The new setup uses a new custom fuse filesystem which the user writes to, and then when this is done we can safely revoke any access to this from the user, meaning the files can be directly imported into the system repository without needing to make a copy. However, this makes packaging flatpak a bit more complex, as we now require flatpak to have a user. By default flatpak will look for a user called "flatpak", and for the new feature to work you need to create it in your package. If you want to use a different name you can specify that in configure as --with-system-helper-user=USERNAME. Additionally, the new code passed a unix socket over the system bus, which is prohibited by the default selinux policy. To work around this flatpak now ships with a custom selinux module (enable with --enable-selinux-module). For the new feature to work you need to install this module and ensure the flatpak-system-helper binary gets the proper selinux context. Other changes: * We now support specifying a rebasing version of end-of-life, where the clients will be asked if they want to use the new version. At runtime any old per-user application data will be migrated to the new name. Note: This works for the CLI app, but needs some changes for installers to take advantage of the automatic rebasing. * New permission --socket=pcsc for access to smart cards. * We now store the description, comment, icon and homepage fields from the flatpakrepo files in the remote confiuration and have new library APIs to read these back. * The fields above are now also settable in a repo and changes to these can propagate to clients. * run now tries the determine what branch to use when you run a runtime. * Print maximum icon size when icon-validator fails. * flatpak override can now disallow access to a dbus name. * flatpak list now has a new runtime column Changes in 1.3.1 ================ This release fixes CVE-2019-10063. It has been discovered that the previous fix for CVE-2017-5226, which uses seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl was only incomplete on 64bit arches. This is now fixed. * seccomp: Only compare the low 32bit of the TIOCSTI ioctl args. * Fix the required runtime prompt during installation. * When installing, only check dependencies from the same installation. * flatpak list --arch now works correctly again. * Create origin symlinks in appstream branch for libappstream compat. Changes in 1.3.0 ================ This is the start of a new unstable series, targeting stable release as 1.4.0. Major changes: * Support systems with multiple nvidia devices * Checks are update output are green again * Fix support for systems like gentoo where /var/run is a symlink. * Initial support for sandboxed dconf support. * build-update-repo: New options --no-update-[summary,appstream] and --static-delta-ignore-ref=PATTERN. * Regenerating the appstream branch is now much faster for large repositories. * We no longer limit the size of svgs in the icon validator. Changes in 1.2.3 ================ This release fixes CVE-2019-8308. The CVE-2019-5736 runc vulnerability is about using /proc/self/exe to modify the host side binary from the sandbox. This mostly does not affect flatpak since the flatpak sandbox is not run with root permissions. However, there is one case (running the apply_extra script for system installs) where this happens, so this release contains a fix for that. * Don't expose /proc in apply_extra script sandbox. Changes in 1.2.2 ================ * Reverted green checkbox as they caused table alignment issues * Fix a division by zero if the terminal reports a zero terminal width (which happens in the flathub build environment). Changes in 1.2.1 ================ * Ensure flatpak builds with older versions of glib and appstream-glib. * build-commit-from: Fix the new --extra-id option. * build-export: Allow disabling the sandboxing of the icon validator and do so during the tests. * profile: Don't break if debug logging is enabled. * Better handling of the appdata release attribute. * Don't install polkit agent when not needed, avoiding some unnecessary log lines in some cases. * Fix the output of the sandboxed icon validator not being visible. * builld-init: Allow specifying a full ref for the sdk, which is used to select the branch name when checking sdk extensions. * Make the ok checks in the output green Changes in 1.2 ============== * Ensure DeployCollectionID works in flatpakrepo files in all cases. * Don't error out with empty installations in uninstall. * Add helper that validates icon files during export. * Don't allow root to modify the (non-root) per-user flatpak installation, as this risks causing problems later. * Remove some incorrect warnings from flatpak repair. * Allow multiple name segments after prefix when exporting files. * Allow specification of ellipsization in --colums options. * Handle dates as well as timestamps in appdata * Fixed a bug where flatpak remote-delete removed too many refs. * Now we use raw terminal mode during a transaction to a avoid problems with input during the operation causing problems with escape sequences. * Generate a fontconfig directory remapping snippet as will be needed for newer versions of fontconfig. * Support --extra-collection-id in build-commit-from to bind the commit to multiple collection ids. This is work in progress in ostree. Changes in 1.1.3 ================ * Various fixes to the CLI output changes * New flatpak --installations option to list all installations * Extract license info from appdata among with the other fields. This is shown in e.g. info and remote-info, and has library API. * install/update/uninstall now has --noninteractive option with less output that is useful when called from scripts, etc. * --devel is now properly forwarded to sub-sandboxes using the flatpak portal. * Drop dependency on libappstream-glib from libflatpak. * Initial support for exposing the system dconf defaults to the sandbox. * We now create deploy refs for the deployed commits to avoid a prune removing objects that are in use. * Ask about removing all refs when deleting a remote. * New environment generator that handles custom installations, replacing the old dbus service config file. * Documentation updates * More robust completion * Try to report out-of-space errors better. * Add more tests. * Various improvements to the repair command. Changes in 1.1.2 ================ * Refreshed the CLI output layout, in particular the install/update progress and application list/info commands. * The host XDG_{DATA,CONFIG,CACHE}_HOME env vars are now available as with the HOST_ prefix in the sandbox. * FLATPAK_ID is set to the app id in the sandbox (this previously only happened in flatpak build). * The spawn portal command now has a kill with parent option. * Flatpak shells now have custom prompts * New library APIs: Access to deployed appstream data, list unused refs. * Flatpak run now has --cwd option. * New option --static-delta-jobs to limit number of parallel delta generation jobs in build-update-repo. * Fixed critical warning with newer policykit versions. Changes in 1.1.1 ================ * New libflatpak function: flatpak_remote_get_main_ref() * Various changes to the policykit rules in order to cause less, and more understandable policykit authentication dialogs. * Give DRI apps access to more nvidia device nodes required for CUDA/OpenCL support. * search now doesn't search noenumerate remotes. * Renamed operations permission-list to permissions and document-list to documents. The old names are still supported as aliases. * New property 'non-interactive' for installations that allow frontends to do background updates without triggering policykit authentications. * New flag in HostCommand to allow killing the child process when the spawner exits the session bus. * Flatpak now authenticates on the terminal in case there is no desktop-wide policykit agent. * update with no arguments now updates all installations (i.e. also custom systemwide installations). * Use system helper to generate summary files for OCI remotes. * Better progress reporting for OCI downloads. * New conditional extension download feature, 'on-xdg-desktop-FOO' which downloads when XDG_CURRENT_DESKTOP matches FOO. * More sockets are now mounted read-only in the sandbox * Updated docs, error messages and translations Changes in 1.1 ============== This is the first release in the new unstable 1.1.x series, leading up to 1.2 which is expected around the end of the year. Changes in this version: * New command flatpak kill to kill running flatpak instances. * The remote argument is now optional in the flatpak install in interactive installs. Instead you are prompted for which remote to install from. * All commands printing tables now support --columns option to specify exactly what to output. * flatpak uninstall now supports --delete-data to delete the application data directory in your homedirectory. If no application is specified it will remove data from all uninstalled apps. * flatpak list now supports filtering by runtime with: --app-runtime=org.gnome.Platform//3.24 * flatpak remote-ls can now show the runtime used for each app. * flatpak repo now supports --info to show information about a repository, and it is the default operation for the flatpak repo. * flatpak repo now supports --commits to list commits in branch. * flatpak now logs transactions to the systemd journal if built against libsystemd. * libflatpak now exposed FlatpakInstance for a running instance. * Better error output if a flatpak command is misspelled * Drop support for migration from xdg-app (previous name for flatpak). * New library function flatpak_installation_get_min_free_space_bytes. * In interactive mode "yes" is now the default in most prompts. * Bumped ostree requirement to 2018.9 * Cleanups and improvements to the test suite. * Improvements to documentation. * buildsystem support for coverage generation. Changes in 1.0.6 ================ This release fixes an issue that lets system-wide installed applications create setuid root files inside their app dir (somewhere in /var/lib/flatpak/app). Setuid support is disabled inside flatpaks, so such files are only a risk if the user runs them manually outside flatpak. Installing a flatpak system-wide is needs root access, so this isn't a privilege elevation for non-root users, and allowing root to install setuid files is something all traditional packaging systems allow. However flatpak tries to be better than that, in order to make it easier to trust third party repositories. Thus, it is recommended that all distros update to this version, or backport commit b98e09b20dfab896616b4a65e15c31f684a5f9f2. Changes in this version: * The permissions of the files created by the apply_extra script is canonicalized and the script itself is run without any capabilities. * Better matching of existing remotes when the local and remote configuration differs wrt collection ids. * New flatpakrepo DeployCollectionID replaces CollectionID, doing the same thing. It is recommended to use this instead because older versions of flatpak has bugs in the support of collection ids, and this key will only be respected in versions where it works. * The X11 socket is now mounted read-only. Changes in 1.0.5 ================ There was a sandbox bug in the previous version where parts of the runtime /etc was not mounted read-only. In case the runtime was installed as the user (not the default) this means that the app could modify files on the runtime. Nothing in the host uses the runtime files, so this is not a direct sandbox escape, but it is possible that an app can confuse a different app that has higher permissions and so gain privileges. So, it is recommended that everyone shipping flatpak to update to 1.0.5, or at least backport the change in commit 6711d7ae99c50a9dca8e4e2e9e9989a8fa6c3f06. Changes in this version: * Make the /etc -> /usr/etc bind-mounts read-only. * Make various app-specific configuration files read-only. * flatpak is more picky about remote names to avoid problems with storing weird names in the ostree config. * A segfault in libflatpak handling of bundles was fixed. * Updated translations * Fixed a regression in flatpak run that caused problems running user-installed apps when the system installation was broken. Changes in 1.0.4 ================ * Flatpak 0.99.1 removed the inheritance of permissions from the runtime due to concerns with dynamic app permissions. Due to popular requests, this version re-introduces such inheritance, but does it instead at build time. This solved the issues with dynamic permissions while still allowing runtimes to have default permissions. Apps can disable this by passing --no-inherit-permissions to build-finish. * The sandbox now always includes a /etc/timezone file, following the (old) debian standard for this. This is needed, because the more modern way of exposing the timezone name by having /etc/localtime be a symlink into /usr/share/zoneinfo doesn't work when exposing the host timezone. * All apps now have automatic permissions to own their own app id as a subname of org.mpris.MediaPlayer2. * We now properly re-load remote state in FlatpakTransaction if the metadata was updated for the remote. * The signature of the FlatpakTransaction::operation-done signal was wrong in the header and has now been corrected to the signature that is actually emitted. * A crash was fixed when reading invalid .flatpakref files. * A crash during updates when a local ref was unexpectedly missing was fixed. * An error case on uninstalling was incorrectly returning success even thought there was an error. * flatpak_installation_modify_remote did not correctly save the nodeps state. * flatpak_installation_load_app_overrides() was improperly returning freed memory. * The tarball now ships with an icon (flatpak.png). Changes in 1.0.3 ================ * run: You can now use --system to run an app that otherwise would run the user version. * New permission --allow=canbus that filters out access to AF_CAN sockets. * lib: New install flags FLATPAK_INSTALL_FLAGS_NO_TRIGGERS and new function flatpak_installation_run_triggers() * lib: Better error reporting, including some new error values that replace the generic FAILED. * uninstall --unused: Improve handling of which .Locale extensions are used * run: Make flatpak run on systems where $XDG_RUNTIME_DIR contains a symlink beneath /var (commonly /var/run -> /run). * Don't export any desktop/dbus/mimetype files in subdirectories. * build-init: We now record the base ref (if used) in the metadata. Nothing uses this atm, but it can be used by tools. * We now respect the upstream ostree.deploy-collection-id instead of the flatpak-specific xa.collection-id metadata key to decide whether to switch to collection ids for a remote. This is useful, because if you use the new one, only new clients (that support it better) will use it. * create-usb: Fix assertion failure in some error cases * create-usb: Always create archive-z2 repos * create-usb: Don't create unnecessary summary in repo * permissions: Avoid errors if there is no permissions table * repo: Fix flatpak repo sometimes using the wrong ostree-metadata ref. * Avoid fsync when updating $installation/.changed. * Add the missing appstream2 ref to the xa.cache metadata * The test-suite got some modifications to make it easier to maintain. * Documentation updates * Translation updates Changes in 1.0.2 ================ * The dbus proxy is now available in a separate git module, xdg-dbus-portal, which is imported into flatpak as a submodule. It is possible to build flatpak against the system xdg-dbus-portal instead, but this is not currently very useful as no other applications yet depend on xdg-dbus-portal. * Build regressions with older versions of glib have been fixed. * Flatpak ps now also tracks the pid the main process inside the sandbox. * Added flatpak override --reset to reset overrides for an app. * Added flatpak override --show to show overrides for an app. * flatpak install now automatically pick user or system based on the remote name given (unless the remote exists in both). * flatpak uninstall --unused now does not remove SDKs if some installed app refers to them. * Fixed bug where flatpak uninstall --unused prompted for uninstall twice. * Set IO class on the system helper to "idle", which should cause backgroun updates to affect the system less. * Fixed regression in flatpak uninstall --no-related. * Better handling of empty collection ids in flatpak bundles. * Cleaned up some error messages. * Various documentation fixes and cleanups. * Updated translations. Changes in 1.0.1 ================ This fixes various build and test failures that were detected when packaging 1.0, as well as translations and doc updates. It also has some minor features, including a new subcommand "flatpak ps" to list the running flatpak instances for your user. * Print application tags in the prompt when installing/updating. * Make sure we don't accidentally leak the host /proc into the sandbox. * Translation updates. * Added a "flatpak ps" command that lists running flatpak instances. * Improve error reporting when exporting documents. * Improve detection of dynamic p2p remotes. * Build fixes for older versions of glib. * Fix threading issue in the OCI support that was causing the installed tests to sometimes fail. * Fix OCI AppStream support on 32bit architectures. * Fix utf8 issue in the dbus API description. * Some install fixes to make installed tests work * Make the tests work with python3 (as well as python2) * Improve introspection annotations in libflatpak * Improve libflatpak API docs Changes in 1.0 ============== Flatpak 1.0 is the first version in a new stable release series. This new 1.x series is the successor to the 0.10.x series, which was first introduced in October 2017. 1.0 is the new standard Flatpak version, and distributions are recommended to update to it as soon as possible. The following release notes describe the major changes since 0.10.0. For a complete overview of Flatpak, please see [docs.flatpak.org](http://docs.flatpak.org/en/latest/). ## For users, app developers and distributors Flatpak 1.0 marks a significant improvement in performance and reliability, and includes a big collection of bug fixes. 1.0 also includes a collection of new features, including: * Faster installation and updates. * Applications can now be marked as end-of-life. App centers and desktops can use this information to warn users who have an end-of-life version installed. * Permissions now use an up-front verification model: users are asked to confirm app permissions at install time, if an update requires additional permissions, the user must also confirm. * A [new portal](https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus-org.freedesktop.portal.Flatpak) allows apps to create sandboxes and restart themselves. This allows applications to restart themselves after they have been updated (to start using the new version), and to increase sandboxing for parts of the application. * `flatpak-spawn` is a new tool for running host commands (if permissions allow) and creating new sandboxes from an app (this uses the above portals APIs). * Apps can now export D-Bus services for all the D-Bus names they are privileged to own (rather than just the application ID). * Flatpak's support for OCI bundles has been updated to the latest specification. Also, AppData can now be distributed through OCI repositories. * Host TLS certificates are now exposed to applications, using p11-kit-server. This removes a point of friction when accessing network services in some environments. * Apps can now request access the host SSH agent to securely access remote servers or Git repositories. * A new application permission can be used to grant access to Bluetooth devices. * A new `fallback-x11` permission grants X11 access, but only if the user is running in a X11 session. For applications that support both Wayland and X11, this can be used to ensure that the app doesn't have unnecessary X11 access while in Wayland, but still works in an X11 session. * Peer-to-peer installation (via USB sticks or local network) is now enabled and supported by default in all builds. The Flatpak command line also introduces new commands and options, including: * `uninstall --unused` automatically removes unused runtimes and extensions (if you've removed all apps that depend on a runtime, or all the apps you had depending on it have upgraded to a newer version). * New `info` options, including `--show-permissions`, `--file-access`, `--show-location`, `--show-runtime`, `--show-sdk`. * `repair` - fixes broken installs by scanning for errors, removing invalid objects and reinstalling anything that's missing. * `permission-*` - allows interaction with the portals permissions store. This is useful for testing and for getting back to a clean state. * `create-usb` - can be used to prepare an repository to be used as a local updates source. Finally, the command line has a collection of other improvements, such as: * If `--system` or `--user` aren't specified, one is automatically picked if it is obvious (or it will ask if the correct option isn't obvious). * The `install`, `update` and `uninstall` commands now ask for confirmation of changes before proceeding, in order to prevent mistakes, and to show the required application permissions. * The `uninstall` command now does not allow you to remove a runtime if some installed application requires it. * `flatpak remove` is now an alias for `flatpak uninstall`. ## For Linux distributors, OS and platform developers * Flatpak no longer requires a filesystem that supports `xattr`. * Portals are now more cleanly separated from Flatpak, thanks to the document portal and permission store having been moved to `xdg-desktop-portal`. It is recommended that the flatpak package has a weak dependency on `xdg-desktop-portal`. * `libflatpak` now has a transaction API for install, update and uninstall operations. This means that it is much easier to use as the basis of app centers and other graphical app management software. * Flatpak now sets several HTTP headers when installing applications, which make it easier for Flatpak repositories to log things like app download statistics and Flatpak versions in use. * It is now recommended that Flatpak packages add a dependency on p11-kit-server, as this allows apps to access host certificates. However, this does not need to be a hard dependency. * Requires bubblewrap 0.2.1 or later, and comes bundled with 0.3.0. * Requires OSTree 2018.7. Major changes in 0.99.3 ======================= * Fixed case where system install would sometimes fail due to the system-helper idle exiting. * Support installing flatpakref files in FlatpakTransaction, including a new signal add-new-remote for when remotes might be added. * Added some new FlatpakError codes. * We now support .flatpakrepo files with no gpg signatures * Fix crash in system-helper when updating appstream * New command create-usb which can be used to prepare an repo for offline updates. * Fix some non-handled cases of the CLI not working when /var/lib/flatpak doesn't exist. * Fix crash when running with a gid that is not in /etc/groups. * Add new permission-* commands to interact with the permissions store from the portals. * Include appdata in OCI bundle. Major changes in 0.99.2 ======================= * Fix race condition on instance id allocation * Translation updates * Build fixes for new glibc versions * Build fixes for new libsoup versions * Build fixes for old glib versions Major changes in 0.99.1 ======================= This is the first pre-release before flatpak 1.0. This is considered feature-complete and we expect no features or major changes before 1.0, only bugfixes. Note: There were some (minor) API changes in the FlatpakTransaction APIs that were added in 0.11.8, so please don't use the old version. (Note: I know of no user of this API). Changes since last minor release: * Ostree 2018.6 is required, and with this, the p2p code in flatpak is made non-optional. * flatpak install/update/ininstall now lists all the operations that it will do and asks for confirmation before starting. * In the above confirmation the permissions (new permissions for updates) are shown for all applications. * The FlatpakTranscation API has a new ::ready signal that allows users to do similar confirmation prompts. * P2P updates are more efficient * system-wide installation uses less fsync calls so should installation should be faster. * New ssh agent permissions allows granting an app ssh access. Major changes in 0.11.8.3 ========================= * Fix a 25 second timeout on startup if using p11-kit < 0.23.10 * Minor change in dbus proxy default filter, now broadcasts are not accepted from portals. Major changes in 0.11.8.2 ========================= * Fix crash when building some apps * Allow multiple appstream components per app * Fix handling of gl drivers in uninstall --unused * Don't prompt if nothing changed in uninstall --unused * Longer timeouts in test suite * Updated translations Major changes in 0.11.8.1 ========================= * Fixed regression running apps with --own=* permissions Major changes in 0.11.8 ======================= * Flatpak uninstall now accepts --all to remove everything and --unused to remove unused runtimes. * New command "flatpak repair" allows checking and repairing a flatpak installation. * New permission --allow=bluetooth allows use of AF_BLUETOOTH sockets * If p11-kit-server is installed on the host, this is now used to forward the host certificate trust store to the sandboxed app. * New transaction API in libflatpak that makes it much easier to implement installation and updates in frontends. * Flatpak uninstall now does not allow you to remove a runtime if some installed app requires it. * We now have tab-completion for zsh. * New installations of flatpak now defaults to bare-user-only repos, which means that it works with filesystems that don't support xattrs. * New flatpak info options: --show-location, --show-runtime, --show-sdk * New flatpak remote-info options: --show-runtime, --show-sdk * p2p operations now work when offline. * Work around hanging on app startup on blocking autofs mounts. * The dbus proxy filtering now works matches the new dbus containers filtering API. * Various optimizations make installation and updates faster. In particular operations like running triggers and pruning only happens once per install/update operation. * We now respect multiple extension versions matches when auto-downloading extensions. * New http header Flatpak-Upgrade-From sent when upgrading. * Commands like "flatpak info/list/remotes/search" now work properly if /var/lib/flatpak doesn't exist. * The bubblewrap version required for system-bwrap is now 0.2.1. Major changes in 0.11.7 ======================= * Fix regression in installing .flatpak bundles Major changes in 0.11.6 ======================= * Further work on the export filename regression, now also fixes the same issue as in 0.11.5 but in flatpak build-finish. * Fix segfault when installing from .flatpakref in gnome-software * Build yacc parser from source. * Don't tab-complete Sources/Locale/Debug extension by default. * Fix tests on debian. Major changes in 0.11.5 ======================= * Fix a regression which caused installation of epiphany and other apps that export multiple .service files to fail. * Fix appstream updates in p2p mode. * Don't distribute generated gdbus code with tarball. * Add documentation for the flatpak portal Major changes in 0.11.4 ======================= * flatpak remove is now an alias for flatpak uninstall. * flatpak uninstall now picks system or user automatically if not specified * New appstream branch format which is more efficient to distribute, the old is still generated for backwards compat. * Appstream data now contains compatible arches (for applications that doesn't exist for the primary arch). For example, an i386-only app is now listed in the x86-64 appstream. * The flatpak version is included in the user agent when downloading. * The Flatpak-Ref http header is set to the currently installing ref when downloading. * New argument --timestamp in build-commit-from. * When updating many apps we now only prune the local repo when all updates are done, making multi-app updates faster. * flatpak build now always allows multiarch use. * flatpak build now mounts app extensions during build. * flatpak build-init now supports --extension to add extension points earlier than build-finish. Also build-finish now supports --remove-extension. * New flatpak portal allows applications to sandbox themselves and restart a newer version of themselves. * New flatpak run options: --no-a11y-bus, --no-documents-portal. * Initial support for end-of-life:ing applications. * New option X-Flatpak-RunOptions in exported desktop/files allow you to specify no-a11y-bus and no-documents-portal. * Support for tagged extension points, which is useful if you want to use the same extension id (but maybe different versions) multiple times in an app. * We now export .service files for names that the app is allowed to own on the session bus. * libflatpak got new methods for listing remotes by type. * libflatpak now has support in FlatpakRemoteRef for getting remote metadata such as end-of-life, download size, metadata etc. * There was some internal restructuring on how installs/updates are done which should improve performance and maintainability. Major changes in 0.11.3 ======================= * Fix "open with" and flatpak run --file-forwarding crash * Fix build with glibc 2.27 Major changes in 0.11.2 ======================= * Remove fuse dependency, since we don't ship document portal anymore * Fix various issues with /home being a symlink to /var/home (atomic) * Allow downgrades when using collection ids * Search on all supported architectures Major changes in 0.11.1 ======================= This release removes the document portal and the permission store as they have been added to xdg-desktop-portal 0.10. Packagers need to update these two in lock-step. Flatpak technically doesn't depend on xdg-desktop-portal, but it is recommended that the flatpak package depends on xdg-desktop-portal in some way, because most flatpaks will want it. * Remove document portal and permission store * Add --socket=fallback-x11 permission * Fix dbus proxy vulnerability in authentication phase * Allow personality syscall in devel mode * commit-from: Migrate static deltas with commit * Add "network" storage type for installations * Add flatpak info --show-permissions * Add flatpak info --file-access * search: Update appstream (if stale) before searching * Make libflatpak work when /var/lib/flatpak is empty * build-bundle: Add --from-commit option * Allow appstream ids that don't end in .desktop * Make permission handling ignore unknown permissions for forwards compatibility * Removed incorrect error message in update --appdata when there was no updates * Fix handling of abort in the duplicate remote prompt * Fix division by zero in progress calculation * Fix flatpak remote-info --show-metadata * Fixed crash when installing some flatpak bundle files * Fix installation of telegram * remote-ls -u only considers app from the origin remote * Fix assertion error in extra-data progress reporting * Report nicer errors when trying to downgrade as non-root * pulseaudio: Try to find pulseaudio socket better * Fixed some warnings reported by coverity * Cleaned up code by splitting up some large source files Major changes in 0.10.2 ======================= * Flatpak now requires OSTree 2017.14 * flatpak update now updates from both system and user installations by default. * flatpak update is less noisy when updating appstream info. * All the remote-* commands now by default automatically decide to use --user or --system based on the given remote name. * flatpak remote-ls with no remote lists the content of all remotes * Fixed regression that made xdg-user-dirs and theme selection for kde apps break. * flatpak override with no argument now overrides globally, i.e. for all apps. * flatpak override now supports --nofilesystem properly. For example flatpak override --nofilesystem=~/.ssh hides the ssh dir for all apps, even those who have homedir access. * flatpak install now takes a --reinstall argument which uninstalls a previously installed version if necessary. This is very useful when you want to install a new version from a different source. * flatpak install now allows you to pass an absolute pathname as remote name, which will create a temporary remote and install from that. The remote will be removed when the app is uninstalled. This is very useful during development and testing. * Flatpak now creates CLI wrappers for all installed apps, so if you add /var/lib/flatpak/exports/bin or ~/.local/share/flatpak/exports/bin to your PATH you can easily start flatpak apps by their application id. Major changes in 0.10.1 ======================= * New command "flatpak remote-info" shows information about applications in a remote. In particular the --log operation shows the history and can be used in combination with flatpak update --commit=XYZ to roll back to a previous version. * New command "flatpak search" which allows you to search the appstream data from the commandline. * flatpak update now updates appstream data for all confured remotes, which is important for search to work. * Allow automatic installation of gtk themes matching the active theme. * Handle the case when /etc/resolv.conf is a symlink * /usr an /etc are now expose in /run/host in the app if the app has full filesystem access. * flatpak remote-add now works as a user when /var/lib/flatpak is empty, allowing flatpak to work on stateless systems. * Add support for flatpak build --log-session/system-bus, similar to what flatpak run already does. * flatpak build --readonly runs with the target directory (normally /app) mounted read-only. * Fall back to LD_LIBRARY_PATH if a runtime doesn't have /usr/bin/ldconfig. * Updated the support for OCI remotes. This is work in progress and still disabled by default though. Major changes in 0.10 ===================== This is the first release in a new series of stable releases called 0.10.x. New features will be added to 0.11.x, and bugfixes will be backported to 0.10.x. During the early phase of the 0.10.x series we may also backport minor features, but we guarantee backwards compatibility. Changes since 0.9.99 * Added the flatpak config option which can set the language settings * Fix issue where sometimes ld.so.conf were not generated * /dev/mali0 is added to --device=dri * Work around ostree static delta issues in some cases Major changes in 0.9.99 ======================= * Requires ostree 2017.12 for important pull stability fix * New libflatpak API: flatpak_dir_cleanup_undeployed_refs, flatpak_installation_prune_local_repo, flatpak_installation_remove_local_ref_sync, flatpak_installation_cleanup_local_refs_sync * build: FLATPAK_ID and FLATPAK_ARCH are now set in the environment when building * update: Don't fail the entire update if some remote fails to update its metadata * run: /.flatpak-info now lists exact commits and extensions in use * run: We now use a per-app ld.so.cache file whenn running. This should speed things up, and allows ldconfig to report the correct results. * The verbose mode was changed into two levels, use -vv to show the more detailed info, which currently only contains the full bubblewrap argument lists. * run: Some common problematic host environment variables are now unset in the sandbox (PYTHONPATH, PERLLIB, PERL5LIB and XCURSOR_PATH) * run: Fixed failure when a higher prio extensions depended on a lower prio one. * run: The extension ld path order is now: app extensions, app, runtime extension, runtime. This was previously incorrect in that the app could override app extensions. * Extensions are now not downloaded if a matching unmaintained extension is already installed * Preemptive changes to handle new bubblewrap change which doesn't user /newroot * document portal: Disable debug spew that was accidentally enabled * build-finish: New --extension-priority option * run: Fix regression in --persist in 0.9.98 * run: Use sealed memfds (instead of just temporary files) when passing data to bubblewrap Major changes in 0.9.98.2 ========================= * Fix permission denied when using the system-helper Major changes in 0.9.98.1 ========================= * run: Fix homedir access if the app has --filesystem=host access * build-update: Fix appstream update in case one arch didn't change Major changes in 0.9.98 ======================= * libflatpak now correctly finds metadata for subset installations (like locale data) * flatpak build now supports --appdir which exposes the per-app directory in the user homedir. This is useful when testing builds. * The host fontconfig caches are exposed to the sandbox, next to the fonts in /run/host. This will (pending fontconfig work) allow sharing host fontconfig caches, allowing much faster initial startup for flatpak apps. * flatpak install now supports --no-pull * Added new extension property "locale-subset", which makes the extension point act like a locale extension (i.e. only install the subset configured by the locale). * flatpak remote-add --oci is disabled for now, as this is not up to date with the latest OCI work, and we don't want to break existing deployments if this has to change when this lands. * Parallel installation/updates are now safe because we take a filesystem lock whenever we prune the local ostree repo. * Flatpak run now works when important paths like $HOME, etc, are symlinks. * The ostree min-free-space property is is set to zero by default for the flatpak repos. This was causing a lot of problems for people, but the feature is still there if you manually enable it. Major changes in 0.9.12 ======================= * Fixed a regression in extra-data installation * Don't expose the a11y bus in flatpak build Major changes in 0.9.11 ======================= * You can now show all outstanding updates with: flatpak remote-ls --updates * The dbus filter "org.name.*" now means all subnames of org.name, not just the first level. This matches how dbus arg0namespace works, and how the coming dbus container support will work. * Fixed segfault on update * Better commandline tab completion * Flatpak now exposes host icons readonly as /run/host/share/icons to the sandbox. Major changes in 0.9.10 ======================= Fix regression in dbus proxy that causes some apps to not work in 0.9.9. Major changes in 0.9.9 ====================== flatpak-builder was split out into its own module: https://github.com/flatpak/flatpak-builder * When downloading to a temporary directory for later install to the system repo we now write to /var/tmp instead of $HOME. This is more likely to be the same filesystem as /var/lib/flatpak, and thus will not run into issues with e.g. filesystem full. * We now get the default language list from AccountService if possible. * A regression that made --devel crash was fixed. * New feature for flatpakrefs, SuggestRemoteName=remotename will cause flatpak to ask if you want to create a generic (not app specific) remote for the repo url. * flatpak build now does not die with the parent by default, you have to pass --die-with-parent. This was done because die-with-parent uses PR_SET_PDEATHSIG which does not work well if the parent is threaded, like e.g. gnome-software is. * We now always re-set the personality in the sandboxed process in order to avoid inheriting weird settings. * We now share a single dbus proxy instance for all proxies for a sandbox. * dbus-proxy now properly disallows old-style eavesdropping. * We now support accessibility by starting a customized dbus proxy for the a11y bus. Major changes in 0.9.8 ====================== Core: * Experimental support for peer2peer installation, enable with --enable-p2p * Add default language setting to flatpak config. Defaults to all locales for system installs and the users locale for per-user installs. * build-update-repo: Now always keeps the *two* latest deltas around to avoid race conditions with outstanding downloads at the time or running the update. * Support loading extra data from local lookaside cache. Flatpak-builder: * Set terminal title to the currently building module * Added ability to specify http url for sources mirror with --extra-sources-url. * --install-deps-from=REMOTE installs the dependencies needed for the manifest. * New option --delete-build-dirs to always delete build directories, even on a failed build. * New property "add-extension" makes it nicer to create extension points. Major changes in 0.9.7 ====================== * Don't re-download git repo when bundling sources * Build modules with no source if buildsystem is "simple" * Build cleanups Major changes in 0.9.6 ====================== This version requires the latest ostree version (2017.7) because it uses a new feature that hardens the security of flatpak. Previously, if you installed to a system-wide repository, the files created for an application were as specified by the remote repo, but owned by root, which could include problematic permissions like setuid or world-writable. We now never create such problematic files or directories on disk. Flatpak export was also changed to never create problematic files in new apps. Related to this, newly created flatpak installations also use the new "bare-user-only" mode for the repositories, which means you can now install applications even if your filesystem does not support extended attributes. Other changes: * flatpak info --show-metadata now only shows the metadata, in a machine parseable way. * build-export now records the flatpak version in the commit message * builder: The .pyc timestamp fixer now allows .pyc files with no corresponding .py file. * builder: New feature 'inherit-extensions' lets you copy extension info from the parent runtime. * builder: Set ExtensionOf in auto-created extensions (like Locale and Debug) * builder: Setting CPPFLAGS now works Major changes in 0.9.5 ====================== Changes in flatpak: * Fix installation of installed tests * Don't show an error when updating if a remote is disabled * Store the app id in the X-Flatpak key when exporting a desktop file. * flatpak run: Handle paths when rewriting %u urls during file forwarding. * builder: Always assume separate builddir when using meson, as meson only works with this. * document-portal: The app-specific directory is always accessible to the app, take this into consideration for AddFull. * builder: Don't warn for unknown keys if they start with x- * Fix a race condition when restarting the document portal * build-update-repo: Don't list removed deltas in the summary * list: Don't show .Locale/.Debug/.Sources by default. Show with -a. * remote-ls: Don't show .Locale/.Debug/.Sources, or non-primary arches (unless the primary does not exist) by default. Show with -a. * dbus-portal: Fix handling of NameHasOwner * builder: Add --export-only to export a previous build. * run: Allow regular files for --filesystem=xdg-config/path * run: Allow --filesystem=xdg-config/subdir:ro (previously it needed to be writable). * build-commit-from: Properly handle xa.ref when rewriting refnames. Major changes in 0.9.4 ====================== Changes in flatpak: * Now requires ostree 2017.6 and bubblewrap 0.1.8 * Better progress reporting in CLI and UI * Improved output from commands info, list, remotes, remote-ls: More detail, colors, nicer table formatting. * New command flatpak repo that lets you show information about local repositories. * When launching exported desktop files, the paths passed to it are automatically created as documents to allow access to the arguments, if needed. * Flatpak install of an already installed application is now a warning, not an error. * flatpak build now kills all the processes in the sandbox when it exits. * flatpak update --subpath=... now updates the app event if there is no new upstream version, but the subpath is different from what is currently installed. * Exports are now whitelisted, and the only thing you can export are: desktop files, icons, dbus services, mime definitions, and gnome-shell search providers * Exported gnome-shell search providers are automatically disabled by default. * Exported mimetypes are rewritten to only allow globs, and to make the globs have a low priority vs system mime info. * A remote can now redirect to a new URL and/or a new GPG key, by using build-update-repo --redirect-url=URL --gpg-import=FILE. When clients see this they permanently change the local configuration. This is very useful when migrating official repositories. * flatpak caches in the homedir are now stored in ~/.cache (or $XDG_CACHE_HOME) instead of ~/.local/share/flatpak/system-cache. * Added version field to all exported dbus interfaces. * New AddFull method in the Document Portal, which allows exporting multiple files, as-needed by a particular target app. This is useful for implementations of dbus activation for desktop files. * New flag --no-static-deltas for install/update without using static deltas. Mostly useful for debugging. * TMPDIR is now unset in the sandbox, if set on the host. Each sandbox has a personal /tmp that is used. * Flatpak run now works if /tmp is a symlink on the host. * /etc/hosts and /etc/hosts.conf from the host are now exposed in the sandbox in addition to /etc/resolv.conf. * Titles and default branches are now automatically updated from the remote unless they are explicitly set. You no longer have to run flatpak remote-modify --update. * Some performance inprovements when installing apps. * When exporting a build, the commit objects now always include the branchname, the metadata and install/download size. The sizes are reused for faster summary building, and the others changes are for future use. The fields are verified against the deployed metadata during installation, so it is trusted. * Fixed minor race condition in portal application identification. * lib: New flatpak_installation_update_appstream_full_sync method that allows progress reporting. * bash-completion: Fix out-of-bounds read that could produce weird completion at times. Changes in flatpak-builder: * Added support for appdata screenshot mirroring. * New property "install-rule" lets you change what Makefile rule to use in the install phase. * The git "commit" property can now specify both a tag object and the commit object it refers to. * New cppflags property, similar to e.g. cflags. * The "env" property now overrides the cflags/cxxflags/ldflags properties, to allow these to be reset. * Initial checkout of git/bzr to a temporary directory so that errors during checkout do not persist. * Properly take the "buildsystem" field into account when calculating cache freshness. * Don't crash if appstream-compose fails. * "ldflags" property now works correctly. Major changes in 0.9.3 ====================== Changes in flatpak-builder: * "rename-icon" renames in translated icons too * Moved manifest format docs to own manpage, "flatpak-manifest". * "bootstrap.sh" is now recognized as an autogen.sh alternative * Fall back to not using rofiles-fuse if it is not available. * Make sure flatpak-builder --run grants the app access to dbus. * Make paths paths for module includes and module dependencies relative to the included module rather than the "base" json file. * When cross-compiling 32bit apps on 64bit arches (like i386 on x86-64) then we automatically set a linux32 personallity. * Print warnings for unhandled json properties. * Make sure flatpak-builder --run works if --extra-data is in the finish args. * Take build-commands into consideration when considering if the build cache is stale. * Support for --extra-sources= to pre-seed downloaded sources. * Support for --bundle-sources which creates a runtime with the sources that were used to build the app. * Handle trailing whitespace in git submodule uris * Progress reporting while downloading files. Other changes: * build-export now always exports directories as readable and executable. * build-update-repo --generate-static-deltas now fork the work process rather than using threads, which avoids problems with this using a lot of memory in a single process in some cases. * Report flatpak version in HTTP request user agent. * New "flatpak repo" command added that has some options for maintaining a repository. * flatpak info can now report more information and handles multiple installed branches better. * Support non-default WAYLAND_DISPLAY environment var. * Handle application ids that end with .desktop when generating appstream data. * Documentation updates Major changes in 0.9.2 ====================== * Fixed a use-after-free and some leaks in the dbus-proxy. This is not currently believed to be exploitable, but the proxy is a security boundary, so we still recommend to update. * Regular updates now never allow updates to an older version than what is currently installed (unless you explicitly specify an old commit id). This closes a hole where a MITM attacker can force clients to downgrade to an earlier (gpg-signed) version of the application. * The automatic detection of --from in flatpak install now detects flatpakref extensions even in URIs that end in a query string such as https://git.gnome.org/browse/gnome-apps-nightly/plain/gedit.flatpakref?h=stable * OCI support now supports GPG signatures * OCI support now works with the system-helper for unprivileged systemwide installation. * Experimental support for the new ostree bare-user-only repo mode that allows flatpak to run on filesystems without xattrs. Set FLATPAK_OSTREE_REPO_MODE=user-only in the environment to use this. * builder: New property disable-fsckobjects for git sources * builder: New property commit for git sources. This lets you specify both a tag (for readability) and a commit id (to ensure the tag doesn't change). * builder: The manifest file format docs have been split out into its own manpage. * builder: App manifests now support specifying sdk-extensions that has to be installed for the app to build. * builder: When creating the platform, remove all sdk-specific extensions, allowing creation of sdk-specific extensions. * builder: Correctly handle absolute pathnames in the specified command. * builder: Support --default-branch which defined the branch to build in case the manifest doesn't specify one. * When exporting builds to ostree we now use the canonical permissions for bare-user files, which means the resulting builds can safely be used with the new ostree bare-user-only repository type. * The detection of "unmaintained" system extensions was broken, and in some cases these extensions were not found. This now always works. * Flatpak now builds with latest OSTree. This required some fixing for multiple definitions of the g_auto* macros as OSTree now exports those. * We no longer rely on ostree trivial-httpd for the tests, because this is optional in later versions of ostree. Instead we use they python SimpleHTTPServer. * The minimum glib version has been corrected to 2.44. * The minimum automake version has been increased to 1.13.4 because some older version didn't work. Major changes in 0.9.1 ====================== This release mostly has changes to flatpak-builder and the build machinery. All flatpaks built with this version can run on flatpak 0.8.x, but there has been additions and minor changes in flatpak-builder that may require minor changes to existing builder manifests, see below. The flatpak-builder build cache now uses an ostree feature called rofiles-fuse. This allows the build to work directly against hardlinked checkouts of the cache, because rofiles-fuse disallows writes to the hardlinked files (but allows replacing them). This makes cache commits and checkouts much faster. However, it also means that installation cannot do in-place modification of files in the installation directory. There is a new per-module property called "ensure-writable" that takes a list of patterns and ensures all files matching them are writable (by manually breaking the hardlinks). This may need to be added to some manifests to keep them building in the new version. The cflags and cxxflags module properties now work by appending, rather that replacing, when there are multiple values specified. For instance, the per-arch or per-module cflags will be appended to the base cflags. This may cause old json files do duplicate cflags in some cases. Normally compiler flags are repeatable without problems though, so it is unlikely to cause problems. Here are a short summary of the rest of the flatpak-builder changes: * The build cache was changed so that it is not invalidated if the installed version of the SDK changed. This means that the app will not rebuilt if you updated the SDK. This is generally the right thing to do, as SDKs are meant to be compatible. If you want to avoid this (for instance when building against an unstable sdk) you can use the --rebuild-on-sdk-change argument. * The build cache is now per-arch, so building on one arch doesn't invalidate the cache for another arch. * New buildsystem "cmake-ninja" which works like "cmake", but builds using ninja, rather than make. * New buildsystem "simple" which doesn't use configure or make, it just runs a set of shell commands specified in the "build-commands" property. Note: build-commands is also available to other buildsystems and are run between make and make install. * flatpak-builder now has build-runtime and build-extension properties that makes it easier to build runtimes and extensions. * FLATPAK_DEST is set in the build environment to the installation destination (i.e. typically /app). It is particularly useful when building an extension where the destination is more complex. * flatpak-builder now supports --from-git=URL which pulls the json manifest and related files directly from a git repo. * modules have a new no-make-install property which skips the make install step. * Modules and sources have only-arches and skip-arches properties, which lets you enable/disable them based on the build architecture. * build-options has a new property ldflags, which is similar to cflags and cxxflags. * flatpak build (and thus flatpak-builder --run) now supports dbus proxies when needed. * All git repos are cloned with fsckObjects=true, which means we verify that the repos are valid. * New flatpak-builder argument --build-shell=MODULE extracts and prepares the sources for a specified module and then starts a build sandbox inside it. There are also some other changes: * build-export: Now supports --timestamp=ISO-8601-TIMESTAMP, which allows you to create reproducible commits. * The OCI support has been updated to the latest version of the OCI image specification format. * There is a new flatpak-bisect script that can be used to bisect flatpak applications, looking for regressions. * flatpak list got a revamp. It now shows more information, and shows both apps and runtimes by default. * flatpak remote-list was renamed flatpak remotes in order to minimize confusion with flatpak remote-ls. The old name is deprecated but still works. Major changes in 0.8.4 ====================== In addition to the regular list of bugfixes this stable release include backports of one more feature required for making OpenGL work well. Now extra-data using extensions (such as the nvidia driver) can specify that it doesn't need a runtime to run its apply script. We use this in the nvidia driver by making the script a static binary, which lets us use the nvidia driver for multiple runtimes without requering that a particular one is installed. We also support an extension point supporting multiple versions, which will be use for sharing the nvidia driver between different runtime versions. Additional fixes: * Documentation fixes * Crash fixes * Fix xauth propagation in some cases * Don't remove origin remotes on uninstall if some other app is installed from it. * Don't reset what locales are installed when updating a locale extension * Disable splice for the documentation portal as it seems to be broken in fuse * Append, don't override XDG_DATA_DIRS in profile script * Fix progress reporting in libflatpak to go from 0 to 100% once, merging the various phases. Major changes in 0.8.3 ====================== In addition to the regular list of bugfixes this stable release include backports of a the updated OpenGL support from master. This, in combination with the work in the runtime allows flatpak to work out of the box with out-of-tree OpenGL drivers, including the nvidia driver. Additionally, due to some complicated issues wrt ptrace and user namespaces this version disables the use of user namespaces if bubblewrap is setuid, as it cause problems for the way flatpak portals identifies applications. (See issue #557 for details) * Better handling of errors for extra-data * Handle extra-data properly for runtimes (as well as apps) * Respect required version for runtimes (as well as apps) * flatpak list: Don't break if some local ref is not deployed * builder: Look for appstream data in /app/share/metadata also * builder: Fix buildsystem=cmake builds * Add progress reporting to extra-data download * Fix uid/gid for directories in document portal Major changes in 0.8.2 ====================== This is a bugfix and security update. Some of the bind-mounts that flatpak sets up were not read-only as they should have. This includes: extensions, system fonts, resolv.conf, localtime and machine-id. Many of thse are typically only writable by root, but some, like the user-specific fonts and user-installed extensions could be modified from the sandbox. Everyone using 0.8.x is recommended to update to this version. Other fixes: * There are new configure options for where to install dbus configuration * Broken symlinks in the root directory no longer break flatpak run * flatpak run with HOME in /var now works * dri access now also handles mali devices * install handles --arch when installing flatpakrefs * system-helper activation fixed on systemd-less setups * dbus-proxy now works without /run * During installation, failing to update a dependency is now not fatal. * /etc is now fully writable when building runtimes * --filesystem=xdg-config/foo now sets up the bind-mount from the host dir even when not using :create. Major changes in 0.8.1 ====================== This is a bugfix and security update (CVE-2017-5226). Flatpak now uses seccomp to disallow the TIOCSTI ioctl in the sandbox, which works around the possibility to inject text on the controlling tty (CVE-2017-5226). This was previously fixed in bubblewrap in 0.1.6, but that change has now been reverted as it introduced other problems for flatpak. * Update bundled bubblewrap to 0.1.7 * Fix writing new file with O_EXCL in the document portal. * Allow appstream data that doesn't have .desktop in the component id, such as data for runtimes. * Drop json-glib dependency from 1.2 to 1.0 * Builder: Fail if unable to read included file * OCI: Ensure exported layers are readable by everyone * Fix extra-data download in gnome-software * Fix update-mime-database trigger when installing via the system helper. * Updating an app by installing a newer bundle now works again. * Make /var/tmp not be on a tmpfs (it is now in ~/.var/app/$appid/cache/tmp). * Documentation / translation updates Major changes in 0.8.0 ====================== This is the first release in a new series of stable releases called 0.8.x. New features will be added to 0.9.x, and only bugfixes will be backported to 0.8.x. The featureset of this release is a good base to target if you're creating flatpaks that should be widely usable. This release technically requires only OSTree 2016.14, and it build fine with this, but we recommend using OSTree 2016.15, because of the change in how it verifies the checksums of commits in delta files. * Flatpakrepo files now support a RuntimeRepo= key which points to a flatpakrepo file. This means the user don't have to manually configure a remote for the runtime, just reply to the prompt to automatically do this when installing the app. * We now support dependencies when installing bundles. This includes required runtimes, related refs, and the equivalent of RuntimeRepo. * The support for OCI in flatpak has been updated to the latest OCI spec version, and support has been added to directly install flatpak applications from an OCI image. * In flatpak install, the --from and --bundle options are now optional if the argument has the correct suffix (.flatpakref and .flatpak) * Flatpak install now supports -y to let you avoid interactive prompts. * build-finish: We now export mime type files with the right name. * build-finish: New --require-version option let you specify a particular version of flatpak, and older version of flatpak will not install or update to the new version. * build-sign: Allow signing all apps by omitting the id. * Fix regression in the document portal when adding named files. * build-import-bundle now signs the commit if you specify a gpg key. * Flatpak now reads configuration from /etc/flatpak/installations.d which lets you support multiple system-level installation paths. These can be accessed with new --installation=... arguments to most of the commands. * flatpak-builder: Support --jobs=N to limit parallel builds * flatpak-builder: Patch source got new options property that lets you pass arguments to patch. * flatpak-builder: New generic "buildsystem: type" option that replace the (now deprecated) "cmake: true" option. This supports "autotools", "cmake" and "meson". Major changes in 0.6.14 ======================= * Update bundled bubblewrap to 0.1.4 which has some nice bugfixes. If you are using an external bubblewrap it is recommended, but not required to update. * Requires OSTree 2016.14, which allows us to drop some old workarounds. * When installing an application system-wide, don't consider dependencies that are installed for the user only. * Flatpak install --from now tries to re-use existing remotes to avoid creating unnecessary origin remotes. * Using --filesystem=$dir when $dir is a symlink-to-directory now works. * Using --filesystem=$file to expose unix sockets to the app is now allowed. * By default all the directories in ~/.var/app (except the app), as well as ~/.local/share/flatpak are hidden in the sandbox. * New option --filesystem=$dir:create which will create the destination if it did not previously exist. * --filesystem= now supports for xdg-[config|cache|data]. This allows you access to the host versions of these xdg dirs. Additionally if you use these with a subdirectory, like: --filesystem=xdg-config/subdir then that subdirectory on the host will be shared with the per-app instance of the xdg-dir. * Builder now correctly handles app-ids that have dashes in them. Previously this generated invalid ids for the debuginfo and locale extensions. * The experimental OCI file format support was changed from creating an OCI container to creating an OCI image. * Fix regression where "flatpak update --appstream remotename" broke Major changes in 0.6.13 ======================= * The command line arguments for install/update/uninstall changed These used to take an application id and an optional branch name as two arguments. This meant you could not specify multiple apps to install in a single command. So, instead of having the branch as a separate argument we now support partial references. If you only specify an id we try to match the rest as best we can depending on what is installed/available, but if this matches multiple things you have to specify more details. For example you can use: * org.my.App//stable - Any compatible arch, stable branch * org.my.App/x86_64 - x86-64, look for available branch * org.my.App/x86_64/stable - exact reference This means install/update/uninstall can now install multiple apps in a single operation. * Application runtime depencenies are checked/downloaded Whenever you install or update an application we check that the required runtime is installed. If not, we check if it is available in any configured remote, and if found asks the user if/where to install it from. If it is not found, the install/update fails. You can mark remotes as --no-use-for-deps, which means flatpak will never search for runtime dependencies in such remotes. This makes the dependency search faster if you have app-only remotes. It is recommended that app-only .flatpakrepo file define this by specifying NoDeps=true. * remote-add and install --from now supports uris This means you can install flatpakrefs and flatpakrepos in a single command like so: * flatpak remote-add --from gnome https://sdk.gnome.org/gnome.flatpakrepo * flatpak install --from https://sdk.gnome.org/gedit.flatpakref * flatpak run can now launch a runtime directly For example, "flatpak run org.gnome.Platform//3.22" will launch a shell inside a sandboxy with the gnome 3.22 runtime and an empty /app. This is useful for development and testing. * included bubblewrap was bumped to 0.1.3 which has a security fix * Support for defining the default branch per remote * remote-add/modify: --update-metadata pulls current title and default branch from remote summary file * Applications can now list a set of URIs that will be downloaded with the application. The app can then extract these and use as a part of the application data. This is useful for applications using freely downloadable parts that can't be redistributed elsewhere. * flatpak-builder: Support --finish-only and --allow-missing-runtimes * flatpak-builder: Support app layering An app can define a "base" application which is used for the initial content before the application is built. This way applications can be built in a layered fashion. * dbus proxy: The filtering has been tightened up * build-finish: Now exports icons for themes other than hicolor too * There is support in the app metadata for generic policies. These are read and propagated and supports overriding, but are not otherwise interpreted by flatpak. They can be used by other host services as static permissions for the application. * Support for extensions directories In addition to using flatpak maintained runtime as an extensions flatpak can now use raw directories in ~/.local/share/flatpak/extension and /var/lib/flatpak/extension. For example, if you create a directory called org.freedesktop.Platform.GStreamer.MyPlugins/x86_64/1.4 there it will be used as a source for gstreamer plugins for all runtimes based on the freedesktop 1.4 runtime. Major changes in 0.6.12 ======================= * Partial revert in application id rules. Application ids can now only have dashes in the last element. This allows apps to export files such as org.my.App-extra.desktop which was used by the libreoffice builds. * By default the kernel keyring is not accessible, as it is not containable. * Some robustness fixes for build-commit-from * Better error messages * flatpak update --appstream now updates for all remotes * Made flatpak enter work, and you can now use any pid in the sandbox. However, it requires root permissions. * Support for --device=kvm for /dev/kvm access * Support for --allow=multiarch to support non-primary arch support. For example running i686 code in an x86_64 app. * Add new default-branch setting for the remote configuration Major changes in 0.6.11 ======================= * Dashes are now allowed in application ids. However, to still work with symbolic icon names, they may not end with "-symbolic". * HostCommand now handles ptys correctly * Various documentation updates * New FLATPAK_CHECK_VERSION macro in libflatpak * HostCommand now returns the real PID rather than a fake one. * Fix regression in flatpak update --appstream * Fix regression installing bundles without origin urls * New flatpak-builder option --show-deps lists all the files the manifest depends on. Major changes in 0.6.10 ======================= * Dropped requirement for systemd --user. The way we detect if an process we're talking to is sandboxed, and what application id it has doesn't use cgroups anymore, which means that the dependency on systemd in the user session is now optional. This also means the --no-desktop argument is not needed any more. (It is still accepted but does nothing.) * Initial support has been added for .flatpakref files. These are simple key value files similar to .flatpakrepo files, however they specify an application to install in addition to the repo information. For example, gedit can be installed by downloading https://sdk.gnome.org/gedit.flatpakref and running: flatpak install --from gedit.flatpakref There is also library support for this so it can be added to graphical installers (such as gnome-software). * Requires OSTree 2016.10. The change in how OSTree handles mtimes in checkouts that was introduced in 2016.7 has been reverted, and the required changes in Flatpak has been made. This means that flatpak now depends on OSTree 2016.10. * Requires Bubblewrap 0.1.2 for builds using the system bubblewrap. Builds using the included copy need no changes. * The $XDG_RUNTIME_DIR/flatpak-info file has added information about the running application, and is now also securely available for a running application from the host as "/proc/$fd/root/.flatpak-info". This is what is used to identify remote apps instead of the cgroup info. * A new run permission --allow=devel has been added. An application with this permission is allowed to use ptrace and perf. This was previously only available during "flatpak build" and "flatpak run -d". This is useful if you're packaging e.g. an IDE. * When an application is updated or removed a /app/.updated or /app/.removed file is created for running instances. This can be used by applications to trigger e.g. a restart for the new version. * A new dbus request "HostCommand" has been added to org.freedesktop.Flatpak. This lets you run any command on the host, and is therefore clearly not sandboxed, so access to this should be limited. However, it is very useful if you're using flatpak mainly as a distribution mechanism, for a non-sandboxed application. * flatpak-builder now supports running from inside a flatpak, by auto-detecting this and using the HostCommand service to run recursive flatpaks. * Consecutive calls to flatpak build-update-repo has been speed up. * The document portal now allows sandboxed applications to create references to files in /app and /usr (in the app/runtime). * The update process noew doesn't stop at the first failure. Major changes in 0.6.9 ====================== * Dropped dependency on libgsystem * Allow passing partial refs whenever a CLI command takes an app or runtime name. * New command build-commit-from creates a new commit based on the contents of another commit (optionally from another local repo). * The sandbox now contains $XDG_RUNTIME_DIR/app/$APPID from the host (and the directory is created if needed). * update: Better output, and faster for the no updates case * build-export: Don't make most validation errors fail, instead just print a warning. * builder: Support local path references for git sources * builder: Better handling of recursive git submodules * builder: Fixed issues with the .pyc mtime rewriting * builder: Handle symbolic icons for rename-icon * builder: Add --stop-at=$module to do partial builds * builder: Add --sandbox flag to disable the build from escaping from the sandbox via build-args. Major changes in 0.6.8 ====================== * Requires OSTree 2016.7, allowing us to enable use of static delta for system downloads again. * Support --no-desktop which allows you to run a flatpak app outside a desktop, with some loss of functionality (for example, there will be no systemd --user scope created for the app).. * More documentation. * Memory leak fixes. * Initial support for rpms as flatpak-builder archive sources. * Start work on translating the CLI. * Install systemd config snippet to set the right XDG_DATA_DIRS path. * Support --arch in flatpak list. * Support access() in the document portal. * Validate exported desktop files. Major changes in 0.6.7 ====================== * Automatically download and update related references such as locales when using the CLI. * lib: Support for getting related references * Document metadata format * Support build using system-installed bwrap * Allow access to the journal socket in the sandbox * builder: Support applying patches with git (useful for binary diffs) * Require ostree 2016.6 Major changes in 0.6.6 ====================== * Better support for multi-arch (for instance, will automatically install i386-only app on x86_64 without user having to specify --arch). * Support --device=all to access the full host /dev * More command line support for managing exported documents * Extended API for the document portal: Lookup, Info, List * flatpak-builder: Support initializing /var from a runtime extension. * Disable static deltas when updating via the system helper to work around bug in ostree. Major changes in 0.6.5 ====================== * Documentation improvements * builder: Check that the specified command exists after build is done * builder: Fix up mtime in headers for python precompiled files * builder: Allow submodules and including modules from other json files * system-helper builds are optional (--disable-system-helper) * system-helper: Support installing from local remotes and bundles * Improved support for --subpath installs, including libflatpak support * Improved command line completion Major changes in 0.6.4 ====================== * Fix an issue where flatpak sometimes created empty "repo" directories in the CWD Major changes in 0.6.3 ====================== * Fix resolv.conf regression in `flatpak build` * Fix LD_LIBRARY_PATH override support in `flatpak build` * Support forwarding app permissions in `flatpak-builder --run` * Flatpak is now smarter about the default branch to use in most operations * update will not fail on the first error if updating several things * New much more complete bash completion system * Faster installations * Support new keyfile format for remote-add --from=file Major changes in 0.6.2 ====================== * Fixed no-network support regression in setuid mode. * Fixed creation of root-owned file in home dir when using sudo in some cases * New --with-privileged-group configure option Major changes in 0.6.1 ====================== * Fixed support for systems without user namespaces (default for Arch) or unprivileged support for user namespaces (default for Debian). * Fix memory leak during install/update. * update: Fix support for --arch. * Set the right location for the system directory in the environment. * system-helper: Support updating without deploying (needed for gnome-software support). * lib: Fix support for updates Major changes in 0.6.0 ====================== Renamed from xdg-app to Flatpak. Existing repositories should keep working, and locally user installed apps/runtime will be migrated automatically. However, there are some things that you have to be aware of: * The command names are now flatpak/flatpak-builder * System-wide installed apps/runtimes need to be reinstalled * flatpak-builder uses a ".flatpak-builder" subdirectory instead of ".xdg-app-builder". * The bus name and interface name for the permission store is changed, it was in org.freedesktop.XdgApp, but is now in org.freedesktop.impl.portal.DesktopPortal. * The installation migration is a one-time operation so you can't go back to xdg-app after updating. * The library API (and name) changed due to the rename. Other changes: * Flatpak now hard-requires ostree 2016.5 * Switch from using xdg-app-helper to an included version of bubblewrap: https://github.com/projectatomic/bubblewrap * Added a policykit-based system helper that allows you to authenticate via polkit to install into the system repository. * Added an experimental command to export/import applications and runtimes as an OCI tarball. * builder: Fix creation of locale extensions if there was no locale data in the build. * It is now possible to disable/enable configured remotes. * A lot of new tests where added, and we now support installed tests. * builder now has an optional --arch argument for multiarch building. * Builder modules can be disabled with "disabled": true. * Using --filesystem=/tmp now hides the system X11 sockets. Major changes in 0.5.2 ====================== * The way locale extensions work has changed. Now we build a single extension for all locales, but we allow you to specify a subset of it during installation and update time using the --subpath commandline flag. The main reason for this is that the many extensions didn't scale, both in technical terms (large ostree summary file size), but also in terms of the UI listing hundreds of uninteresting things. * We no longer use sizes in the commit objects to get installed and download size, instead we store some extra metadata in the summary file. This allows us to get much faster access to these, as with recent ostree versions we can cache the summary file. * New command xdg-app build-sign that lets you sign a commit at any time. * New argument xdg-app build --force-clean that removes pre-existing build dirs. * xdg-app run now uses the "current" version as the default if you specify no branch or arch. It used to default to the "master" branch. This will default to the last installed version, but can be changed with xdg-app make-current. * Added config-opts to the build-options in xdg-app-builder. This allows you to extend the configure flags in an arch dependent way. * Documentation updates Major changes in 0.5.1 ======================= * Make xdg-app-builder --build-only not export the results * Create all-in-one Locale extension that combines all the locale extensions * Extract icons for all appdata nodes when creating appstream * Documentation updates * Better handling of metadata in xdg-app-builder cache * Respect the specified branch when exporting in xdg-app-builder * Fix support for multi-arch with i386 userspace and 64bit kernel * Avoid deprecated 32bit capabilities syscalls Major changes in 0.5.0 ======================= * Some libxdg-app API additions for handling bundles * Default to /bin/sh as user shell in sandbox * Fix detection of which apps are in use during uninstall * New implementation of fuse filesystem for document portal. It is now cleaner and works on 32bit. * Honor the noenumerate flag on remotes in CLI and libxdg-app. * Add change notification for permissions store * Require signed summaries for gpg-signed remotes * Fix summary signatures of deltas in xdg-app build-update. Major changes in 0.4.13 ======================= * Fix misgeneration of appdata xml in some cases * Various improvements to bundles, and support in libxdgapp * Add sources to Debug extensions created by xdg-app-builder * Allow specifying subdirs of xdg-* dirs, for instance: --filesystem=xdg-download/some-dir * Add support for --filesystem=xdg-run/subdir which means XDG_RUNTIME_DIR dir, rather than xdg-user-dirs. * Add --generate-static-deltas option to build-update-repo. Major changes in 0.4.12 ======================= * Fix crashes. * Update exports when removing apps. * Remove appstream and repo refs when removing a remote. * Add some build options to make libxdg-app usable inside a sandbox. * xdg-app-builder builds are now in the .xdg-app-builder/build subdir. * Make system repo bare-user to avoid creating any setuid binaries. * Add xdg-app-builder --run operation that runs a command with the build environment set up. * Support creating locale extensions with xdg-app-builder. * Add support for tags to metadata. * Put runtime info and tags in the appstream data Major changes in 0.4.11 ======================= * Fix assertion when installing runtime Major changes in 0.4.10 ======================= * App desktop files and icons were not being exported to the desktop Major changes in 0.4.9 ====================== * Fix crash at end of runtime install. * xdg-app-builder has a new source type "shell" which lets you run arbitrary shell commands. * Allow apps with writable homedir access to modify the xdg-app repos. * New xdg-app info command gives you status of an installed app or runtime. * The xdg-app-builder cache now contains the sdk commit id, so that a new version of the sdk invalidates the cache. * Fixed a regression in the xdg-app install-app backwards compatibility handling. * xdg-app now gives the application access to the deployment path, which can be used to give host-side services access to app files (such as help documents). * build-export no longer exports appstream files, and when generating appstream files we don't need them to be. * The default architecture tag used by xdg-app is now made canonical when needed (i.e. on arm/x86/mips). Major changes in 0.4.8 ====================== * Changed global installation directory to /var/lib/xdg-app (not /var/xdg-app). * Add support for a dbus filtering on the system bus. * Choosing user namespaces or setuid is now a runtime option, not build time. * Fix xml-escaping in the appstream generation. * Various build fixes. * Added some more documentation for the library. * Disable support for running apps on systems without a systemd user session. * Fix uninitialized memory read in xdg-app-builder during git checkouts. * Correctly handle disabled git submodules in xdg-app-builder * Fix hiding of non-exported symbols in libxdgapp Major changes in 0.4.7 ====================== * Enabled build of libxdg-app by default, now the API is stable enough for e.g. gnome-software to use it. * Restructured the command line interface to xdg-app, it is now more streamlined and easy to use. For instance, to install both apps or runtimes, now use "xdg-app install $name". The old commands still work, but are deprecated and not in the docs. * xdg-app-builder has gotten a bunch of new features that makes it easier to build apps, and some initial work to make it possible to create runtimes using it * build-export now finds and export any app-info installed by the app, and build-update-repo collects all such exports into a per-repo branch for appstream and icons. * The client (and libs) support for locally mirroring the appstream branch for each remote. This allows use to create graphical appstores with user-readable information and icons. * On the client side one can now specify priorities for each remote. Major changes in 0.4.6 ====================== * Added an initial version of libxdg-app, a highlevel library intended to be used by user interface frontends to xdg-app. It is not yet API stable, so it is disabled by default. Enable with --enable-libxdgapp * Added xdg-app-builder, a separate tool that makes it easier to build applications with external dependencies. * Add support for single-file bundles, which can be a useful way to distribute apps on e.g. a usb stick. Only works with the latest version of ostree. * Always allow apps to talk to the built-in portals * Support granting read-only access to the filesystem with e.g. --filesystem=host:ro * Add /run/user/$uid/xdg-app-info file that contains the current permissions of the app * Add --writable-sdk option to xdg-app build-init * Add file locking to better handle concurrent xdg-app operations like update and install * Various fixes Major changes in 0.4.5 ====================== * Support signing commits in build-export * Correctly handle symlinks in host root when app has host-fs access * Always regenerate summary after build-export * Make uninstall a bit more robust * Install the dbus introspection files * Add human readable size to build-export report * Add /dev/ptmx symlink in app * Fix apps not getting SIGCHILD * Only expose minimal /etc/[passwd|group] in app Major changes in 0.4.4 ====================== * Fix race condition in fuse fs * Don't save uid/gid/xattrs in build-export * run: Handle existing mounts with spaces in them * propagate xauth cookies to sandbox Major changes in 0.4.3 ====================== * Build with older ostree * Add --nofilesystem flag to e.g. xdg-app run * Add xdg-app dump-runtime command Major changes in 0.4.2.1 ====================== * Fix dbus proxy Major changes in 0.4.2 ====================== * Fix build with older versions of glib * Fix regression in filesystem access configuration * Make seccomp use optional (for arches without it) * Add xdg-app enter command to enter a running sandbox * Fix /var/cache being readonly * Add /var/data and /var/config shortcuts for per-app data * Minor fixes to bash completion Major changes in 0.4.1 ====================== * Fixed a parallel build issue * Fixed a build issue where openat() didn't get a mode passed * Don't block ptrace and perf in debug and build runs * Put nvidia drivers in sandbox if DRI allowed * Support specifying a version for runtime extensions Major changes in 0.4.0 ====================== * A new permissions store was added to the dbus api. This can be used by portal implementations that want to store per-app permissions for objects. * The document portal was added. This is a dbus api which you can use to create document ids and assign apps permissions to see these documents. The documents themselves are accessed via a custom fuse filesystem. * perf and strace are now blocked via the seccomp filters * You can now override application metadata on a system and per-user level, giving apps more or less access than what they request. * New command modify-remote added which lets you change configuration of a remote after it has been added with add-remote. * Support for adding trusted gpg keys on a per-remote basis has been added to add-remote and modify-remote. * The repo-contents command has been renamed to ls-remote to better match the other commands. * The list-remotes command can now show more information about the remotes. * The bash completion implementation has been improved. Major changes in 0.3.6 ====================== * Fix a typo in the socket seccomp rules that made ipv6 not work * Export the users fonts (~/.local/share/fonts or ~/.fonts) in the sandbox * Fix seccomp rules to work on i386 * Make exposing xdg user dirs work right