This mirrors the one for flatpak.git. There are bits of the
flatpak-builder code which are P2P-specific and which couldn’t be
enabled before.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #68
Approved by: alexlarsson
This lets you modify the project_license field in the appdata file.
This is useful because appdata files from upstream generally only
contain license information for the app itself, whereas the
bundled app may contain other code with additional licenses.
Closes: #41
Approved by: alexlarsson
A series of following commits will introduce a peer to peer feature for
pulling apps and runtimes from LAN peers and USB sticks without needing
an internet connection. This requires experimental API in libostree
(which needs to have been configured with --enable-experimental-api), so
needs to be hidden behind a configure option in flatpak too. It’s called
--enable-p2p, and bumps our libostree dependency to 2017.8 with
experimental API required too.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This includes a change in how ostree reports missing gpg signatures
which makes the test-suite pass. Additionally that change requires
us to change how we detect such missing gpg signatures in one place.
We could try to support both versions, but the easiest fix is to just
require the latest ostree.
This uses the new libostree APIs that landed recently to ensure
that we reject any files with mode outside of `0775` for system
helper pulls, and we also mask directory modes during checkout.
However, this does *not* fix up any already downloaded content.
For that, one could uninstall/reinstall; or a future patch could
do a one-time fixup pass.
Note that I am not aware of a way for flatpak applications to escalate their
privileges directly with this flaw; the bubblewrap `PR_SET_NO_NEW_PRIVS` turns
of setuid. However, in combination with code execution on the host via another
mechanism (e.g. unsandboxed app), a setuid app injected could be used to gain
full host privileges.
At this time we're not aware of any flatpak content exploiting this issue.
Closes: https://github.com/flatpak/flatpak/issues/845