It seems OSTree switched back to 0 for mtimes, so we have to switch
back too. We need to depend on this release to ensure that all
created repos get things right.
Arrange for stdout and stderr to be redirected to the systemd
journal, before exec'ing bwrap. This is under the control of
a pair of run flags. By default, we try to be smart and only
redirect if stderr is not a tty.
Drop the gettext requirement to something that is available in
Enterprise distributions. Gettext older than 0.19.7 won't support
merging translations back into xml with msgfmt, but the fallback
code to install the untranslated policy file should work for
that case.
Drop the intltool dependency that was recently added, and use
upstream gettext and its its features for the same purpose.
Note that polkit currently does not install .its files (I've
sent a patch). Until that is in place, this change has the
effect of installing the untranslated policy file.
The build system did not have any minimum requirements on GLib, which is
somewhat optimistic. We rely on ostree, so the minimum version is the
same as ostree's minimum requirement, 2.40.
This has some important pull fixes that we want people to have.
Also it changed the mtime of checkouts from 0 to 1, so we want
to require only one of those (as flatpak has some special code for mtimes).
This lets distributors share a system copy of bubblewrap (>= 0.1.0)
between Flatpak and any other projects that benefit from it, if they are
careful to keep new versions in sync. The default is still to use the
bundled submodule, ensuring compatibility and simplifying dependencies.
Enable $PATH search everywhere that runs bwrap, so that $BWRAP doesn't
necessarily need to be a fully-qualified path.
Signed-off-by: Simon McVittie <smcv@debian.org>
This lets you export and import a runtime or an application into a tarball
that explodes to match the oci runtime spec. The goal of this is to interchange
xdg-app apps with other systems that support OCI.
Note that this is highly experimental, because the oci specs are in flux, and
in fact we should probably use the OCI image spec instead of the runtime spec,
but it's not yet finished enough for us to use it. So, don't rely on this for
now other than to experiment with it.
Add a --with-dwarf-header argument for supplying the path containing the
dwarf.h header from libdwarf. Either a path must be provided, or a fallback
location of $includedir/libdwarf will be tested.
https://bugs.freedesktop.org/show_bug.cgi?id=94308
We know the documentation is incomplete, so there seems little value
in having 'make check' tell us that. Everything except the documentation
check is expected to succeed, so it's now more useful to report test
failures in continuous integration systems, making functional
regressions more visible.
Signed-off-by: Simon McVittie <smcv@debian.org>
We now check at runtime if we have raised privs, and only if not so do we try
to use unprivileged user namespaces. This means you can build xdg-app however,
and then setuid/setcap the binary however you want afterwards.
This is a high-level library for working with xdg-app without using
the command-line interface. The primary use case for this is for
creating a graphical frontend for app installation/update.
Some xservers out there (like xorg 1.17.1) have a broken server interpreted
local xauth, which causes apps to fail to connect to the xserver.
This fixes that by propagating Xauthority data such as the MIT-MAGIC-COOKIE-1.
This moves all source code into separate subdirs per binary. The
helper and the generic stuff goes into lib/ which is then used by all
the others. For now this is a completely internal library, but at
some point we will probably clean it up and expose some subset.
Also, we move the dbus proxy to libexecdir.
We disallow any network family but inet, inet6, unix and netlink
as the rest are generally weird old unused things.
We also have a blacklist of syscalls, some are just old unnecessary
things, some are things that are "risky", like NUMA/VM control, and
setting up custom sub-namespaces.
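
The socket-family restriction described in the last message above can be expressed on Linux as a seccomp BPF filter. The following is an added example, not code from xdg-app or from the commit itself; it assumes seccomp as the mechanism, and the function names `filter_verdict` and `install_family_filter` and the `EAFNOSUPPORT` return value are illustrative choices. The filter is evaluated in user space so its verdicts can be checked without sandboxing the calling process.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumptions: little-endian (low 32 bits of args[0] sit at its offset) and a
 * single syscall ABI; a production filter must also check seccomp_data.arch. */
#define OFF_NR   ((uint32_t)offsetof(struct seccomp_data, nr))
#define OFF_ARG0 ((uint32_t)offsetof(struct seccomp_data, args))

static struct sock_filter family_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 6), /* other syscalls: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARG0),           /* socket(family, ...) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET6, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_NETLINK, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EAFNOSUPPORT), /* any other family */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof family_filter / sizeof family_filter[0])

/* Interpret the filter in user space; handles only the three opcodes used above. */
uint32_t filter_verdict(int nr, int family) {
    struct seccomp_data d = { .nr = nr, .args = { (uint32_t)family } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *f = &family_filter[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + f->k, sizeof acc);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf;  /* relative to the next insn */
        else return f->k;                         /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL;
}

/* Load the filter into the kernel: irreversible for this process and its children. */
int install_family_filter(void) {
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = family_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

On ABIs that multiplex socket calls through `socketcall`, the family is not visible in a syscall argument, so this filter form does not apply there.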