Releases: flatpak/flatpak-builder
1.2.3
1.2.2
This is a security update to resolve CVE-2022-21682.
Upgrading both Flatpak and flatpak-builder is required.
CVE-2022-21682 is a vulnerability in how flatpak-builder uses flatpak,
which can cause flatpak-builder --mirror-screenshots-url commands to be
allowed to create directories outside the build directory.
flatpak-builder >= 1.2.2 uses a new option --nofilesystem=host:reset
to cancel out filesystem permissions in the application manifest and
overrides. This is only effective when using Flatpak >= 1.12.4, or a
version that has a backport of the --nofilesystem=host:reset feature
(such as 1.10.x versions >= 1.10.7).
When using an older version of Flatpak, this version of flatpak-builder
will still work, but it will show a warning: "Unexpected filesystem
suffix reset, ignoring". In this situation, it is still vulnerable
to CVE-2022-21682.
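The version requirements above can be checked on a build host with a short script. This is an added example, not code from the flatpak-builder project: the function names are hypothetical and it assumes plain dotted-decimal version strings. Because a distribution backport cannot be recognised from the version number alone, it also includes a check of a build log for the warning quoted above.

```shell
#!/bin/sh
# Added example, not flatpak-builder project code.
# Assumes versions are plain dotted decimals such as 1.12.4.

# ver_key X.Y.Z: print one integer that orders versions numerically.
ver_key() {
    IFS=. read -r maj min mic _rest <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${mic:-0} ))
}

# ver_ge A B: succeed when version A >= version B.
ver_ge() { [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]; }

# flatpak_has_reset V: per the 1.2.2 notes, --nofilesystem=host:reset is
# understood by Flatpak >= 1.12.4 and by 1.10.x releases >= 1.10.7.
flatpak_has_reset() {
    case $1 in
        1.10.*) ver_ge "$1" 1.10.7 ;;
        *)      ver_ge "$1" 1.12.4 ;;
    esac
}

# cve_2022_21682_status BUILDER_VERSION FLATPAK_VERSION
# Prints: mitigated | upgrade-flatpak | upgrade-flatpak-builder | upgrade-both
cve_2022_21682_status() {
    b=ok f=ok
    ver_ge "$1" 1.2.2 || b=old
    flatpak_has_reset "$2" || f=old
    case $b/$f in
        ok/ok)   echo mitigated ;;
        ok/old)  echo upgrade-flatpak ;;
        old/ok)  echo upgrade-flatpak-builder ;;
        *)       echo upgrade-both ;;
    esac
}

# log_shows_ignored_reset: read a build log on stdin; succeed if it contains
# the warning that means the installed Flatpak ignored the reset suffix.
log_shows_ignored_reset() {
    grep -qF 'Unexpected filesystem suffix reset, ignoring'
}

# Constructed sample pairs (flatpak-builder version, Flatpak version).
for pair in "1.2.2 1.12.4" "1.2.2 1.10.7" "1.2.2 1.12.3" "1.2.1 1.12.4"; do
    set -- $pair
    printf '%-6s %-7s %s\n' "$1" "$2" "$(cve_2022_21682_status "$1" "$2")"
done
```
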
Other changes:
- Make FUSE 2 optimizations opt-in.
By default, this version of flatpak-builder is compatible with versions
of ostree that have been compiled against either FUSE 2 or FUSE 3.
Older distributions that use FUSE 2 can configure --with-fuse=2 for better
performance, but the resulting flatpak-builder executable will not work
with versions of ostree >= 2022.1 that have been compiled with FUSE 3
(this is the same behaviour as in 1.2.1).
- Make the JSON schema introduced in 1.2.1 more complete
sha256:
89fda68e537c1e9de02352690bd89c3217a729164558d35f35b08f79ad84e03e *flatpak-builder-1.2.2.tar.xz
Release 1.2.1
- Fix debuginfo being re-processed multiple times in a manifest
- Change manifest parsing issues from warnings to fatal errors
- Add .tar.zst archive support
- Fix auto-detection of .7z archives
- Install a JSON schema for manifest format
- Documentation updates
$ sha256sum flatpak-builder-1.2.1.tar.xz
f4bc0c7dbff4b536545c17bd36e71b5e93c75f48d6bd95f662f22f90a2d2920b flatpak-builder-1.2.1.tar.xz
Release 1.2.0
Changes in 1.2.0
- Documentation updates
- Add missing newlines in some output
- Fix missing error check in the new inline data support
$ sha256sum flatpak-builder-1.2.0.tar.xz
dfcb6a3ca38d61e0775b70a469ab505285e129361462df09004e6d4251c246a8 flatpak-builder-1.2.0.tar.xz
Release 1.1.2
Changes in 1.1.2
- New secret-opts feature lets you pass e.g. CI secrets into the build.
- Support content-encoding when downloading.
- New inline data source allowing easy creation of files from embedded content from
the manifest.
Release 1.1.1
This is the first unstable release in preparation for 1.2.0.
- We now use the external debugedit project instead of using an internal copy.
The system version can be used, or if not an internal version is used
built using git submodules.
Note, this needs libdw 0.172, which may not be available on older distributions.
Release 1.0.14
Changes in 1.0.14
- Ensure that sources cannot create files outside the build directory.
- If --sandbox is enabled, ensure sources can't read files outside the
manifest directory.
$ sha256sum flatpak-builder-1.0.14.tar.xz
69b65af4f63804127518c545184f9dfc9a9358cdedaabef2b1e50623ae2b8d8b flatpak-builder-1.0.14.tar.xz
Release 1.0.13
Changes in 1.0.13
- Fix a bug where git submodules were bundled even when disabled (whereas in
the previous release this issue was fixed for the extraction phase)
- For bundled extensions, use the specified version as the branch rather than
using the branch of the parent app
$ sha256sum flatpak-builder-1.0.13.tar.xz
a4a51a6e8d5cedcf43067ab491d7b9437f5ee05b8df3e103be6e426c91993891 flatpak-builder-1.0.13.tar.xz
Release 1.0.12
Changes in 1.0.12
- Make --run work if manifest has --metadata in build-finish
- Don't try to extract git submodules if they were disabled
$ sha256sum flatpak-builder-1.0.12.tar.xz
4780c1b8e0838ffb64e9639bd7801417964fd818c7c6d5e9afca4d5511ded2c8 flatpak-builder-1.0.12.tar.xz
Release 1.0.11
Changes in 1.0.11
- Use brz instead of bzr for bzr repos (if available)
- Fix run-tests with --sandbox and empty test-args
$ sha256sum flatpak-builder-1.0.11.tar.xz
11834b76bbd2b3c4bf182632d231ac9cfd7e0bdf3ccb58fb5b370b7dccccd44c flatpak-builder-1.0.11.tar.xz