NEWS

Changes in 1.14.10
~~~~~~~~~~~~~~~~~~
Released: 2024-08-14

Dependencies:

 * In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
   executable, either version 0.10.0, version 0.6.x ≥ 0.6.3, or a version
   with a backport of the --bind-fd option is required.
   These versions add a new feature which is required by the security fix
   in this release.

Security fixes:

 * Don't follow symbolic links when mounting persistent directories
   (--persist option). This prevents a sandbox escape where a malicious or
   compromised app could edit the symlink to point to a directory that
   the app should not have been allowed to read or write.
   (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)

Documentation:

 * Mark the 1.12.x and 1.10.x branches as end-of-life (#5352)

Version 1.14.9 was not released due to an incompatibility with older
versions of GLib. Version 1.14.10 replaces it.

Changes in 1.14.8
~~~~~~~~~~~~~~~~~
Released: 2024-04-30

No changes. This release is rolling out to correct mismatching submodule versions
in the release tarball.

Changes in 1.14.7
~~~~~~~~~~~~~~~~~
Released: 2024-04-29

New features:

 * Automatically reload D-Bus session bus configuration after installing
   or upgrading apps, to pick up any exported D-Bus services (#3342)

Bug fixes:

 * Expand the list of environment variables that Flatpak apps do not
   inherit from the host system (#5765, #5785)

 * Don't refuse to start apps when there is no D-Bus system bus available
   (#5076)

 * Don't try to repeat migration of apps whose data was migrated to a new
   name and then deleted (#5668)

 * Fix warnings from newer GLib versions (#5660)

 * Always set the `container` environment variable (#5610)

 * In `flatpak ps`, add xdg-desktop-portal-gnome to the list of backends
   we'll use to learn which apps are running in the background (#5729)

 * Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into
   the shell environment (#5574)

 * Avoid undefined behaviour of signed left-shift when storing object IDs
   in a hash table (#5738)

 * Fix Docbook validity in documentation (#5719)

 * Skip more tests when FUSE isn't available (#5611)

 * Fix a misleading comment in the test for CVE-2024-32462 (#5779)

Internal changes:

 * Fix Github Workflows recipes

Changes in 1.14.6
~~~~~~~~~~~~~~~~~
Released: 2024-04-18

Security fixes:

 * Don't allow an executable name to be misinterpreted as a command-line
   option for bwrap(1). This prevents a sandbox escape where a malicious
   or compromised app could ask xdg-desktop-portal to generate a .desktop
   file with access to files outside the sandbox. (CVE-2024-32462)

Other bug fixes:

 * Don't parse `<developer><name/></developer>` as the application name
   (#5700)

Changes in 1.14.5
~~~~~~~~~~~~~~~~~
Released: 2023-12-08

Features:

 * Stop http transfers if a download in progress becomes very slow (#5519)

 * Add anchors to link to sections of flatpak-metadata documentation (#5582)

Bug fixes:

 * Avoid warnings processing symbolic links with GLib >= 2.77.0, and
   with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings)

 * Bypass page cache for backend requests in revokefs, fixing installation
   errors with libostree 2023.4 (#5452)

 * Show AppStream metadata in `flatpak remote-info` as intended
   (#5523; regression in 1.9.1)

 * Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES
   from the host system, which would be wrong for the sandbox (#5553)

 * Fix build failure with prereleases of libappstream 0.17.x (#5472)

 * Forward-compatibility with libappstream 1.0 (#5563)

 * Fix a memory leak (#5329)

 * Fix compiler warnings (#5362, #5366)

 * Make the tests fail more comprehensibly if a required tool is missing
   (#5020)

 * Clean up `/var/tmp/flatpak-cache-*` directories on boot (#1119)

 * Don't force `GIO_USE_VFS=local` for programs launched via flatpak-spawn
   (#5567)

 * Clarify documentation for D-Bus name ownership (#5582)

Internal changes:

 * CI improvements (#5381)

Changes in 1.14.4
~~~~~~~~~~~~~~~~~
Released: 2023-03-16

Security fixes:

* Escape special characters when displaying permissions and metadata,
  preventing malicious apps from manipulating the appearance of the
  permissions list using crafted metadata (CVE-2023-28101).

* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
  don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100).
  Note that this is specific to virtual consoles: Flatpak is not
  vulnerable to this if run from a graphical terminal emulator such as
  xterm, gnome-terminal or Konsole.

Other bug fixes:

* Translation update: pl

Changes in 1.14.3
~~~~~~~~~~~~~~~~~
Released: 2023-02-27

Bug fixes:

* When splitting an upgrade into two steps (download without installing, and
  then upgrade without allowing further downloads) like GNOME Software does,
  if an app is marked EOL and superseded by a replacement, don't remove the
  superseded app in the first step, which would result in the replacement
  incorrectly not being installed (#5172)
* Fix a crash when --socket=gpg-agent is used (#5095)
* Fix a crash when listing apps if one of them is broken or misconfigured
  (#5293)
* If an app has invalid syntax in its overrides or metadata, mention the
  filename in the error message (#5293)
* Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11
  can work (#5303)
* Never try to export a parent of reserved directories as a --filesystem,
  for example /run, which would prevent the app from starting (#5205, #5207)
* Never try to export a --filesystem below /run/flatpak or /run/host,
  which could similarly prevent the app from starting
* The above change also fixes apps not starting if a --filesystem is a
  symlink to the root directory (#1357)
* Show a warning when the --filesystem exists but cannot be shared with
  the sandbox (#1357, #5035, #5205, #5207)

Changes in 1.14.2
~~~~~~~~~~~~~~~~~
Released: 2023-02-06

Bug fixes:

* Display the intended messages for `flatpak repair` (#5204)
* Exporting an app to an existing repository on a CIFS filesystem
  now works as intended (#5257)
* Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib
  apps when set to a path on the host (#5206)
* Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps
  under Wayland when this variable is set to a path not available in the
  sandbox (#5194)
* Unset $KRB5CCNAME for apps
* When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the
  profile script is sourced more than once (#5198)

Internal changes:

* The INFO log level is now treated the same as the DEBUG log level
  by `flatpak -v`, to make backports from 1.15.x simpler

Changes in 1.14.1
~~~~~~~~~~~~~~~~~
Released: 2022-11-18

New features:

* Add a httpbackend variable to flatpak.pc, allowing dependent projects
  like GNOME Software to detect whether they are compatible with libflatpak
  (#5054)

Bug fixes:

* Terminate the flatpak-session-helper and flatpak-portal services when the
  session ends, so that applications will not inherit outdated Wayland
  and X11 socket addresses (#5068)
* When using `fish` shell, don't overwrite a previously-set XDG_DATA_DIRS
  (#5123)
* Don't try to enable HTTP 2 if linked to a libcurl version that doesn't
  support it (#5074)
* Stop systemd reporting the session-helper as failed when terminated by
  a signal (#5129)
* Fix a warning when listing a document with no permissions (#5055)
* Fix compilation with GLib 2.66.x (as used in Debian 11) (#5062)
* Fix compilation with GLib 2.58.x (as used in Debian 10) (#5066)
* Fix a compiler warning on 32-bit architectures (#5148)
* If an app update is blocked by parental controls policies, clean up the
  temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide
  gpgme-config(1) (#5173)
* When building with Autotools, be more consistent about applying compiler
  warning flags (#5149)
* Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168)
* Treat /efi the same as /boot/efi (#5155)
* Make generated files more reproducible (#5085)
* Translation updates: cs, id, pl, pt_BR (#5052, #5056, #5059, #5126)

Internal changes:

* Update project logo in README (#5119)

Changes in 1.14.0
~~~~~~~~~~~~~~~~~
Released: 2022-08-22

Known issues:
* There may be an issue where non-primary architecture builds don't show up
  (https://github.com/flatpak/flatpak/issues/5045)
* There is a new security advisory on Flatpak but all supported versions are
  not affected due to using new enough versions of libostree
  (https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x)

Dependencies:

* Conditional on a build time option, revokefs will now use version 3 of the
  FUSE API rather than version 2 (#4326)
* Libappstream should be updated to at least 0.15.3 to avoid critical warning
  messages when using the "flatpak search" command
  (https://github.com/ximion/appstream/issues/384)

New features:

* A new key "DeploySideloadCollectionID" is now supported in flatpakref and
  flatpakrepo files, to allow setting a collection ID at the time a remote is
  added from one of those files, rather than when metadata is pulled from the
  remote, and without affecting versions of Flatpak with the older pre-sideload
  P2P implementation (#4826)
* Allow sub-sandboxes to own MPRIS names on the session bus (#5023)
* Commands that accept "--user" will now also take "-u" as an alias for that
  (#5014)
* The CLI now properly informs the user of which apps are (indirectly) using
  end-of-life runtime extensions in end-of-life info messages (#4835)
* The CLI now takes into account operations in the pending transaction when
  printing end-of-life messages (#4835)
* The uninstall command now asks for confirmation before removing in-use
  runtimes or runtime extensions (#4835)
* A "--socket=gpg-agent" option is now recognized by "flatpak run" and related
  commands (#4958)

Bug fixes:

* Fix a memory corruption issue caused by use of libcurl in an unsafe way
  (#5046)
* Update selinux policy to cover symbolic links in /var/lib/flatpak (#4992)
* Fix a crash in case a .desktop file processed by the build-export command has
  no Exec= key, and some related fixes for handling such .desktop files (#4817)
* Preserve the X11 display number rather than redirecting it to :99 (#5034)

Other changes:

* Various improvements to the unit tests, CI infra, and documentation
* Some changes were made to ensure translators can work on full sentences
  rather than fragments in several places
* Translation updates: de, ru, sv, tr, uk, zh_CN

Changes in 1.13.3
~~~~~~~~~~~~~~~~~
Released: 2022-06-16

Dependencies:

 * Support curl 7.29 or later as an additional, and the default, HTTP backend
   alongwith libsoup 2.x (#4943)
 * Clarify that glib 2.46 or later is now required (#4944)

New features:

 * Implement support for rewriting dynamic launchers when an app is renamed
   (#4703)
 * Add --include-sdk/debug options to install command to install SDK/debuginfo
   along with a ref (#4777)
 * Improve --sideload-repo option to take create-usb dirs (#4843)
 * Add a new library API flatpak_transaction_get_operation_for_ref() (#4947)

Bug fixes:

 * Update the SELinux module to explicitly permit the system helper have read
   access to /etc/passwd and systemd-userdbd, read and lock access to
   /var/lib/flatpak, and watch files inside $libexecdir (#4852, #4855, #4892)
 * Fix the error messages and the exit code of the 'uninstall' command when
   non-existent refs are specified (#4857)
 * Be more careful with errors when creating directories and deleting files,
   and address some memory errors (#4930)
 * Fix support for --noninteractive in the 'uninstall' command (#4947)

Other changes:

 * Cosmetic improvements to end-of-life messages and other aspects of the CLI
   output (#4947)
 * Speed up the tests by not installing the polkit agent (#4942)
 * Disable fuzzy ref matching when ID has a period or a slash, or when the
   standard input or output is not a TTY (#4829, #4848)
 * Update the icon-validator to print the format and size for consumption by
   the dynamic launcher portal (#4803, #4808)
 * Remove a pointless test (#4856)
 * Improve various details of the GitHub workflows (#4870)
 * Prepare for the addition of a Meson build (#4842, #4871, #4888, #4889, #4890)
 * Only add the specified 'summary-arches' to the compat summary. This is
   important since we're nearing the 10MB size limit for Flathub's legacy
   summary files. (#4880)
 * Translation updates: id, pt, sv, tr, uk

Changes in 1.13.2
~~~~~~~~~~~~~~~~~
Released: 2022-03-14

Bug fixes:

 * Consistently pass relative subpaths to libostree, working around a bug
   in libostree < 2021.6 when used with GLib >= 2.71 (#4805)
 * Document have-kernel-module-* as having been added in 1.13.1
 * Fix some memory leaks in GVariant data processing

Changes in 1.13.1
~~~~~~~~~~~~~~~~~
Released: 2022-03-01

Dependencies:

 * libappstream 0.12.0 or later is now required
 * appstream-glib is no longer required
 * In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
   executable, version 0.5.0 is now required

New features:

 * Create a directory for XDG_STATE_HOME and set the environment variable
   (#4477)
   - Apps requiring a state directory without a dependency on this updated
     Flatpak version can get similar functionality by using:
     --persist=.local/state --unset-env=XDG_STATE_HOME
     which will use the same storage location
 * Set HOST_XDG_STATE_HOME environment variable (#4477)
 * Add have-kernel-module-foo family of conditionals for extensions, a
   generalization of have-intel-gpu (which is now mostly equivalent to
   have-kernel-module-i915) (#4647)
 * Add `flatpak document-unexport --doc-id=...` (#1897)
 * Export Appstream metadata for host system to use (#4350, #4599)
 * Add command-line completion for the Fish shell (#3109)
 * Add FlatpakTransaction:no-interaction API (#4699)
 * We now allow networked access to X11 and PulseAudio services
   if that is configured, and the application has network access.
   (#397, #3908, #4702)
 * `flatpak build-init` automatically sets the build directory to be
   ignored by git (#4741)

Other changes:

 * Updated bundled xdg-dbus-proxy to 0.1.3 (#4737)
 * Updated bundled bubblewrap to 0.6.1 (#4779)
 * The default branch in the Github repository is now named 'main'
 * Don't offer options in CLI tab completion unless the user typed a '-'
   (#4753)
 * Disable fancy output (e.g. progress bars that get redrawn) when
   G_MESSAGES_DEBUG is set in the environment (#4767)
 * Most commands now work if /var/lib/flatpak exists but /var/lib/flatpak/repo
   does not, and will automatically populate the repo directory if
   possible (#4111)
 * Disable session bus access for `flatpak-spawn --sandbox` as intended
   (#4630)
 * Make `sudo flatpak --user ...` fail with an error message, since acting
   on root's per-user installation is unlikely to be what was intended
   (#4638)
 * Don't mention "negative" permissions like !host in /.flatpak-info (#4691)
 * Improve performance when finding related refs
 * Use SHA256 instead of SHA1 to avoid false-positives from static analysis
   (in fact the use of SHA1 was not security-sensitive here) (#4716)
 * Create sandbox's XDG_RUNTIME_DIR with 0700 permissions (#3397)
 * Always create /.flatpak-info with 0600 permissions
 * Absolute paths in WAYLAND_DISPLAY now work (#4752)
 * Improve reliability of detecting the current GTK theme (#4754)
 * Fix some error code paths when deploying malformed apps
 * Improve some error messages
 * Use URN for fontconfig DTD, consistent with fontconfig itself (#4617)
 * Use `type -P` or `command -v` in preference to which(1) (#4696)
 * Improve measurement of test coverage (#4681)
 * Translation updates: de, fr, hi, hr, id, oc, pl, pt_BR, sv, uk, zh_CN

Changes in 1.12.6
~~~~~~~~~~~~~~~~~
Released: 2022-02-21

 * Fix a bug that sometimes caused repo corruption in case downloads are
   interrupted or canceled, necessitating a "flatpak repair" to recover
   (#3479, #4258)
 * More reliably detect the GTK theme (#4754)
 * Fix history command unit test in some edge cases (#4764)
 * Improve NEWS for 1.12.5
 * Translation update: pt_BR

Changes in 1.12.5
~~~~~~~~~~~~~~~~~
Released: 2022-02-11

 * Fixed a case where temporary data was sometimes left in
   /var/lib/flatpak/appstream, and we now detect such leftover data and
   remove it. (#4735)
 * Fix regressions in `flatpak history` since 1.9.1 (#4121, #4332)
   - Don't display the appstream branch used internally
   - Don't display temporary repositories used internally
   - Warn instead of failing if other non-app, non-runtime refs are found
   - Don't set up an unnecessary polkit agent for `flatpak history`
   - Add test coverage
 * Don't propagate GStreamer-related environment variables into
   sandbox (#4728)
 * Fix a typo in an error message
 * Fix incorrect year in NEWS for 1.12.4 release
 * Translation update: pl

Changes in 1.12.4
~~~~~~~~~~~~~~~~~
Released: 2022-01-18

This is a regression fix update, reverting non-backwards-compatible
behaviour changes in the solution previously chosen for CVE-2022-21682.

Flatpak 1.12.3 and 1.10.6 changed the behaviour of `--nofilesystem=host`
and `--nofilesystem=home` in a way that was not backwards-compatible in
all cases. For example, some Flatpak users previously used a global
`flatpak override --nofilesystem=home` or
`flatpak override --nofilesystem=host`, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's `--filesystem=~/Documents/Zoom:create`. With
the changes in 1.12.3, this no longer had the intended result, because
`--nofilesystem=home` was special-cased to disallow inheriting the
finer-grained `--filesystem`.

Flatpak 1.12.4 and 1.10.7 return to the previous behaviour of
`--nofilesystem=host` and `--nofilesystem=home`. Instead, CVE-2022-21682
will be resolved by a new 1.2.2 release of flatpak-builder, which will
use a new option `--nofilesystem=host:reset` introduced in Flatpak 1.12.4
and 1.10.7. In addition to behaving like `--nofilesystem=host`, the new
option prevents filesystem permissions from being inherited from the
app manifest.

Other changes:

 * Clarify documentation of `--nofilesystem`
 * Improve unit test coverage around `--filesystem` and `--nofilesystem`
 * Restore compatibility with older appstream-glib versions, fixing a
   regression in 1.12.3

Changes in 1.12.3
~~~~~~~~~~~~~~~~~
Released: 2022-01-12

This is a security update that fixes two issues that were found in flatpak:

https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.

https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
(also known as CVE-2022-21682)

This issue is a problem with how flatpak-builder uses flatpak, that
can cause `flatpak-builder --mirror-screenshots-url` commands to be
allowed to create directories outside of the build directory.

The fix for this is done in flatpak by making the --nofilesystem=host
and --nofilesystem=home more powerful. They previously only removed
access to the particular location, i.e. `--nofilesystem=host` negated
`--filesystem=host`, but not `--filesytem=/some/dir`. This is a minor
change in behavior, as it may change the behavior of an override
with these specific options, however it is likely that the new
behavior was the expected one.

Other changes:

 * Extra-data downloading now properly handles compressed content-encodings
   which fixes checksum verification (see #4415)
   Note: In some corner case server setups this may require the extra-data
   checksum to be changed
 * Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes
 * Better handling of updates of extensions that exist in multiple repositories
 * Fixed (initial) installation apps with renamed ids
 * Support more pulseaudio configuration, including the one used in WSL2
 * Fixed regression in updates from no-enumerate remotes
 * We now verify checksums of summary caches, to better handle local file
   corruption
 * Improved cli output for non-terminal targets
 * Flatpak run --session-bus now works
 * Fix build with PyParsing >= 3.0.4
 * Fixed "Since" annotations on FlatpakTransaction signals
 * bash auto completion now doesn't complete on command name aliases
 * Minor improvements to the search command
 * Minor improvements to the list command
 * Minor improvements to the repair command
 * Add more tests
 * Updated translations and docs

Changes in 1.12.2
~~~~~~~~~~~~~~~~~
Released: 2021-10-12

 * Install translations referenced by LANG, LANGUAGE or LC_ALL
 * Fix error handling for the syscalls that are blocked when not using --devel
 * Improve diagnostic messages when seccomp rules cannot be applied
 * Update Polish translation

Changes in 1.12.1
~~~~~~~~~~~~~~~~~
Released: 2021-10-08

The security fix in the 1.12.0 release failed when used with some
older versions of libseccomp (that don't know about the new syscalls).

More specifically, installing modules that use extra-data would fail, and so
would running applications with the --allow=multiarch feature, such as Steam.
This release fixes those regressions.

Changes in 1.12.0
~~~~~~~~~~~~~~~~~
Released: 2021-10-08

This is the first stable release in the 1.12.x series. The major changes
in this series is the support for better control of sub-sandboxes, as
used by the Steam Flatpak app to run Windows games under Proton.

In addition, this release fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules
which allowed the application to create sub-sandboxes which can confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules. (CVE-2021-41133)
For details, see:
  https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

Other changes in this version:
 * Some test fixes
 * Update translations
 * Support for specifying the flatpak binary to use during exports
 * Install translations for all languages in the locale, not just the ones in
   LC_MESSAGES.
 * Fix progress reporting in flatpak fsck
 * Handle cases where /var/tmp is a symlink
 * Expose /etc/gai.conf to the sandbox
 * Fix the parental control checks for root
 * Handle missing /etc/ld.so.cache (musl)

Changes in 1.11.3
~~~~~~~~~~~~~~~~~
Released: 2021-08-25

Dependencies:

* For Linux distributions that compile Flatpak to use a separate
    bubblewrap (bwrap) executable, updating to version 0.5.0 is recommended,
    but not required. The minimal version is still 0.4.0.

Bug fixes:

* Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing
  a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
* Update the included copy of bubblewrap (flatpak-bwrap) to 0.5.0
    - Better diagnostics when a --bind or other bind-mount fails
    - Create non-directories with safer permissions
    - Allow mounting an non-directory over an existing non-directory
    - Silence kernel messages for our bind-mounts
    - Improve ability to bind-mount directories on case-insensitive filesystems
* Don't ask user which remote to download from if there is only one option
* Improve robustness of autogen.sh

Internal changes:

* Improve test coverage
* Spelling fixes

Translation updates: Brazilian Portuguese, Russian, Spanish, Ukrainian

Changes in 1.11.2
~~~~~~~~~~~~~~~~~
Released: 2021-06-17

Bug fixes:

* Fix logic error when migrating AppStream XML
* Improve error-checking
* Fix various memory and file descriptor leaks, in particular with
  flatpak-spawn --env=...
* Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., which
  caused "Steam Linux Runtime" containers to fail to start
* Avoid a crash when looking up summary for a ref without an arch
* Improve handling of refs belonging to more than one architecture,
  e.g. for cross-compilation
* Don't abort uninstall if deploy metadata is missing
* Don't fail transaction if searching for dependencies fails in one remote
* Fix test failure when running tests as root
* Improve error message for 'sudo flatpak run'

Internal changes:

* Improve printf format string validation
* Improve test coverage
* Reduce risk of accidentally hard-coding x86 in the tests

Translation updates: Danish, Indonesian, Russian

Changes in 1.11.1
~~~~~~~~~~~~~~~~~
Released: 2021-04-26

This is the first unstable release in the series that will lead to 1.12.

New features:

* All instances of the same app-ID share their /tmp directory
* All instances of the same app-ID share their $XDG_RUNTIME_DIR
* Instances of the same app-ID can optionally share their /dev/shm directory
  (enabled by a new --allow flag, --allow=per-app-dev-shm)
* Allow a subsandbox to have a different /usr and/or /app.
  Steam will use this to launch games with its own container runtime
  as /usr (the "Steam Linux Runtime" mechanism).
* enter: Improve support for TUI programs like gdb
* build-update-repo: Add a higher-performance reimplementation of
  `ostree prune` specialized for archive-mode repositories

Bug fixes:

* Fix deploys of local remotes in system-helper
* Fix test failures on non-x86_64 systems
* Fix two intermittent test failures
* Make polkit queries non-interactive when operating in non-interactive mode
* Use a local main-context when using libsoup in a thread
* create-usb: Skip copying extra-data flatpaks
* OCI: Switch to pax-format tar archives
* history: Handle transaction log entries with empty REF field
* portal: Fix flatpak-spawn --clear-env on OSs where flatpak is not on
  the fallback PATH, such as NixOS
* Fix various issues detected by scan-build

Internal changes:

* Use GNU bison to build parse-datetime.y
* Add information about security support and security vulnerability
  reporting (see `SECURITY.md`)
* Move all git submodules into subprojects/ directory
* Several sockets are now created in /run/flatpak in the sandbox, with
  symbolic links in $XDG_RUNTIME_DIR

Changes in 1.10.2
~~~~~~~~~~~~~~~~~
Released: 2021-03-10

This is a security update which fixes a potential attack where
a flatpak application could use custom formated .desktop files to
gain access to files on the host system.

Other changes:

* Fix memory leaks
* Some test fixes
* Documentation updates
* G_BEGIN/END_DECLS added to library headders for c++ use
* Fix for X11 cookies on OpenSUSE
* Spawn portal better handles non-utf8 filenames

Changes in 1.10.1
~~~~~~~~~~~~~~~~~
Released: 2021-01-21

 * Fix flatpak build on systems with setuid bwrap
 * Fix some compiler warnings
 * Add --enable-asan configure option
 * Fix crash on updating apps with no deploy data
 * Update translations

Changes in 1.10.0
~~~~~~~~~~~~~~~~~
Released: 2021-01-14

This is the first stable release after the 1.9.x unstable series.
The major new feature in this series compared to 1.8 is the support
for the new repo format which should make updates faster and download
less data.

This release also contains the security fixes from 1.8.5, so everyone
on the 1.9.x series should update immediately. (CVE-2021-21261)

Other changes since 1.9.3:

 * The systemd generator snippets now call flatpak --print-updated-env
   in place of a bunch of shell for better login performance.
 * The .profile snippets now disable GVfs when calling flatpak to
   avoid spawning a gvfs daemon when logging in via ssh.
 * Build fixes for GCC 11.
 * Flatpak now finds the pulseaudio sockets better in uncommon
   configurations.
 * Sandboxes with network access it now also has access to the
   systemd-resolved socket to do dns lookups.
 * Flatpak supports unsetting env vars in the sandbox using --unset-env,
   and `--env=FOO=` now sets FOO to the empty string instead of
   unsetting it.
 * Similarly the spawn portal has an option to unset an env var.
 * The spawn portal now has an option to share the pid namespace
   with the sub-sandbox.

Changes in 1.9.3
~~~~~~~~~~~~~~~~
Released: 2020-12-22

I expect this to be the final 1.9.x release, and we can expect 1.10.0
early next year, containing basically whats in this release in terms
of features.

A minor change in the new indexed summary format in this release. The
gpg signature of the summary index is now stored in a filename indexed
by the checksum of the index rather than a static filename. This fixes
an update race between clients accessing the two files during and update.
It also helps in keeping mirrors and cached coherent. The old filename
is still created/used for backwards compat with 1.9.1, but may go
away in the future.

Other changes:

 * --filesystem=host now exposed /var/usrlocal (as seen on ostree)
 * Better error messages in flatpak portal.
 * Rebases during update now install the new app before uninstalling
   the old, which means failure during the first doesn't leave the app
   uninstalled.
 * flatpak_installation_list_installed_refs_for_update() now handles
   some case better when apps in the user installation depends on
   runtimes in the system installation.
 * New version of the deploy files which guarantees the existance of
   a bit more data. This is useful for eol detection of apps that were
   installed with previous flatpak versions.
 * Some corner cases when installing an app with extra-data into a nonstandard
   installation were fixed.
 * Fixed crashed when killing and entering running instance that have
   was running a runtime, not an app.
 * The root user can now bypass parental controls.
 * Some fixes to library annotations.
 * Updated translations

Changes in 1.9.2
~~~~~~~~~~~~~~~~
Released: 2020-11-20

 * Some build fixes on non-x86-64 arches
 * Fix permission issue in endless installer
 * Fixed a bug where flatpak was accidentally clearing the summary cache
   during updates in the user installation.
 * Fix handling of the multiarch permission.,
 * Add back the commit timestamp to the summary file.

Changes in 1.9.1
~~~~~~~~~~~~~~~~
Released: 2020-11-19

This is the first unstable release in the series that will lead to
1.10. The main change in this version is a new format for the summary
file used when accessing an OSTree repository on the network. For this
reason we now require OSTree version 2020.8.

The new format should make getting the initial metadata required for
most flatpak operations much faster, and use less network
bandwidth. This will allow repositories to scale to more apps and more
architectures without affecting clients. The old format is still
generated for compatibility with older clients.

The new format also allows repositories to publish named subsets, and
for clients to declare that they only want to see that subset. The
goal here is to allow for example flathub to mark all FOSS apps, and
make it possible for users to use a flathub-foss remote without
flathub having to maintain two duplicated repositories. This is
accessible by passing --subset=SUBSET to the build-commit-from and
build-export commands.

The new repo option `flatpak.summary-arches` controls which architectures
are put in the old format summary. This can be used to avoid newly added
architectures making old clients slower, at the cost of requiring a newer
flatpak client version for the new architecture.

Other major changes
 * There is a new `flatpak pin` command that lets you pin runtimes
   so that they are not considered unused. Also, we now by default pin
   runtimes that are installed explicitly (i.e. not as a dependency of an
   app).
 * During a regular update or uninstall of an app, if the operation
   makes a previously used runtime unused, and the runtime is marked
   as end-of-lifed, then the runtime is automatically uninstalled.
 * During `flatpak update` (i.e. with no specific app given) flatpak
   now automatically adds uninstall operations for end-of-life runtimes
   that are unused.
 * The end-of-life warnings in the flatpak CLI are now better, showing
   more useful details (like version and what apps are using the runtime)
   and less unuseful details.
 * Some changes was made in which dconf paths were considered "similar"
   to the app id, allowing for example `org.gnome.SoundJuicer` to
   migrate from `/org/gnome/sound-juicer`.
 * Flatpak run now implements the new standard for os-release in containers
   (https://www.freedesktop.org/software/systemd/man/os-release.html).
 * There is now a tcsh profile snippet
 * The origin remote for an app is now prioritized over other remotes with
   the same priority when looking for dependencies.
 * We now allow extra-data apply_extra processes to run multiarch code.
 * A new internal representation for ostree ref strings was added which
   is more efficient. This should not affect the behaviour of flatpak
   but the large amounts of changes to use this may have accidentally
   introduced regressions.
 * Some fixes to the in-memory summary cache make it more efficient.
 * --filesystem=/ is now explicitly forbidden as it doesn't work (and never
   did).
 * Flatpak install/update now only prints `(partial)` for an update that
   actually is partial (not just for all locales).
 * Flatpak remote-ls on a file: uri (for example a sideloaded repo) now
   correctly lists the refs in the repo.
 * New library APIS: flatpak_installation_list_pinned_refs,
   flatpak_transaction_set_disable_auto_pin,
   flatpak_transaction_set_include_unused_uninstall_ops,
   flatpak_transaction_operation_get_subpaths,
   flatpak_transaction_operation_get_requires_authentication.
 * flatpak_installation_list_installed_refs_for_update() now returns
   refs that have a end-of-life rebase that it could be updated to.
 * There is a new `ready-pre-auth` signal in FlatpakTransaction allowing
   clients new ways to handling authentication.
 * Fix bug where extension sources were sometimes auto-installed

Changes in 1.8.3
~~~~~~~~~~~~~~~~
Released: 2020-11-17

  * Fixed progress reporting for OCI and extra-data
  * The in-memory summary cache is more efficient
  * Fixed authentication getting stuck in a loop in some cases
  * Fixed authentication error reporting
  * We now extract OCI info for runtimes as well as apps
  * Fixed crash if anonymous authentication fails and -y is specified
  * flatpak info now only looks at the specified installation
    if one is specified
  * Better error reporting for server HTTP errors during download
  * Uninstall now removes applications before the runtime it depends on
  * Fixed test-suite to pass with the latest OSTree version
  * Fixed dbus environment variables in flatpak enter
  * Avoid updating metadata from the remote when uninstalling
  * Fixed error message handling in various places
  * FlatpakTransaction now verifies all passed in refs to avoid
    potential issues with invalid names
  * Updated translations

Changes in 1.8.2
================

 * Added validation of collection id settins for remotes
 * Fix seccomp filters on s390
 * Robustness fixes to the spawn portal
 * Fix support for masking update in the system installation
 * Better support for distros with uncommon models of merged /usr
 * Cache responses from localed/AccoutService
 * Fix hangs in cases where xdg-dbus-proxy fails to start
 * Fix double-free in cups socket detection
 * OCI authenticator now doesn't ask for auth in case of http errors

Changes in 1.8.1
================

 * Avoid calling authenticator in update if ref didn't change
 * Don't fail transaction if ref is already installed (after transaction start)
 * Fix flatpak run handling of userns in the --device=all case
 * Fix handling of extensions from different remotes
 * Fix flatpak run --no-session-bus
 * Updated translations

Changes in 1.8.0
================

New stable release series 1.8.

Changes:
 * FlatpakTransaction has a new signal "install-authenticator" which clients can handle to
   install authenticators needed for the transaction. This is done in the CLI commands.
 * We now always expose the host timezone data, allowing us the expose the host /etc/localtime
   in a way that works better, fixing several apps that had timezone issues.
 * Fix flatpak enter which didn't work in some cases.
 * We now ship a systemd unit (not installed by default) to automatically detect plugged in
   usb sticks with sideload repos.
 * By default we no longer install the gdm env.d file, as the systemd generators work better
 * create-usb now exports partial commits by default
 * Fix handling of docker media types in oci remotes
 * Fix subjects in remote-info --log output

Changes in 1.7.3
================

 * Allow direct ALSA device access if app has pulseaudio access.
 * Flatpak now ships a sysusers.d file for allowing systemd to create the required users.
 * Fix issue in remote-delete where it failed to delete system remotes if it had to uninstall
   something first.
 * New library calls flatpak_transaction_operation_get_related_to_ops(), flatpak_transaction_operation_get_is_skipped() and
   flatpak_transaction_set_no_interaction().
 * New options --[no-]follow-redirect in remote-add/modify
 * New spawn portal APIs to get real pid of launched app.
 * By default, all OCI remotes now use the flatpak-oci-authenticator.
 * Support flatpak remote-info and flatpak update --commit= to specific versions for OCI remotes.
 * Initial work in progress on using deltas for OCI remotes.
 * Fix race in the generation of ld.so.cache when starting copies of the same app at the same time.
 * Minor fix in what locales are installed on update.
 * Flatpak uninstall now doesn't fail if one ref (of many) was not installed.
 * Flatpak systemd transient units now have an app-prefix to match new XDG spec for
   cgroup names.
 * In some cases we previously downloaded the summary twice.
 * flatpak upgrade is now an alias for flatpak update.
 * Fix to selinux module to work without unconfined module.
 * Respect user XDG basedirs when finding users fonts and icons.
 * Fix issue where thread were sometimes initialized causing flatpak enter to fail.
 * Better error reporting when authentication goes wrong.

Changes in 1.7.2
================

This fixes some regressions in progress reporting in 1.7.1, where it would report > 100%.

Other changes:
 * Completion support for fish shell
 * Properly handle migration of remotes with collection ids
 * The summary now has some extra-data download size info which can make downloads slightly more efficient

Changes in 1.7.1
================

This is the first release in the 1.7.x unstable release series.

A major change is that the support for the ostree peer-to-peer installation has been
simplified. Flatpak no longer supports installing from local network peers, and sideloading
from local usb stick is no longer automatic. To enable sideloading you have to configure
a sideload repository by creating a symlink to it from /var/lib/flatpak/sideload-repos or
/run/flatpak/sideload-repos. Due to this the flatpak code has been simplified internally
and the p2p support is more efficient.

Other major changes
 * If an app has filesystem access, the host /lib is accessible as /run/host/lib, etc.
 * New filesystem permission "host-etc" and "host-os" give access to system /usr and /etc.
 * Flatpak now uses variant-schema-compiler to generate more efficient code for
   parsing GVariant files from ostreee.
 * libsystemd use is now optional in configure.
 * Journal sockets are mounted readonly
 * document-export now supports exporting directories (requires new portal version)
 * DConf migration now allows version numbers in object paths

Changes in 1.6.3
================

The main change in this version is a fix for a regression in the progress calculation
for applications using extra-data. Additionally the bundled version of bubblewrap
is updated to 0.4.1 which fixes a security issue in some cases. See
  https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
for details.

Other changes:
 * Updated translations
 * Don't break if users primary gid is not in the nsswitch database
 * Fix crash in flatpak repair if no remotes are configured
 * Some updates to the oci authenticator
 * Retry downloads of extra data

Changes in 1.6.2
================

Due to a combination of some behaviour in flatpak and recent versions of ostree we at some
point lost the use of deltas for the initial install case, instead always falling back
to a full ostree operation which is a lot less efficient for pulls with many small files
like a runtime. This caused some very slow installs from e.g. flathub, so I recommend
everyone update to this version to get better install performance.

Other changes are:
 * We now correctly handle TMPDIR env var overrides when bwrap is setuid
 * Disallow running "flatpak run" under sudo (as it doesn't work and causes issues)
 * Fix build with older versions of glib
 * Minor documentation updates
 * Updated translations

Changes in 1.6.1
================

This is a (mild) security update. Flatpak 1.6.0 added the ability for an application to request it to be
updated, as long as the new version doesn't require new permissions. Unfortunately in some special cases,
if an app had acces to the home directory, but not the rest of the filesystem it would still allow a
self-update where the new version could access some files outside the home directory..

This is fixed in this version, and all users of 1.6.0 are recommended to update.

Other changes are:

 * New permission --device=shm giving access to host /dev/shm, as needed for jack.
 * Generated correct download size in build-commit-from
 * sub-sandbox now allows the child to share the gpu of the caller has full device access
 * Fix crash with disabled remotes
 * Fix builds with older versions of glib
 * Update translations

Changes in 1.6.0
================

This is the first stable release in the 1.6 series, main changes
since 1.4 is the support for protected content and improvements
in the self-sandboxing support.

There is one change in the support for OCI remotes, we now
only support the use of labels, not annotations, as labels
work with more registries. This means pre-existing OCI flatpak
registries (like fedora) may need some changes.

Changes since 1.5.2:
 * New permissions --socket=cups for direct cups access
 * Fix some leaks
 * Fix reporting of progress with latest version of ostree
 * New no-interaction flag for authenticators
 * Support for auto-installing authenticators from a flatpak remote
 * Warn less about unset XDG_DATA_DIRS
 * Don't poll for updates in the portal when on a metered connection

Changes in 1.5.2
================

This version has further changes to the protocol and API for handing
authentication, in order to make it more flexible and futureproof. The
sample authenticator has been updated to the new APIs. Flatpak now
ships with a OCI authenticator that can be used to access private OCI
registries.

FlatpakTransaction now also has a callback for simple user/password
authentication for an authenticator (the basic-auth-start signal)
modeled on HTTP basic authentication. This is handled in the flatpak
CLI by interactive prompts on the terminal. This is needed by the OCI
authenticator, but can also be used by other authenticators that have
simple authentication requirements.

There were also some fixes to the new self-sandboxing support of the
flatpak spawn portal, allowing webkit to use it.

Other changes:
 * Show background status in flatpak ps
 * Improved docs and help output
 * Fix support for fd forwarding and the allow_a11y flag in the sandboxing portal
 * Some improvements to the new permission-set command
 * New remote option that allows settting the default token type (mostly for debugging)



Changes in 1.5.1
================

The major new feature of this is the support for protected applications and the system
around authenticting downloads to it. This is not considered stable yet, but this release
has the initial work to make it possible for developers to play around with this. I
will send out a separate mail about this later.

Other changes:
 * Flatpak now bundles bubblewrap 0.4.0, and requires 0.4.0 to use the system bubblewrap.
 * Optional support for parental controls using libmalcontent.
 * Transaction now installs extensions before apps to ensure we have a working app immediately after install.
 * Changes in temporary file use makes flatpak run work better in low disk space situations.
 * flatpak enter now works without sudo, and works better in general.
 * New features for the flatpak portal:
   * Support starting a sub-sandbox with the child processes visible in the original sandbox.
   * Support adding some kinds of permissions to sub-sandboxes
 * New commands flatpak permission-set and permission-remove
 * flatpak install CLI now always shows what kind of operations everything is.
 * libflatpak now returns apps as updatable if doing so would auto-download missing extensions or runtimes.
 * new API: flatpak_transaction_get_no_(deploy|pull).
 * We can now store locale info in the extra-languages key (in addition to the country code).
 * remote-ls and list --app-runtime now only shows apps, no runtimes.
 * Stop using mirror refs and delete any useless mirror refs you might have in your repo.
 * Fix busy-loop regression in revokefs-fuse in 1.5.0

Changes in 1.5.0
================

 * New options flatpak install --or-update operation.
 * New command flatpak mask allows pinning version and avoiding auto-downloads.
 * Support self-updates and update monitoring in the flatpak portal.
 * Fix updates of exported services with dbus-broken.
 * Don't show arch columns in terminal outout if all are the same.
 * Fix some cases where origin remotes were not properly removed.
 * flatpak-session-helper now links to more libraries.
 * OCI: Support images tagged with labels as well as annotations.
 * OCI: Alway generate a history for images.
 * OCI: Support docker mimetypes in addition to OCI mimetypes.
 * Uninstall now always work, even if the remote it came from was force removed.
 * New config key default-languages that allows additions to the system list
  instead of overriding it.
 * Various minor tweak to CLI behaviour and output.

Changes in 1.4.3
================
 * Fix crash in revokefs.
 * Handle 'versions' extension key (in addition to 'version') when
   checking for local extensions, which was causing us to uninstall
   some actually used extensions with uninstall --unused.
 * The 'required-flatpak' metadata key now supports listing multiple
   versions to support backported features.
 * Fix crash with older versions of polkit.
 * Fix installation of bundles.
 * Fix crash on deploy error.
 * Support building bundles of apps installed from a remote.
 * OCI: Fix handling of locally cached icons.
 * Fix crash when listing unconfigured remotes.
 * Ignore differences in trailing slashes for repo uris.

Changes in 1.4.2
================

 * Support extra_data in extensions.
 * Handle double slashes ("//")in XDG_DATA_DIRS.
 * Fix detection of local related refs.

Changes in 1.4.1
================

*WARNING* *WARNING* *WARNING*

There was an accidental ABI break in libflatpak in 1.4.0 compared to
the 1.2.x ABI which caused crashes in apps like gnome-software.

This has been fixed in this release so it is now ABI compatible with
1.2.x, but *NOT* compatible with 1.4.0. It is recommended that all
distributions that shipped 1.4.0 update to 1.4.1 and rebuild all
dependencies of libflatpak.

 * Make ABI compatible with 1.2.x
 * Update translations
 * Fix some potential crashes
 * Fix some corner case where it was impossible to remove a remote
 * Restore support for file: uris in the RuntimeRepo key in flatpakref files

Changes in 1.4.0
================

This is the new stable series, ending the 1.3.x series. The major changes
since the 1.2.x is the improved I/O use for system-installed applications,
and the new format for pre-configured remotes.

 * Recalculate download-size when moving between repos in
   build-commit-from.
 * New library error FLATPAK_ERROR_REF_NOT_FOUND returned instead of
   G_IO_ERROR_NOT_FOUND.
 * Fix installed tests when running on a tty.
 * Fix a double-set of a GError.
 * Grant more permissions on the /run/host/monitor directory to
   work with e.g. toolbox on the host.

Changes in 1.3.4
================

This version changes how default remotes are configured. We still
use files in /etc/flatpak/remotes.d, however instead of the old
*.conf files we now use regular flatpakrepo files, and the first
time you use flatpak these are automatically imported.

The advantage of this new model is that the configuration is imported
once, but then becomes writable and removable, just like a manually
added remote. In the previous model the remote was always there and it
was impossible to change or remove.

However, this means that anyone currently shipping a .conf file with
a distro needs to change this to a .flatpakrepo file.

 * Support for flatpakrepo files in /etc/flatpak/remotes.d
 * Support for client side filtering of a remote. This allows you
   to limit what apps are seen from a remote, using either a whitelist
   or a blacklist model.
 * Add library API to easily add remotes from flatpakref files.
 * Fix the dconf support.
 * Fix app updates in system-wide OCI remotes.
 * Fix CLI completion if G_MESSAGES_DEBUG is set
 * Add a docker seccomp profile for running flatpak inside a container.
 * Look for the new default dbus session socket at $XDG_RUNTIME_DIR/bus
 * Improve ability to pull from multiple p2p sources (needs latest ostree).

Changes in 1.3.3
================

 * Fixed a crash in the system helper that made installation via
   the helper sometimes not work.
 * Fix build with older versions of glib
 * The list and remote-ls output is now less wide, not showing the
   appdata summary by default and only showing the archtecture and
   origin if necessary (i.e. not if its the same for all rows).
 * flatpak remote-ls now filters end-of-lifed apps by default.
 * flatpak permission-reset now supports --all
 * Flatpak now works will all set values of umask.
 * The flatpak profile.d snippet now works if flatpak is not installed
   (in case it gets left over after deletion).
 * Fixed flatpak install --noninteractive still asking questions in some cases.
 * flatpak now returns a failure exit status if you abort the operation early.
 * flatpak remote-ls and remote-info now supports --cached to prefer
   using locally cached data.
 * libflatpak grew a FLATPAK_QUERY_FLAGS_ONLY_CACHED that allows you to
   get at locally cached data about remotes without doing network i/o.
 * Documentation updates

Changes in 1.3.2
================

This release contains a major change in how flatpak does system-wide
installation as a user. We used to pull into a temporary user-owned
directory and then ask the flatpak system-helper to import from this
directory. Unfortunately, since we can't trust the user directory
it had to copy these files as they were being imported, which caused
unnecessary i/o, as well as temporarily using more diskspace.

The new setup uses a new custom fuse filesystem which the user writes
to, and then when this is done we can safely revoke any access to this
from the user, meaning the files can be directly imported into the
system repository without needing to make a copy.

However, this makes packaging flatpak a bit more complex, as we now
require flatpak to have a user. By default flatpak will look for a user
called "flatpak", and for the new feature to work you need to create
it in your package. If you want to use a different name you can specify
that in configure as --with-system-helper-user=USERNAME.

Additionally, the new code passed a unix socket over the system bus, which
is prohibited by the default selinux policy. To work around this flatpak
now ships with a custom selinux module (enable with --enable-selinux-module).
For the new feature to work you need to install this module and ensure
the flatpak-system-helper binary gets the proper selinux context.

Other changes:

 * We now support specifying a rebasing version of end-of-life, where
   the clients will be asked if they want to use the new version. At
   runtime any old per-user application data will be migrated to the
   new name. Note: This works for the CLI app, but needs some changes
   for installers to take advantage of the automatic rebasing.
 * New permission --socket=pcsc for access to smart cards.
 * We now store the description, comment, icon and homepage fields from
   the flatpakrepo files in the remote confiuration and have new library
   APIs to read these back.
 * The fields above are now also settable in a repo and changes to these
   can propagate to clients.
 * run now tries the determine what branch to use when you run a runtime.
 * Print maximum icon size when icon-validator fails.
 * flatpak override can now disallow access to a dbus name.
 * flatpak list now has a new runtime column

Changes in 1.3.1
================

This release fixes CVE-2019-10063.

It has been discovered that the previous fix for CVE-2017-5226, which uses
seccomp to prevent sandboxed apps from using the (dangerous) TIOCSTI ioctl
was only incomplete on 64bit arches. This is now fixed.

 * seccomp: Only compare the low 32bit of the TIOCSTI ioctl args.
 * Fix the required runtime prompt during installation.
 * When installing, only check dependencies from the same installation.
 * flatpak list --arch now works correctly again.
 * Create origin symlinks in appstream branch for libappstream compat.

Changes in 1.3.0
================

This is the start of a new unstable series, targeting stable release
as 1.4.0.

Major changes:

 * Support systems with multiple nvidia devices
 * Checks are update output are green again
 * Fix support for systems like gentoo where /var/run is a symlink.
 * Initial support for sandboxed dconf support.
 * build-update-repo: New options --no-update-[summary,appstream] and
   --static-delta-ignore-ref=PATTERN.
 * Regenerating the appstream branch is now much faster for large
   repositories.
 * We no longer limit the size of svgs in the icon validator.

Changes in 1.2.3
================

This release fixes CVE-2019-8308.

The CVE-2019-5736 runc vulnerability is about using /proc/self/exe
to modify the host side binary from the sandbox. This mostly does not
affect flatpak since the flatpak sandbox is not run with root permissions.
However, there is one case (running the apply_extra script for system
installs) where this happens, so this release contains a fix for that.

 * Don't expose /proc in apply_extra script sandbox.

Changes in 1.2.2
================

 * Reverted green checkbox as they caused table alignment issues
 * Fix a division by zero if the terminal reports a zero terminal
   width (which happens in the flathub build environment).

Changes in 1.2.1
================

 * Ensure flatpak builds with older versions of glib and appstream-glib.
 * build-commit-from: Fix the new --extra-id option.
 * build-export: Allow disabling the sandboxing of the icon validator and
   do so during the tests.
 * profile: Don't break if debug logging is enabled.
 * Better handling of the appdata release attribute.
 * Don't install polkit agent when not needed, avoiding some unnecessary
   log lines in some cases.
 * Fix the output of the sandboxed icon validator not being visible.
 * builld-init: Allow specifying a full ref for the sdk, which is used to
   select the branch name when checking sdk extensions.
 * Make the ok checks in the output green

Changes in 1.2
==============

 * Ensure DeployCollectionID works in flatpakrepo files in all cases.
 * Don't error out with empty installations in uninstall.
 * Add helper that validates icon files during export.
 * Don't allow root to modify the (non-root) per-user flatpak installation,
   as this risks causing problems later.
 * Remove some incorrect warnings from flatpak repair.
 * Allow multiple name segments after prefix when exporting files.
 * Allow specification of ellipsization in --colums options.
 * Handle dates as well as timestamps in appdata
 * Fixed a bug where flatpak remote-delete removed too many refs.
 * Now we use raw terminal mode during a transaction to a avoid problems with input
   during the operation causing problems with escape sequences.
 * Generate a fontconfig directory remapping snippet as will be needed
   for newer versions of fontconfig.
 * Support --extra-collection-id in build-commit-from to bind the commit
   to multiple collection ids. This is work in progress in ostree.

Changes in 1.1.3
================

 * Various fixes to the CLI output changes
 * New flatpak --installations option to list all installations
 * Extract license info from appdata among with the other fields.
   This is shown in e.g. info and remote-info, and has library API.
 * install/update/uninstall now has --noninteractive option with less output
   that is useful when called from scripts, etc.
 * --devel is now properly forwarded to sub-sandboxes using the flatpak portal.
 * Drop dependency on libappstream-glib from libflatpak.
 * Initial support for exposing the system dconf defaults to the sandbox.
 * We now create deploy refs for the deployed commits to avoid a prune removing
   objects that are in use.
 * Ask about removing all refs when deleting a remote.
 * New environment generator that handles custom installations,
   replacing the old dbus service config file.
 * Documentation updates
 * More robust completion
 * Try to report out-of-space errors better.
 * Add more tests.
 * Various improvements to the repair command.

Changes in 1.1.2
================

 * Refreshed the CLI output layout, in particular the install/update progress
   and application list/info commands.
 * The host XDG_{DATA,CONFIG,CACHE}_HOME env vars are now available as
   with the HOST_ prefix in the sandbox.
 * FLATPAK_ID is set to the app id in the sandbox (this previously
   only happened in flatpak build).
 * The spawn portal command now has a kill with parent option.
 * Flatpak shells now have custom prompts
 * New library APIs: Access to deployed appstream data, list unused refs.
 * Flatpak run now has --cwd option.
 * New option --static-delta-jobs to limit number of parallel delta
   generation jobs in build-update-repo.
 * Fixed critical warning with newer policykit versions.

Changes in 1.1.1
================

 * New libflatpak function: flatpak_remote_get_main_ref()
 * Various changes to the policykit rules in order to cause less, and
   more understandable policykit authentication dialogs.
 * Give DRI apps access to more nvidia device nodes required for CUDA/OpenCL support.
 * search now doesn't search noenumerate remotes.
 * Renamed operations permission-list to permissions and document-list to
   documents. The old names are still supported as aliases.
 * New property 'non-interactive' for installations that allow frontends
   to do background updates without triggering policykit authentications.
 * New flag in HostCommand to allow killing the child process when
   the spawner exits the session bus.
 * Flatpak now authenticates on the terminal in case there is no desktop-wide
   policykit agent.
 * update with no arguments now updates all installations (i.e. also custom
   systemwide installations).
 * Use system helper to generate summary files for OCI remotes.
 * Better progress reporting for OCI downloads.
 * New conditional extension download feature, 'on-xdg-desktop-FOO'  which downloads
   when XDG_CURRENT_DESKTOP matches FOO.
 * More sockets are now mounted read-only in the sandbox
 * Updated docs, error messages and translations


Changes in 1.1
==============

This is the first release in the new unstable 1.1.x series, leading up to 1.2
which is expected around the end of the year.

Changes in this version:
 * New command flatpak kill to kill running flatpak instances.
 * The remote argument is now optional in the flatpak install in
   interactive installs. Instead you are prompted for which
   remote to install from.
 * All commands printing tables now support --columns option to specify
   exactly what to output.
 * flatpak uninstall now supports --delete-data to delete the application
   data directory in your homedirectory. If no application is specified
   it will remove data from all uninstalled apps.
 * flatpak list now supports filtering by runtime with:
   --app-runtime=org.gnome.Platform//3.24
 * flatpak remote-ls can now show the runtime used for each app.
 * flatpak repo now supports --info to show information
   about a repository, and it is the default operation
   for the flatpak repo.
 * flatpak repo now supports --commits to list commits in branch.
 * flatpak now logs transactions to the systemd journal if built
   against libsystemd.
 * libflatpak now exposed FlatpakInstance for a running instance.
 * Better error output if a flatpak command is misspelled
 * Drop support for migration from xdg-app (previous name for flatpak).
 * New library function flatpak_installation_get_min_free_space_bytes.
 * In interactive mode "yes" is now the default in most prompts.
 * Bumped ostree requirement to 2018.9
 * Cleanups and improvements to the test suite.
 * Improvements to documentation.
 * buildsystem support for coverage generation.

Changes in 1.0.6
================

This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir (somewhere
in /var/lib/flatpak/app). Setuid support is disabled inside flatpaks,
so such files are only a risk if the user runs them manually outside
flatpak.

Installing a flatpak system-wide is needs root access, so this isn't a
privilege elevation for non-root users, and allowing root to install
setuid files is something all traditional packaging systems
allow. However flatpak tries to be better than that, in order to make
it easier to trust third party repositories. Thus, it is recommended
that all distros update to this version, or backport commit
b98e09b20dfab896616b4a65e15c31f684a5f9f2.

Changes in this version:
 * The permissions of the files created by the apply_extra script is
   canonicalized and the script itself is run without any capabilities.
 * Better matching of existing remotes when the local and remote configuration
   differs wrt collection ids.
 * New flatpakrepo DeployCollectionID replaces CollectionID, doing the
   same thing. It is recommended to use this instead because older versions
   of flatpak has bugs in the support of collection ids, and this key
   will only be respected in versions where it works.
 * The X11 socket is now mounted read-only.

Changes in 1.0.5
================

There was a sandbox bug in the previous version where parts of the runtime
/etc was not mounted read-only. In case the runtime was installed as the
user (not the default) this means that the app could modify files on the
runtime. Nothing in the host uses the runtime files, so this is not a direct
sandbox escape, but it is possible that an app can confuse a different app
that has higher permissions and so gain privileges.

So, it is recommended that everyone shipping flatpak to update to
1.0.5, or at least backport the change in commit
6711d7ae99c50a9dca8e4e2e9e9989a8fa6c3f06.

Changes in this version:

 * Make the /etc -> /usr/etc bind-mounts read-only.
 * Make various app-specific configuration files read-only.
 * flatpak is more picky about remote names to avoid problems with storing weird
   names in the ostree config.
 * A segfault in libflatpak handling of bundles was fixed.
 * Updated translations
 * Fixed a regression in flatpak run that caused problems running user-installed
   apps when the system installation was broken.

Changes in 1.0.4
================

 * Flatpak 0.99.1 removed the inheritance of permissions from the runtime due
   to concerns with dynamic app permissions. Due to popular requests, this
   version re-introduces such inheritance, but does it instead at build time.
   This solved the issues with dynamic permissions while still allowing runtimes
   to have default permissions. Apps can disable this by passing
   --no-inherit-permissions to build-finish.
 * The sandbox now always includes a /etc/timezone file, following the (old)
   debian standard for this. This is needed, because the more modern way
   of exposing the timezone name by having /etc/localtime be a symlink
   into /usr/share/zoneinfo doesn't work when exposing the host timezone.
 * All apps now have automatic permissions to own their own app id as a
   subname of org.mpris.MediaPlayer2.
 * We now properly re-load remote state in FlatpakTransaction if the
   metadata was updated for the remote.
 * The signature of the FlatpakTransaction::operation-done signal was wrong
   in the header and has now been corrected to the signature that is actually
   emitted.
 * A crash was fixed when reading invalid .flatpakref files.
 * A crash during updates when a local ref was unexpectedly missing was fixed.
 * An error case on uninstalling was incorrectly returning success even
   thought there was an error.
 * flatpak_installation_modify_remote did not correctly save the nodeps state.
 * flatpak_installation_load_app_overrides() was improperly returning freed
   memory.
 * The tarball now ships with an icon (flatpak.png).

Changes in 1.0.3
================

 * run: You can now use --system to run an app that otherwise would run the
   user version.
 * New permission --allow=canbus that filters out access to AF_CAN sockets.
 * lib: New install flags FLATPAK_INSTALL_FLAGS_NO_TRIGGERS and new function
   flatpak_installation_run_triggers()
 * lib: Better error reporting, including some new error values that
   replace the generic FAILED.
 * uninstall --unused: Improve handling of which .Locale extensions are used
 * run: Make flatpak run on systems where $XDG_RUNTIME_DIR contains a symlink
   beneath /var (commonly /var/run -> /run).
 * Don't export any desktop/dbus/mimetype files in subdirectories.
 * build-init: We now record the base ref (if used) in the metadata. Nothing
   uses this atm, but it can be used by tools.
 * We now respect the upstream ostree.deploy-collection-id instead of the
   flatpak-specific xa.collection-id metadata key to decide whether to switch
   to collection ids for a remote. This is useful, because if you use the
   new one, only new clients (that support it better) will use it.
 * create-usb: Fix assertion failure in some error cases
 * create-usb: Always create archive-z2 repos
 * create-usb: Don't create unnecessary summary in repo
 * permissions: Avoid errors if there is no permissions table
 * repo: Fix flatpak repo sometimes using the wrong ostree-metadata ref.
 * Avoid fsync when updating $installation/.changed.
 * Add the missing appstream2 ref to the xa.cache metadata
 * The test-suite got some modifications to make it easier to maintain.
 * Documentation updates
 * Translation updates

Changes in 1.0.2
================

 * The dbus proxy is now available in a separate git module, xdg-dbus-portal,
   which is imported into flatpak as a submodule. It is possible to build
   flatpak against the system xdg-dbus-portal instead, but this is not currently
   very useful as no other applications yet depend on xdg-dbus-portal.
 * Build regressions with older versions of glib have been fixed.
 * Flatpak ps now also tracks the pid the main process inside the sandbox.
 * Added flatpak override --reset to reset overrides for an app.
 * Added flatpak override --show to show overrides for an app.
 * flatpak install now automatically pick user or system based on the remote
   name given (unless the remote exists in both).
 * flatpak uninstall --unused now does not remove SDKs if some installed app
   refers to them.
 * Fixed bug where flatpak uninstall --unused prompted for uninstall twice.
 * Set IO class on the system helper to "idle", which should cause backgroun
   updates to affect the system less.
 * Fixed regression in flatpak uninstall --no-related.
 * Better handling of empty collection ids in flatpak bundles.
 * Cleaned up some error messages.
 * Various documentation fixes and cleanups.
 * Updated translations.

Changes in 1.0.1
================

This fixes various build and test failures that were detected when
packaging 1.0, as well as translations and doc updates. It also
has some minor features, including a new subcommand "flatpak ps"
to list the running flatpak instances for your user.

 * Print application tags in the prompt when installing/updating.
 * Make sure we don't accidentally leak the host /proc into
   the sandbox.
 * Translation updates.
 * Added a "flatpak ps" command that lists running flatpak instances.
 * Improve error reporting when exporting documents.
 * Improve detection of dynamic p2p remotes.
 * Build fixes for older versions of glib.
 * Fix threading issue in the OCI support that was causing the
   installed tests to sometimes fail.
 * Fix OCI AppStream support on 32bit architectures.
 * Fix utf8 issue in the dbus API description.
 * Some install fixes to make installed tests work
 * Make the tests work with python3 (as well as python2)
 * Improve introspection annotations in libflatpak
 * Improve libflatpak API docs

Changes in 1.0
==============

Flatpak 1.0 is the first version in a new stable release series. This
new 1.x series is the successor to the 0.10.x series, which was first
introduced in October 2017. 1.0 is the new standard Flatpak version,
and distributions are recommended to update to it as soon as possible.

The following release notes describe the major changes since
0.10.0. For a complete overview of Flatpak, please see
[docs.flatpak.org](http://docs.flatpak.org/en/latest/).

## For users, app developers and distributors

Flatpak 1.0 marks a significant improvement in performance and
reliability, and includes a big collection of bug fixes. 1.0 also
includes a collection of new features, including:

 * Faster installation and updates.
 * Applications can now be marked as end-of-life. App centers and
   desktops can use this information to warn users who have an end-of-life
   version installed.
 * Permissions now use an up-front verification model: users are
   asked to confirm app permissions at install time, if an update
   requires additional permissions, the user must also confirm.
 * A [new portal](https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus-org.freedesktop.portal.Flatpak)
   allows apps to create sandboxes and restart themselves. This allows
   applications to restart themselves after they have been updated (to
   start using the new version), and to increase sandboxing for parts
   of the application.
 * `flatpak-spawn` is a new tool for running host commands (if
   permissions allow) and creating new sandboxes from an app (this
   uses the above portals APIs).
 * Apps can now export D-Bus services for all the D-Bus names they are
   privileged to own (rather than just the application ID).
 * Flatpak's support for OCI bundles has been updated to the latest
   specification. Also, AppData can now be distributed through OCI
   repositories.
 * Host TLS certificates are now exposed to applications, using
   p11-kit-server. This removes a point of friction when accessing
   network services in some environments.
 * Apps can now request access the host SSH agent to securely access
   remote servers or Git repositories.
 * A new application permission can be used to grant access to
   Bluetooth devices.
 * A new `fallback-x11` permission grants X11 access, but only if the
   user is running in a X11 session. For applications that support
   both Wayland and X11, this can be used to ensure that the app
   doesn't have unnecessary X11 access while in Wayland, but still
   works in an X11 session.
 * Peer-to-peer installation (via USB sticks or local network) is now
   enabled and supported by default in all builds.

The Flatpak command line also introduces new commands and options, including:

 * `uninstall --unused` automatically removes unused runtimes and
   extensions (if you've removed all apps that depend on a runtime, or
   all the apps you had depending on it have upgraded to a newer
   version).
 * New `info` options, including `--show-permissions`,
   `--file-access`, `--show-location`, `--show-runtime`, `--show-sdk`.
 * `repair` - fixes broken installs by scanning for errors, removing
   invalid objects and reinstalling anything that's missing.
 * `permission-*` - allows interaction with the portals permissions
   store. This is useful for testing and for getting back to a clean
   state.
 * `create-usb` - can be used to prepare an repository to be used as a
   local updates source.

Finally, the command line has a collection of other improvements, such as:

 * If `--system` or `--user` aren't specified, one is automatically
   picked if it is obvious (or it will ask if the correct option isn't
   obvious).
 * The `install`, `update` and `uninstall` commands now ask for
   confirmation of changes before proceeding, in order to prevent
   mistakes, and to show the required application permissions.
 * The `uninstall` command now does not allow you to remove a runtime
   if some installed application requires it.
 * `flatpak remove` is now an alias for `flatpak uninstall`.

## For Linux distributors, OS and platform developers

 * Flatpak no longer requires a filesystem that supports `xattr`.
 * Portals are now more cleanly separated from Flatpak, thanks to the
   document portal and permission store having been moved to
   `xdg-desktop-portal`. It is recommended that the flatpak package has
   a weak dependency on `xdg-desktop-portal`.
 * `libflatpak` now has a transaction API for install, update and
   uninstall operations. This means that it is much easier to use as
   the basis of app centers and other graphical app management
   software.
 * Flatpak now sets several HTTP headers when installing applications,
   which make it easier for Flatpak repositories to log things like
   app download statistics and Flatpak versions in use.
 * It is now recommended that Flatpak packages add a dependency on
   p11-kit-server, as this allows apps to access host
   certificates. However, this does not need to be a hard dependency.
 * Requires bubblewrap 0.2.1 or later, and comes bundled with 0.3.0.
 * Requires OSTree 2018.7.

Major changes in 0.99.3
=======================

 * Fixed case where system install would sometimes fail
   due to the system-helper idle exiting.
 * Support installing flatpakref files in FlatpakTransaction,
   including a new signal add-new-remote for when remotes
   might be added.
 * Added some new FlatpakError codes.
 * We now support .flatpakrepo files with no gpg signatures
 * Fix crash in system-helper when updating appstream
 * New command create-usb which can be used to prepare
   an repo for offline updates.
 * Fix some non-handled cases of the CLI not working when
   /var/lib/flatpak doesn't exist.
 * Fix crash when running with a gid that is not in
   /etc/groups.
 * Add new permission-* commands to interact with the
   permissions store from the portals.
 * Include appdata in OCI bundle.

Major changes in 0.99.2
=======================

 * Fix race condition on instance id allocation
 * Translation updates
 * Build fixes for new glibc versions
 * Build fixes for new libsoup versions
 * Build fixes for old glib versions

Major changes in 0.99.1
=======================

This is the first pre-release before flatpak 1.0. This is considered
feature-complete and we expect no features or major changes before
1.0, only bugfixes.

Note: There were some (minor) API changes in the FlatpakTransaction
APIs that were added in 0.11.8, so please don't use the old
version. (Note: I know of no user of this API).

Changes since last minor release:
 * Ostree 2018.6 is required, and with this, the p2p code in
   flatpak is made non-optional.
 * flatpak install/update/ininstall now lists all the operations
   that it will do and asks for confirmation before starting.
 * In the above confirmation the permissions (new permissions
   for updates) are shown for all applications.
 * The FlatpakTranscation API has a new ::ready signal that
   allows users to do similar confirmation prompts.
 * P2P updates are more efficient
 * system-wide installation uses less fsync calls so should
   installation should be faster.
 * New ssh agent permissions allows granting an app
   ssh access.

Major changes in 0.11.8.3
=========================

 * Fix a 25 second timeout on startup if using p11-kit < 0.23.10
 * Minor change in dbus proxy default filter, now broadcasts are
   not accepted from portals.

Major changes in 0.11.8.2
=========================

 * Fix crash when building some apps
 * Allow multiple appstream components per app
 * Fix handling of gl drivers in uninstall --unused
 * Don't prompt if nothing changed in uninstall --unused
 * Longer timeouts in test suite
 * Updated translations

Major changes in 0.11.8.1
=========================

 * Fixed regression running apps with --own=* permissions

Major changes in 0.11.8
=======================

 * Flatpak uninstall now accepts --all to remove everything and --unused to remove unused
   runtimes.
 * New command "flatpak repair" allows checking and repairing a flatpak installation.
 * New permission --allow=bluetooth allows use of AF_BLUETOOTH sockets
 * If p11-kit-server is installed on the host, this is now used to forward the host
   certificate trust store to the sandboxed app.
 * New transaction API in libflatpak that makes it much easier to implement
  installation and updates in frontends.
 * Flatpak uninstall now does not allow you to remove a runtime if some installed app requires it.
 * We now have tab-completion for zsh.
 * New installations of flatpak now defaults to bare-user-only repos, which means
   that it works with filesystems that don't support xattrs.
 * New flatpak info options: --show-location, --show-runtime, --show-sdk
 * New flatpak remote-info options: --show-runtime, --show-sdk
 * p2p operations now work when offline.
 * Work around hanging on app startup on blocking autofs mounts.
 * The dbus proxy filtering now works matches the new dbus containers filtering API.
 * Various optimizations make installation and updates faster. In particular
   operations like running triggers and pruning only happens once per
   install/update operation.
 * We now respect multiple extension versions matches when auto-downloading extensions.
 * New http header Flatpak-Upgrade-From sent when upgrading.
 * Commands like "flatpak info/list/remotes/search" now work properly if /var/lib/flatpak doesn't exist.
 * The bubblewrap version required for system-bwrap is now 0.2.1.

Major changes in 0.11.7
=======================

 * Fix regression in installing .flatpak bundles

Major changes in 0.11.6
=======================

 * Further work on the export filename regression, now also fixes the
   same issue as in 0.11.5 but in flatpak build-finish.
 * Fix segfault when installing from .flatpakref in gnome-software
 * Build yacc parser from source.
 * Don't tab-complete Sources/Locale/Debug extension by default.
 * Fix tests on debian.

Major changes in 0.11.5
=======================

 * Fix a regression which caused installation of epiphany and
   other apps that export multiple .service files to fail.
 * Fix appstream updates in p2p mode.
 * Don't distribute generated gdbus code with tarball.
 * Add documentation for the flatpak portal

Major changes in 0.11.4
=======================

 * flatpak remove is now an alias for flatpak uninstall.
 * flatpak uninstall now picks system or user automatically if not specified
 * New appstream branch format which is more efficient to distribute,
   the old is still generated for backwards compat.
 * Appstream data now contains compatible arches (for applications
   that doesn't exist for the primary arch). For example, an
   i386-only app is now listed in the x86-64 appstream.
 * The flatpak version is included in the user agent when downloading.
 * The Flatpak-Ref http header is set to the currently installing ref when
   downloading.
 * New argument --timestamp in build-commit-from.
 * When updating many apps we now only prune the local repo when all
   updates are done, making multi-app updates faster.
 * flatpak build now always allows multiarch use.
 * flatpak build now mounts app extensions during build.
 * flatpak build-init now supports --extension to add extension points earlier
   than build-finish. Also build-finish now supports --remove-extension.
 * New flatpak portal allows applications to sandbox themselves and restart a
   newer version of themselves.
 * New flatpak run options: --no-a11y-bus, --no-documents-portal.
 * Initial support for end-of-life:ing applications.
 * New option X-Flatpak-RunOptions in exported desktop/files allow you to specify
   no-a11y-bus and no-documents-portal.
 * Support for tagged extension points, which is useful if you want to use
   the same extension id (but maybe different versions) multiple times in an app.
 * We now export .service files for names that the app is allowed to own on
   the session bus.
 * libflatpak got new methods for listing remotes by type.
 * libflatpak now has support in FlatpakRemoteRef for getting remote metadata
   such as end-of-life, download size, metadata etc.
 * There was some internal restructuring on how installs/updates are done
   which should improve performance and maintainability.

Major changes in 0.11.3
=======================

 * Fix "open with" and flatpak run --file-forwarding crash
 * Fix build with glibc 2.27

Major changes in 0.11.2
=======================

 * Remove fuse dependency, since we don't ship document portal anymore
 * Fix various issues with /home being a symlink to /var/home (atomic)
 * Allow downgrades when using collection ids
 * Search on all supported architectures

Major changes in 0.11.1
=======================

This release removes the document portal and the permission store as they
have been added to xdg-desktop-portal 0.10. Packagers need to update
these two in lock-step. Flatpak technically doesn't depend on
xdg-desktop-portal, but it is recommended that the flatpak package
depends on xdg-desktop-portal in some way, because most flatpaks will
want it.

 * Remove document portal and permission store
 * Add --socket=fallback-x11 permission
 * Fix dbus proxy vulnerability in authentication phase
 * Allow personality syscall in devel mode
 * commit-from: Migrate static deltas with commit
 * Add "network" storage type for installations
 * Add flatpak info --show-permissions
 * Add flatpak info --file-access
 * search: Update appstream (if stale) before searching
 * Make libflatpak work when /var/lib/flatpak is empty
 * build-bundle: Add --from-commit option
 * Allow appstream ids that don't end in .desktop
 * Make permission handling ignore unknown permissions for forwards
   compatibility
 * Removed incorrect error message in update --appdata when there
   was no updates
 * Fix handling of abort in the duplicate remote prompt
 * Fix division by zero in progress calculation
 * Fix flatpak remote-info --show-metadata
 * Fixed crash when installing some flatpak bundle files
 * Fix installation of telegram
 * remote-ls -u only considers app from the origin remote
 * Fix assertion error in extra-data progress reporting
 * Report nicer errors when trying to downgrade as non-root
 * pulseaudio: Try to find pulseaudio socket better
 * Fixed some warnings reported by coverity
 * Cleaned up code by splitting up some large source files

Major changes in 0.10.2
=======================

 * Flatpak now requires OSTree 2017.14
 * flatpak update now updates from both system and user installations
   by default.
 * flatpak update is less noisy when updating appstream info.
 * All the remote-* commands now by default automatically decide to use
   --user or --system based on the given remote name.
 * flatpak remote-ls with no remote lists the content of all remotes
 * Fixed regression that made xdg-user-dirs and theme selection
   for kde apps break.
 * flatpak override with no argument now overrides globally, i.e. for
   all apps.
 * flatpak override now supports --nofilesystem properly. For example
   flatpak override --nofilesystem=~/.ssh hides the ssh dir for all
   apps, even those who have homedir access.
 * flatpak install now takes a --reinstall argument which uninstalls
   a previously installed version if necessary. This is very useful
   when you want to install a new version from a different source.
 * flatpak install now allows you to pass an absolute pathname as
   remote name, which will create a temporary remote and install
   from that. The remote will be removed when the app is uninstalled.
   This is very useful during development and testing.
 * Flatpak now creates CLI wrappers for all installed apps, so if you
   add /var/lib/flatpak/exports/bin or ~/.local/share/flatpak/exports/bin
   to your PATH you can easily  start flatpak apps by their application id.

Major changes in 0.10.1
=======================

 * New command "flatpak remote-info" shows information about applications
   in a remote. In particular the --log operation shows the history and
   can be used in combination with flatpak update --commit=XYZ to roll
   back to a previous version.
 * New command "flatpak search" which allows you to search the appstream
   data from the commandline.
 * flatpak update now updates appstream data for all confured remotes, which
   is important for search to work.
 * Allow automatic installation of gtk themes matching the active theme.
 * Handle the case when /etc/resolv.conf is a symlink
 * /usr an /etc are now expose in /run/host in the app if the app has
   full filesystem access.
 * flatpak remote-add now works as a user when /var/lib/flatpak is empty,
   allowing flatpak to work on stateless systems.
 * Add support for flatpak build --log-session/system-bus, similar to
   what flatpak run already does.
 * flatpak build --readonly runs with the target directory (normally /app)
   mounted read-only.
 * Fall back to LD_LIBRARY_PATH if a runtime doesn't have /usr/bin/ldconfig.
 * Updated the support for OCI remotes. This is work in progress and still
   disabled by default though.

Major changes in 0.10
=====================

This is the first release in a new series of stable releases called
0.10.x. New features will be added to 0.11.x, and bugfixes will be
backported to 0.10.x. During the early phase of the 0.10.x series we
may also backport minor features, but we guarantee backwards
compatibility.

Changes since 0.9.99
 * Added the flatpak config option which can set the language settings
 * Fix issue where sometimes ld.so.conf were not generated
 * /dev/mali0 is added to --device=dri
 * Work around ostree static delta issues in some cases

Major changes in 0.9.99
=======================

 * Requires ostree 2017.12 for important pull stability fix
 * New libflatpak API: flatpak_dir_cleanup_undeployed_refs, flatpak_installation_prune_local_repo,
    flatpak_installation_remove_local_ref_sync, flatpak_installation_cleanup_local_refs_sync
 * build: FLATPAK_ID and FLATPAK_ARCH are now set in the environment when building
 * update: Don't fail the entire update if some remote fails to update its metadata
 * run: /.flatpak-info now lists exact commits and extensions in use
 * run: We now use a per-app ld.so.cache file whenn running. This should speed things up,
   and allows ldconfig to report the correct results.
 * The verbose mode was changed into two levels, use -vv to show the more detailed info, which
   currently only contains the full bubblewrap argument lists.
 * run: Some common problematic host environment variables are now unset in the sandbox
   (PYTHONPATH, PERLLIB, PERL5LIB and XCURSOR_PATH)
 * run: Fixed failure when a higher prio extensions depended on a lower prio one.
 * run: The extension ld path order is now: app extensions, app, runtime extension, runtime.
   This was previously incorrect in that the app could override app extensions.
 * Extensions are now not downloaded if a matching unmaintained extension is already installed
 * Preemptive changes to handle new bubblewrap change which doesn't user /newroot
 * document portal: Disable debug spew that was accidentally enabled
 * build-finish: New --extension-priority option
 * run: Fix regression in --persist in 0.9.98
 * run: Use sealed memfds (instead of just temporary files) when passing data to bubblewrap

Major changes in 0.9.98.2
=========================

 * Fix permission denied when using the system-helper

Major changes in 0.9.98.1
=========================

 * run: Fix homedir access if the app has --filesystem=host access
 * build-update: Fix appstream update in case one arch didn't change

Major changes in 0.9.98
=======================

 * libflatpak now correctly finds metadata for subset installations (like locale data)
 * flatpak build now supports --appdir which exposes the per-app directory in the
   user homedir. This is useful when testing builds.
 * The host fontconfig caches are exposed to the sandbox, next to the fonts in /run/host.
   This will (pending fontconfig work) allow sharing host fontconfig caches, allowing
   much faster initial startup for flatpak apps.
 * flatpak install now supports --no-pull
 * Added new extension property "locale-subset", which makes the extension point
   act like a locale extension (i.e. only install the subset configured by the
   locale).
 * flatpak remote-add --oci is disabled for now, as this is not up to date with
   the latest OCI work, and we don't want to break existing deployments if this
   has to change when this lands.
 * Parallel installation/updates are now safe because we take a filesystem lock
   whenever we prune the local ostree repo.
 * Flatpak run now works when important paths like $HOME, etc, are symlinks.
 * The ostree min-free-space property is is set to zero by default for the
   flatpak repos. This was causing a lot of problems for people, but the feature
   is still there if you manually enable it.

Major changes in 0.9.12
=======================

 * Fixed a regression in extra-data installation
 * Don't expose the a11y bus in flatpak build

Major changes in 0.9.11
=======================

 * You can now show all outstanding updates with: flatpak remote-ls --updates
 * The dbus filter "org.name.*" now means all subnames of org.name, not just
   the first level. This matches how dbus arg0namespace works, and how the
   coming dbus container support will work.
 * Fixed segfault on update
 * Better commandline tab completion
 * Flatpak now exposes host icons readonly as /run/host/share/icons to the sandbox.

Major changes in 0.9.10
=======================

 Fix regression in dbus proxy that causes some apps to not
 work in 0.9.9.

Major changes in 0.9.9
======================

flatpak-builder was split out into its own module:
  https://github.com/flatpak/flatpak-builder

 * When downloading to a temporary directory for later install to the
   system repo we now write to /var/tmp instead of $HOME. This is more
   likely to be the same filesystem as /var/lib/flatpak, and thus will
   not run into issues with e.g. filesystem full.
 * We now get the default language list from AccountService if possible.
 * A regression that made --devel crash was fixed.
 * New feature for flatpakrefs, SuggestRemoteName=remotename will cause
   flatpak to ask if you want to create a generic (not app specific)
   remote for the repo url.
 * flatpak build now does not die with the parent by default, you have
   to pass --die-with-parent. This was done because die-with-parent
   uses PR_SET_PDEATHSIG which does not work well if the parent is
   threaded, like e.g. gnome-software is.
 * We now always re-set the personality in the sandboxed process
   in order to avoid inheriting weird settings.
 * We now share a single dbus proxy instance for all proxies for a sandbox.
 * dbus-proxy now properly disallows old-style eavesdropping.
 * We now support accessibility by starting a customized dbus proxy for the
   a11y bus.

Major changes in 0.9.8
======================

Core:

 * Experimental support for peer2peer installation, enable with --enable-p2p
 * Add default language setting to flatpak config. Defaults to all locales for
   system installs and the users locale for per-user installs.
 * build-update-repo: Now always keeps the *two* latest deltas around to avoid
   race conditions with outstanding downloads at the time or running the update.
 * Support loading extra data from local lookaside cache.

Flatpak-builder:

 * Set terminal title to the currently building module
 * Added ability to specify http url for sources mirror with --extra-sources-url.
 * --install-deps-from=REMOTE installs the dependencies needed for the
   manifest.
 * New option --delete-build-dirs to always delete build directories,
   even on a failed build.
 * New property "add-extension" makes it nicer to create extension points.

Major changes in 0.9.7
======================

 * Don't re-download git repo when bundling sources
 * Build modules with no source if buildsystem is "simple"
 * Build cleanups

Major changes in 0.9.6
======================

This version requires the latest ostree version (2017.7) because it
uses a new feature that hardens the security of flatpak. Previously,
if you installed to a system-wide repository, the files created for an
application were as specified by the remote repo, but owned by root,
which could include problematic permissions like setuid or
world-writable. We now never create such problematic files or
directories on disk. Flatpak export was also changed to never
create problematic files in new apps.

Related to this, newly created flatpak installations also use the
new "bare-user-only" mode for the repositories, which means you
can now install applications even if your filesystem does not
support extended attributes.

Other changes:

 * flatpak info --show-metadata now only shows the metadata, in
   a machine parseable way.
 * build-export now records the flatpak version in the commit message
 * builder: The .pyc timestamp fixer now allows .pyc files with no
   corresponding .py file.
 * builder: New feature 'inherit-extensions' lets you copy extension
   info from the parent runtime.
 * builder: Set ExtensionOf in auto-created extensions (like Locale
   and Debug)
 * builder: Setting CPPFLAGS now works

Major changes in 0.9.5
======================

 Changes in flatpak:

 * Fix installation of installed tests
 * Don't show an error when updating if a remote is disabled
 * Store the app id in the X-Flatpak key when exporting a
   desktop file.
 * flatpak run: Handle paths when rewriting %u urls during
   file forwarding.
 * builder: Always assume separate builddir when using meson, as
   meson only works with this.
 * document-portal: The app-specific directory is always accessible
   to the app, take this into consideration for AddFull.
 * builder: Don't warn for unknown keys if they start with x-
 * Fix a race condition when restarting the document portal
 * build-update-repo: Don't list removed deltas in the summary
 * list: Don't show .Locale/.Debug/.Sources by default. Show with -a.
 * remote-ls: Don't show .Locale/.Debug/.Sources, or non-primary
   arches (unless the primary does not exist) by default.
   Show with -a.
 * dbus-portal: Fix handling of NameHasOwner
 * builder: Add --export-only to export a previous build.
 * run: Allow regular files for --filesystem=xdg-config/path
 * run: Allow --filesystem=xdg-config/subdir:ro (previously
   it needed to be writable).
 * build-commit-from: Properly handle xa.ref when rewriting
   refnames.

Major changes in 0.9.4
======================

 Changes in flatpak:

 * Now requires ostree 2017.6 and bubblewrap 0.1.8
 * Better progress reporting in CLI and UI
 * Improved output from commands info, list, remotes,
   remote-ls: More detail, colors, nicer table formatting.
 * New command flatpak repo that lets you show information
   about local repositories.
 * When launching exported desktop files, the paths
   passed to it are automatically created as documents
   to allow access to the arguments, if needed.
 * Flatpak install of an already installed application is
   now a warning, not an error.
 * flatpak build now kills all the processes in the
   sandbox when it exits.
 * flatpak update --subpath=... now updates the app event
   if there is no new upstream version, but the subpath is
   different from what is currently installed.
 * Exports are now whitelisted, and the only thing you can
   export are:
     desktop files, icons, dbus services, mime definitions, and
     gnome-shell search providers
 * Exported gnome-shell search providers are automatically
   disabled by default.
 * Exported mimetypes are rewritten to only allow globs, and to
   make the globs have a low priority vs system mime info.
 * A remote can now redirect to a new URL and/or a new GPG key, by
   using build-update-repo --redirect-url=URL --gpg-import=FILE.
   When clients see this they permanently change the local configuration.
   This is very useful when migrating official repositories.
 * flatpak caches in the homedir are now stored in ~/.cache
   (or $XDG_CACHE_HOME) instead of ~/.local/share/flatpak/system-cache.
 * Added version field to all exported dbus interfaces.
 * New AddFull method in the Document Portal, which allows
   exporting multiple files, as-needed by a particular target
   app. This is useful for implementations of dbus activation
   for desktop files.
 * New flag --no-static-deltas for install/update without
   using static deltas. Mostly useful for debugging.
 * TMPDIR is now unset in the sandbox, if set on the
   host. Each sandbox has a personal /tmp that is used.
 * Flatpak run now works if /tmp is a symlink on the
   host.
 * /etc/hosts and /etc/hosts.conf from the host are now exposed
   in the sandbox in addition to /etc/resolv.conf.
 * Titles and default branches are now automatically updated from
   the remote unless they are explicitly set. You no longer have
   to run flatpak remote-modify --update.
 * Some performance inprovements when installing apps.
 * When exporting a build, the commit objects now always include
   the branchname, the metadata and install/download size.
   The sizes are reused for faster summary building, and the
   others changes are for future use. The fields are verified
   against the deployed metadata during installation, so it
   is trusted.
 * Fixed minor race condition in portal application identification.
 * lib: New  flatpak_installation_update_appstream_full_sync method
   that allows progress reporting.
 * bash-completion: Fix out-of-bounds read that could produce
   weird completion at times.

 Changes in flatpak-builder:

 * Added support for appdata screenshot mirroring.
 * New property "install-rule" lets you change what Makefile rule to
   use in the install phase.
 * The git "commit" property can now specify both a tag object and the
   commit object it refers to.
 * New cppflags property, similar to e.g. cflags.
 * The "env" property now overrides the cflags/cxxflags/ldflags
   properties, to allow these to be reset.
 * Initial checkout of git/bzr to a temporary directory so that errors
   during checkout do not persist.
 * Properly take the "buildsystem" field into account when calculating
   cache freshness.
 * Don't crash if appstream-compose fails.
 * "ldflags" property now works  correctly.

Major changes in 0.9.3
======================
 Changes in flatpak-builder:

 * "rename-icon" renames in translated icons too
 * Moved manifest format docs to own manpage, "flatpak-manifest".
 * "bootstrap.sh" is now recognized as an autogen.sh alternative
 * Fall back to not using rofiles-fuse if it is not available.
 * Make sure flatpak-builder --run grants the app access to dbus.
 * Make paths paths for module includes and module dependencies
   relative to the included module rather than the "base" json file.
 * When cross-compiling 32bit apps on 64bit arches (like i386 on x86-64)
   then we automatically set a linux32 personallity.
 * Print warnings for unhandled json properties.
 * Make sure flatpak-builder --run works if --extra-data is in the
   finish args.
 * Take build-commands into consideration when considering if the
   build cache is stale.
 * Support for --extra-sources= to pre-seed downloaded sources.
 * Support for --bundle-sources which creates a runtime with the sources
   that were used to build the app.
 * Handle trailing whitespace in git submodule uris
 * Progress reporting while downloading files.

 Other changes:
 * build-export now always exports directories as readable and executable.
 * build-update-repo --generate-static-deltas now fork the work process
   rather than using threads, which avoids problems with this using
   a lot of memory in a single process in some cases.
 * Report flatpak version in HTTP request user agent.
 * New "flatpak repo" command added that has some options for maintaining
   a repository.
 * flatpak info can now report more information and handles multiple
   installed branches better.
 * Support non-default WAYLAND_DISPLAY environment var.
 * Handle application ids that end with .desktop when generating
   appstream data.
 * Documentation updates

Major changes in 0.9.2
======================

 * Fixed a use-after-free and some leaks in the dbus-proxy. This
   is not currently believed to be exploitable, but the proxy is a
   security boundary, so we still  recommend to update.
 * Regular updates now never allow updates to an older version
   than what is currently installed (unless you explicitly specify
   an old commit id). This closes a hole where a MITM attacker can
   force clients to downgrade to an earlier (gpg-signed) version of
   the application.
 * The automatic detection of --from in flatpak install now detects
   flatpakref extensions even in URIs that end in a query string such as
   https://git.gnome.org/browse/gnome-apps-nightly/plain/gedit.flatpakref?h=stable
 * OCI support now supports GPG signatures
 * OCI support now works with the system-helper for unprivileged systemwide
   installation.
 * Experimental support for the new ostree bare-user-only repo mode that
   allows flatpak to run on filesystems without xattrs. Set
   FLATPAK_OSTREE_REPO_MODE=user-only in the environment to use this.
 * builder: New property disable-fsckobjects for git sources
 * builder: New property commit for git sources. This lets you specify
   both a tag (for readability) and a commit id (to ensure the tag doesn't
   change).
 * builder: The manifest file format docs have been split out into its
   own manpage.
 * builder: App manifests now support specifying sdk-extensions that has
   to be installed for the app to build.
 * builder: When creating the platform, remove all sdk-specific extensions,
   allowing creation of sdk-specific extensions.
 * builder: Correctly handle absolute pathnames in the specified
   command.
 * builder: Support --default-branch which defined the branch to build in
   case the manifest doesn't specify one.
 * When exporting builds to ostree we now use the canonical permissions
   for bare-user files, which means the resulting builds can safely
   be used with the new ostree bare-user-only repository type.
 * The detection of "unmaintained" system extensions was broken, and
   in some cases these extensions were not found. This now always
   works.
 * Flatpak now builds with latest OSTree. This required some fixing for
   multiple definitions of the g_auto* macros as OSTree now exports
   those.
 * We no longer rely on ostree trivial-httpd for the tests, because
   this is optional in later versions of ostree. Instead we use
   they python SimpleHTTPServer.
 * The minimum glib version has been corrected to 2.44.
 * The minimum automake version has been increased to 1.13.4
   because some older version didn't work.

Major changes in 0.9.1
======================

This release mostly has changes to flatpak-builder and the build
machinery. All flatpaks built with this version can run
on flatpak 0.8.x, but there has been additions and minor
changes in flatpak-builder that may require minor changes
to existing builder manifests, see below.

The flatpak-builder build cache now uses an ostree feature called
rofiles-fuse. This allows the build to work directly against
hardlinked checkouts of the cache, because rofiles-fuse disallows
writes to the hardlinked files (but allows replacing them). This makes
cache commits and checkouts much faster. However, it also means that
installation cannot do in-place modification of files in the
installation directory. There is a new per-module property called
"ensure-writable" that takes a list of patterns and ensures all files
matching them are writable (by manually breaking the hardlinks). This
may need to be added to some manifests to keep them building in the new
version.

The cflags and cxxflags module properties now work by appending,
rather that replacing, when there are multiple values specified. For
instance, the per-arch or per-module cflags will be appended to the
base cflags. This may cause old json files do duplicate cflags in
some cases. Normally compiler flags are repeatable without problems
though, so it is unlikely to cause problems.

Here are a short summary of the rest of the flatpak-builder changes:

 * The build cache was changed so that it is not invalidated if
   the installed version of the SDK changed. This means that the app
   will not rebuilt if you updated the SDK. This is generally the right
   thing to do, as SDKs are meant to be compatible.  If you want
   to avoid this (for instance when building against an unstable sdk)
   you can use the --rebuild-on-sdk-change argument.
 * The build cache is now per-arch, so building on one arch doesn't
   invalidate the cache for another arch.
 * New buildsystem "cmake-ninja" which works like "cmake", but builds
   using ninja, rather than make.
 * New buildsystem "simple" which doesn't use configure or make, it
   just runs a set of shell commands specified in the "build-commands"
   property. Note: build-commands is also available to other buildsystems
   and are run between make and make install.
 * flatpak-builder now has build-runtime and build-extension properties that
   makes it easier to build runtimes and extensions.
 * FLATPAK_DEST is set in the build environment to the installation
   destination (i.e. typically /app). It is particularly useful when
   building an extension where the destination is more complex.
 * flatpak-builder now supports --from-git=URL which pulls the
   json manifest and related files directly from a git repo.
 * modules have a new no-make-install property which skips
   the make install step.
 * Modules and sources have only-arches and skip-arches properties,
   which lets you enable/disable them based on the build architecture.
 * build-options has a new property ldflags, which is similar
   to cflags and cxxflags.
 * flatpak build (and thus flatpak-builder --run) now supports
    dbus proxies when needed.
 * All git repos are cloned with fsckObjects=true, which means
   we verify that the repos are valid.
 * New flatpak-builder argument --build-shell=MODULE extracts and
   prepares the sources for a specified module and then starts
   a build sandbox inside it.

There are also some other changes:

 * build-export: Now supports --timestamp=ISO-8601-TIMESTAMP, which
   allows you to create reproducible commits.
 * The OCI support has been updated to the latest version of the
   OCI image specification format.
 * There is a new flatpak-bisect script that can be used to bisect
   flatpak applications, looking for regressions.
 * flatpak list got a revamp. It now shows more information, and
   shows both apps and runtimes by default.
 * flatpak remote-list was renamed flatpak remotes in order
   to minimize confusion with flatpak remote-ls. The old name
   is deprecated but still works.

Major changes in 0.8.4
======================

In addition to the regular list of bugfixes this stable release
include backports of one more feature required for making OpenGL work
well. Now extra-data using extensions (such as the nvidia driver) can
specify that it doesn't need a runtime to run its apply script. We use
this in the nvidia driver by making the script a static binary, which
lets us use the nvidia driver for multiple runtimes without requering
that a particular one is installed. We also support an extension point
supporting multiple versions, which will be use for sharing the
nvidia driver between different runtime versions.

Additional fixes:
 * Documentation fixes
 * Crash fixes
 * Fix xauth propagation in some cases
 * Don't remove origin remotes on uninstall if some other app
   is installed from it.
 * Don't reset what locales are installed when updating a locale
   extension
 * Disable splice for the documentation portal as it seems
   to be broken in fuse
 * Append, don't override XDG_DATA_DIRS in profile script
 * Fix progress reporting in libflatpak to go from 0 to
   100% once, merging the various phases.

Major changes in 0.8.3
======================

In addition to the regular list of bugfixes this stable release
include backports of a the updated OpenGL support from master.  This,
in combination with the work in the runtime allows flatpak to work out
of the box with out-of-tree OpenGL drivers, including the nvidia
driver.

Additionally, due to some complicated issues wrt ptrace and user
namespaces this version disables the use of user namespaces if
bubblewrap is setuid, as it cause problems for the way flatpak
portals identifies applications. (See issue #557 for details)

 * Better handling of errors for extra-data
 * Handle extra-data properly for runtimes (as well as apps)
 * Respect required version for runtimes (as well as apps)
 * flatpak list: Don't break if some local ref is not deployed
 * builder: Look for appstream data in /app/share/metadata also
 * builder: Fix buildsystem=cmake builds
 * Add progress reporting to extra-data download
 * Fix uid/gid for directories in document portal

Major changes in 0.8.2
======================

This is a bugfix and security update.

Some of the bind-mounts that flatpak sets up were not read-only as
they should have. This includes: extensions, system fonts,
resolv.conf, localtime and machine-id. Many of thse are typically only
writable by root, but some, like the user-specific fonts and
user-installed extensions could be modified from the sandbox.

Everyone using 0.8.x is recommended to update to this version.

Other fixes:

 * There are new configure options for where to install dbus configuration
 * Broken symlinks in the root directory no longer break flatpak run
 * flatpak run with HOME in /var now works
 * dri access now also handles mali devices
 * install handles --arch when installing flatpakrefs
 * system-helper activation fixed on systemd-less setups
 * dbus-proxy now works without /run
 * During installation, failing to update a dependency is now not
   fatal.
 * /etc is now fully writable when building runtimes
 * --filesystem=xdg-config/foo now sets up the bind-mount from the host dir
   even when not using :create.

Major changes in 0.8.1
======================

This is a bugfix and security update (CVE-2017-5226).

Flatpak now uses seccomp to disallow the TIOCSTI ioctl in the sandbox,
which works around the possibility to inject text on the controlling
tty (CVE-2017-5226).

This was previously fixed in bubblewrap in 0.1.6, but that change has
now been reverted as it introduced other problems for flatpak.

 * Update bundled bubblewrap to 0.1.7
 * Fix writing new file with O_EXCL in the document portal.
 * Allow appstream data that doesn't have .desktop in the component id,
   such as data for runtimes.
 * Drop json-glib dependency from 1.2 to 1.0
 * Builder: Fail if unable to read included file
 * OCI: Ensure exported layers are readable by everyone
 * Fix extra-data download in gnome-software
 * Fix update-mime-database trigger when installing via
   the system helper.
 * Updating an app by installing a newer bundle now works
   again.
 * Make /var/tmp not be on a tmpfs (it is now in
   ~/.var/app/$appid/cache/tmp).
 * Documentation / translation updates

Major changes in 0.8.0
======================

This is the first release in a new series of stable releases called
0.8.x. New features will be added to 0.9.x, and only bugfixes will be
backported to 0.8.x. The featureset of this release is a good base to
target if you're creating flatpaks that should be widely usable.

This release technically requires only OSTree 2016.14, and it build
fine with this, but we recommend using OSTree 2016.15, because of the
change in how it verifies the checksums of commits in delta files.

 * Flatpakrepo files now support a RuntimeRepo= key which points to
   a flatpakrepo file. This means the user don't have to manually
   configure a remote for the runtime, just reply to the prompt
   to automatically do this when installing the app.
 * We now support dependencies when installing bundles. This includes
   required runtimes, related refs, and the equivalent of RuntimeRepo.
 * The support for OCI in flatpak has been updated to the latest
   OCI spec version, and support has been added to directly install
   flatpak applications from an OCI image.
 * In flatpak install, the --from and --bundle options are now optional
   if the argument has the correct suffix (.flatpakref and .flatpak)
 * Flatpak install now supports -y to let you avoid interactive prompts.
 * build-finish: We now export mime type files with the right name.
 * build-finish: New --require-version option let you specify a particular
   version of flatpak, and older version of flatpak will not install
   or update to the new version.
 * build-sign: Allow signing all apps by omitting the id.
 * Fix regression in the document portal when adding named files.
 * build-import-bundle now signs the commit if you specify a gpg key.
 * Flatpak now reads configuration from /etc/flatpak/installations.d
   which lets you support multiple system-level installation paths.
   These can be accessed with new --installation=... arguments to
   most of the commands.
 * flatpak-builder: Support --jobs=N to limit parallel builds
 * flatpak-builder: Patch source got new options property that lets
   you pass arguments to patch.
 * flatpak-builder: New generic "buildsystem: type" option that
   replace the (now deprecated) "cmake: true" option. This
   supports "autotools", "cmake" and "meson".

Major changes in 0.6.14
=======================
 * Update bundled bubblewrap to 0.1.4 which has some nice bugfixes.
   If you are using an external bubblewrap it is recommended, but
   not required to update.
 * Requires OSTree 2016.14, which allows us to drop some old
   workarounds.
 * When installing an application system-wide, don't consider
   dependencies that are installed for the user only.
 * Flatpak install --from now tries to re-use existing remotes to
   avoid creating unnecessary origin remotes.
 * Using --filesystem=$dir when $dir is a symlink-to-directory now works.
 * Using --filesystem=$file to expose unix sockets to the app is now
   allowed.
 * By default all the directories in ~/.var/app (except the app), as
   well as ~/.local/share/flatpak are hidden in the sandbox.
 * New option --filesystem=$dir:create which will create the destination
   if it did not previously exist.
 * --filesystem= now supports for xdg-[config|cache|data]. This
   allows you access to the host versions of these xdg dirs. Additionally
   if you use these with a subdirectory, like:
     --filesystem=xdg-config/subdir
   then that subdirectory on the host will be shared with the per-app
   instance of the xdg-dir.
 * Builder now correctly handles app-ids that have dashes in them.
   Previously this generated invalid ids for the debuginfo and locale
   extensions.
 * The experimental OCI file format support was changed from creating an
   OCI container to creating an OCI image.
 * Fix regression where "flatpak update --appstream remotename" broke

Major changes in 0.6.13
=======================
 * The command line arguments for install/update/uninstall changed

   These used to take an application id and an optional branch name as
   two arguments. This meant you could not specify multiple apps
   to install in a single command. So, instead of having the branch
   as a separate argument we now support partial references.
   If you only specify an id we try to match the rest as best we
   can depending on what is installed/available, but if this
   matches multiple things you have to specify more details.

   For example you can use:
     * org.my.App//stable - Any compatible arch, stable branch
     * org.my.App/x86_64 - x86-64, look for available branch
     * org.my.App/x86_64/stable - exact reference

   This means install/update/uninstall can now install multiple apps
   in a single operation.

 * Application runtime depencenies are checked/downloaded

   Whenever you install or update an application we check that the
   required runtime is installed. If not, we check if it is available
   in any configured remote, and if found asks the user if/where to
   install it from. If it is not found, the install/update fails.

   You can mark remotes as --no-use-for-deps, which means flatpak will
   never search for runtime dependencies in such remotes. This makes
   the dependency search faster if you have app-only remotes.
   It is recommended that app-only .flatpakrepo file define this
   by specifying NoDeps=true.

 * remote-add and install --from now supports uris

   This means you can install flatpakrefs and flatpakrepos in a
   single command like so:

    * flatpak remote-add --from gnome https://sdk.gnome.org/gnome.flatpakrepo
    * flatpak install --from https://sdk.gnome.org/gedit.flatpakref

 * flatpak run can now launch a runtime directly

   For example, "flatpak run org.gnome.Platform//3.22" will launch a shell
   inside a sandboxy with the gnome 3.22 runtime and an empty /app.
   This is useful for development and testing.

 * included bubblewrap was bumped to 0.1.3 which has a security fix
 * Support for defining the default branch per remote
 * remote-add/modify: --update-metadata pulls current title and default branch
   from remote summary file
 * Applications can now list a set of URIs that will be downloaded with the
   application. The app can then extract these and use as a part of the
   application data. This is useful for applications using freely downloadable
   parts that can't be redistributed elsewhere.
 * flatpak-builder: Support --finish-only and --allow-missing-runtimes
 * flatpak-builder: Support app layering

   An app can define a "base" application which is used for the initial
   content before the application is built. This way applications can
   be built in a layered fashion.

 * dbus proxy: The filtering has been tightened up
 * build-finish: Now exports icons for themes other than hicolor too
 * There is support in the app metadata for generic policies.

   These are read and propagated and supports overriding, but are
   not otherwise interpreted by flatpak. They can be used by other
   host services as static permissions for the application.

 * Support for extensions directories

   In addition to using flatpak maintained runtime as an extensions
   flatpak can now use raw directories in ~/.local/share/flatpak/extension
   and /var/lib/flatpak/extension. For example, if you create a
   directory called org.freedesktop.Platform.GStreamer.MyPlugins/x86_64/1.4
   there it will be used as a source for gstreamer plugins for all
   runtimes based on the freedesktop 1.4 runtime.

Major changes in 0.6.12
=======================
 * Partial revert in application id rules. Application ids
   can now only have dashes in the last element. This allows
   apps to export files such as org.my.App-extra.desktop which
   was used by the libreoffice builds.
 * By default the kernel keyring is not accessible, as it is
   not containable.
 * Some robustness fixes for build-commit-from
 * Better error messages
 * flatpak update --appstream now updates for all remotes
 * Made flatpak enter work, and you can now use any pid in the sandbox.
   However, it requires root permissions.
 * Support for --device=kvm for /dev/kvm access
 * Support for --allow=multiarch to support non-primary arch support.
   For example running i686 code in an x86_64 app.
 * Add new default-branch setting for the remote configuration

Major changes in 0.6.11
=======================

 * Dashes are now allowed in application ids. However, to still work  with
   symbolic icon names, they may not end with "-symbolic".
 * HostCommand now handles ptys correctly
 * Various documentation updates
 * New FLATPAK_CHECK_VERSION macro in libflatpak
 * HostCommand now returns the real PID rather than a fake one.
 * Fix regression in flatpak update --appstream
 * Fix regression installing bundles without origin urls
 * New flatpak-builder option --show-deps lists all the files
   the manifest depends on.

Major changes in 0.6.10
=======================

 * Dropped requirement for systemd --user.
   The way we detect if an process we're talking to is sandboxed, and
   what application id it has doesn't use cgroups anymore, which means
   that the dependency on systemd in the user session is now optional.
   This also means the --no-desktop argument is not needed any more.
   (It is still accepted but does nothing.)
 * Initial support has been added for .flatpakref files. These are simple key
   value files similar to .flatpakrepo files, however they specify an application
   to install in addition to the repo information. For example, gedit can be
   installed by downloading https://sdk.gnome.org/gedit.flatpakref and running:
     flatpak install --from gedit.flatpakref
   There is also library support for this so it can be added to graphical
   installers (such as gnome-software).
 * Requires OSTree 2016.10. The change in how OSTree handles mtimes in
   checkouts that was introduced in 2016.7 has been reverted, and
   the required changes in Flatpak has been made. This means that
   flatpak now depends on OSTree 2016.10.
 * Requires Bubblewrap 0.1.2 for builds using the system bubblewrap.
   Builds using the included copy need no changes.
 * The $XDG_RUNTIME_DIR/flatpak-info file has added information
   about the running application, and is now also securely available
   for a running application from the host as "/proc/$fd/root/.flatpak-info".
   This is what is used to identify remote apps instead of the cgroup
   info.
 * A new run permission --allow=devel has been added. An application with
   this permission is allowed to use ptrace and perf. This was previously
   only available during "flatpak build" and "flatpak run -d". This
   is useful if you're packaging e.g. an IDE.
 * When an application is updated or removed a /app/.updated or /app/.removed
   file is created for running instances. This can be used by applications to
   trigger e.g. a restart for the new version.
 * A new dbus request "HostCommand" has been added to org.freedesktop.Flatpak.
   This lets you run any command on the host, and is therefore clearly not
   sandboxed, so access to this should be limited. However, it is very useful
   if you're using flatpak mainly as a distribution mechanism, for a non-sandboxed
   application.
 * flatpak-builder now supports running from inside a flatpak, by auto-detecting
   this and using the HostCommand service to run recursive flatpaks.
 * Consecutive calls to flatpak build-update-repo has been speed up.
 * The document portal now allows sandboxed applications to create references
   to files in /app and /usr (in the app/runtime).
 * The update process noew doesn't stop at the first failure.

Major changes in 0.6.9
======================

 * Dropped dependency on libgsystem
 * Allow passing partial refs whenever a CLI command takes
   an app or runtime name.
 * New command build-commit-from creates a new commit based
   on the contents of another commit (optionally from another
   local repo).
 * The sandbox now contains $XDG_RUNTIME_DIR/app/$APPID from the
   host (and the directory is created if needed).
 * update: Better output, and faster for the no updates case
 * build-export: Don't make most validation errors fail, instead
   just print a warning.
 * builder: Support local path references for git sources
 * builder: Better handling of recursive git submodules
 * builder: Fixed issues with the .pyc mtime rewriting
 * builder: Handle symbolic icons for rename-icon
 * builder: Add --stop-at=$module to do partial builds
 * builder: Add --sandbox flag to disable the build from escaping
   from the sandbox via build-args.

Major changes in 0.6.8
======================

 * Requires OSTree 2016.7, allowing us to enable use of static delta
   for system downloads again.
 * Support --no-desktop which allows you to run a flatpak app outside
   a desktop, with some loss of functionality (for example, there
   will be no systemd --user scope created for the app)..
 * More documentation.
 * Memory leak fixes.
 * Initial support for rpms as flatpak-builder archive sources.
 * Start work on translating the CLI.
 * Install systemd config snippet to set the right XDG_DATA_DIRS path.
 * Support --arch in flatpak list.
 * Support access() in the document portal.
 * Validate exported desktop files.

Major changes in 0.6.7
======================

 * Automatically download and update related references such
   as locales when using the CLI.
 * lib: Support for getting related references
 * Document metadata format
 * Support build using system-installed bwrap
 * Allow access to the journal socket in the sandbox
 * builder: Support applying patches with git (useful for binary diffs)
 * Require ostree 2016.6

Major changes in 0.6.6
======================

 * Better support for multi-arch (for instance, will automatically install
   i386-only app on x86_64 without user having to specify --arch).
 * Support --device=all to access the full host /dev
 * More command line support for managing exported documents
 * Extended API for the document portal: Lookup, Info, List
 * flatpak-builder: Support initializing /var from a runtime
   extension.
 * Disable static deltas when updating via the system helper to
   work around bug in ostree.

Major changes in 0.6.5
======================

 * Documentation improvements
 * builder: Check that the specified command exists after build is done
 * builder: Fix up mtime in headers for python precompiled files
 * builder: Allow submodules and including modules from other json files
 * system-helper builds are optional (--disable-system-helper)
 * system-helper: Support installing from local remotes and bundles
 * Improved support for --subpath installs, including libflatpak support
 * Improved command line completion

Major changes in 0.6.4
======================

 * Fix an issue where flatpak sometimes created empty "repo"
   directories in the CWD

Major changes in 0.6.3
======================

 * Fix resolv.conf regression in `flatpak build`
 * Fix LD_LIBRARY_PATH override support in `flatpak build`
 * Support forwarding app permissions in `flatpak-builder --run`
 * Flatpak is now smarter about the default branch to use in most operations
 * update will not fail on the first error if updating several things
 * New much more complete bash completion system
 * Faster installations
 * Support new keyfile format for remote-add --from=file

Major changes in 0.6.2
======================

 * Fixed no-network support regression in setuid mode.
 * Fixed creation of root-owned file in home dir when using sudo in some cases
 * New --with-privileged-group configure option

Major changes in 0.6.1
======================

 * Fixed support for systems without user namespaces (default for Arch) or
   unprivileged support for user namespaces (default for Debian).
 * Fix memory leak during install/update.
 * update: Fix support for --arch.
 * Set the right location for the system directory in the environment.
 * system-helper: Support updating without deploying (needed for
   gnome-software support).
 * lib: Fix support for updates

Major changes in 0.6.0
======================

Renamed from xdg-app to Flatpak.  Existing repositories should keep
working, and locally user installed apps/runtime will be migrated
automatically. However, there are some things that you have to be
aware of:
 * The command names are now flatpak/flatpak-builder
 * System-wide installed apps/runtimes need to be reinstalled
 * flatpak-builder uses a ".flatpak-builder" subdirectory instead
   of ".xdg-app-builder".
 * The bus name and interface name for the permission
   store is changed, it was in org.freedesktop.XdgApp, but is
   now in org.freedesktop.impl.portal.DesktopPortal.
 * The installation migration is a one-time operation so you can't
   go back to xdg-app after updating.
 * The library API (and name) changed due to the rename.

Other changes:
 * Flatpak now hard-requires ostree 2016.5
 * Switch from using xdg-app-helper to an included version of bubblewrap:
   https://github.com/projectatomic/bubblewrap
 * Added a policykit-based system helper that allows you to authenticate
   via polkit to install into the system repository.
 * Added an experimental command to export/import applications and runtimes
   as an OCI tarball.
 * builder: Fix creation of locale extensions if there was no locale data in the
   build.
 * It is now possible to disable/enable configured remotes.
 * A lot of new tests where added, and we now support installed tests.
 * builder now has an optional --arch argument for multiarch building.
 * Builder modules can be disabled with "disabled": true.
 * Using --filesystem=/tmp now hides the system X11 sockets.


Major changes in 0.5.2
======================

* The way locale extensions work has changed. Now we build a single extension
  for all locales, but we allow you to specify a subset of it during installation
  and update time using the --subpath commandline flag.
  The main reason for this is that the many extensions didn't scale, both in
  technical terms (large ostree summary file size), but also in terms of the
  UI listing hundreds of uninteresting things.
* We no longer use sizes in the commit objects to get installed and download size,
  instead we store some extra metadata in the summary file. This allows us
  to get much faster access to these, as with recent ostree versions we can
  cache the summary file.
* New command xdg-app build-sign that lets you sign a commit at any time.
* New argument xdg-app build --force-clean that removes pre-existing build dirs.
* xdg-app run now uses the "current" version as the default if you specify no
  branch or arch. It used to default to the "master" branch. This will default
  to the last installed version, but can be changed with xdg-app make-current.
* Added config-opts to the build-options in xdg-app-builder. This allows you
  to extend the configure flags in an arch dependent way.
* Documentation updates

Major changes in 0.5.1
=======================
* Make xdg-app-builder --build-only not export the results
* Create all-in-one Locale extension that combines all the locale extensions
* Extract icons for all appdata nodes when creating appstream
* Documentation updates
* Better handling of metadata in xdg-app-builder cache
* Respect the specified branch when exporting in xdg-app-builder
* Fix support for multi-arch with i386 userspace and 64bit kernel
* Avoid deprecated 32bit capabilities syscalls

Major changes in 0.5.0
=======================
* Some libxdg-app API additions for handling bundles
* Default to /bin/sh as user shell in sandbox
* Fix detection of which apps are in use during uninstall
* New implementation of fuse filesystem for document portal.
  It is now cleaner and works on 32bit.
* Honor the noenumerate flag on remotes in CLI and libxdg-app.
* Add change notification for permissions store
* Require signed summaries for gpg-signed remotes
* Fix summary signatures of deltas in xdg-app build-update.

Major changes in 0.4.13
=======================
* Fix misgeneration of appdata xml in some cases
* Various improvements to bundles, and support in libxdgapp
* Add sources to Debug extensions created by xdg-app-builder
* Allow specifying subdirs of xdg-* dirs, for instance:
   --filesystem=xdg-download/some-dir
* Add support for --filesystem=xdg-run/subdir which means
  XDG_RUNTIME_DIR dir, rather than xdg-user-dirs.
* Add --generate-static-deltas option to build-update-repo.

Major changes in 0.4.12
=======================
* Fix crashes.
* Update exports when removing apps.
* Remove appstream and repo refs when removing a remote.
* Add some build options to make libxdg-app usable inside a sandbox.
* xdg-app-builder builds are now in the .xdg-app-builder/build subdir.
* Make system repo bare-user to avoid creating any setuid binaries.
* Add xdg-app-builder --run operation that runs a command with the
  build environment set up.
* Support creating locale extensions with xdg-app-builder.
* Add support for tags to metadata.
* Put runtime info and tags in the appstream data

Major changes in 0.4.11
=======================
* Fix assertion when installing runtime

Major changes in 0.4.10
=======================
* App desktop files and icons were not being exported to the desktop

Major changes in 0.4.9
======================
* Fix crash at end of runtime install.
* xdg-app-builder has a new source type "shell" which lets you run arbitrary
  shell commands.
* Allow apps with writable homedir access to modify the xdg-app repos.
* New xdg-app info command gives you status of an installed app or runtime.
* The xdg-app-builder cache now contains the sdk commit id, so that a new
  version of the sdk invalidates the cache.
* Fixed a regression in the xdg-app install-app backwards compatibility
  handling.
* xdg-app now gives the application access to the deployment path, which can
  be used to give host-side services access to app files (such as help
  documents).
* build-export no longer exports appstream files, and when generating appstream
  files we don't need them to be.
* The default architecture tag used by xdg-app is now made canonical when needed
  (i.e. on arm/x86/mips).

Major changes in 0.4.8
======================
* Changed global installation directory to /var/lib/xdg-app (not /var/xdg-app).
* Add support for a dbus filtering on the system bus.
* Choosing user namespaces or setuid is now a runtime option, not build time.
* Fix xml-escaping in the appstream generation.
* Various build fixes.
* Added some more documentation for the library.
* Disable support for running apps on systems without a systemd user session.
* Fix uninitialized memory read in xdg-app-builder during git checkouts.
* Correctly handle disabled git submodules in xdg-app-builder
* Fix hiding of non-exported symbols in libxdgapp

Major changes in 0.4.7
======================
* Enabled build of libxdg-app by default, now the API is stable
  enough for e.g. gnome-software to use it.
* Restructured the command line interface to xdg-app, it is now
  more streamlined and easy to use. For instance, to install
  both apps or runtimes, now use "xdg-app install $name".
  The old commands still work, but are deprecated and not
  in the docs.
* xdg-app-builder has gotten a bunch of new features that
  makes it easier to build apps, and some initial work to
  make it possible to create runtimes using it
* build-export now finds and export any app-info installed by
  the app, and build-update-repo collects all such exports
  into a per-repo branch for appstream and icons.
* The client (and libs) support for locally mirroring the appstream
  branch for each remote. This allows use to create graphical appstores
  with user-readable information and icons.
* On the client side one can now specify priorities for each
  remote.

Major changes in 0.4.6
======================
* Added an initial version of libxdg-app, a highlevel library
  intended to be used by user interface frontends to xdg-app.
  It is not yet API stable, so it is disabled by default.
  Enable with --enable-libxdgapp
* Added xdg-app-builder, a separate tool that makes it easier to build
  applications with external dependencies.
* Add support for single-file bundles, which can be a useful way
  to distribute apps on e.g. a usb stick. Only works with the
  latest version of ostree.
* Always allow apps to talk to the built-in portals
* Support granting read-only access to the filesystem with e.g. --filesystem=host:ro
* Add /run/user/$uid/xdg-app-info file that contains the current permissions of the app
* Add --writable-sdk option to xdg-app build-init
* Add file locking to better handle concurrent xdg-app operations like update and install
* Various fixes

Major changes in 0.4.5
======================
* Support signing commits in build-export
* Correctly handle symlinks in host root when app has host-fs access
* Always regenerate summary after build-export
* Make uninstall a bit more robust
* Install the dbus introspection files
* Add human readable size to build-export report
* Add /dev/ptmx symlink in app
* Fix apps not getting SIGCHILD
* Only expose minimal /etc/[passwd|group] in app

Major changes in 0.4.4
======================
* Fix race condition in fuse fs
* Don't save uid/gid/xattrs in build-export
* run: Handle existing mounts with spaces in them
* propagate xauth cookies to sandbox

Major changes in 0.4.3
======================
* Build with older ostree
* Add --nofilesystem flag to e.g. xdg-app run
* Add xdg-app dump-runtime command

Major changes in 0.4.2.1
======================
* Fix dbus proxy

Major changes in 0.4.2
======================
* Fix build with older versions of glib
* Fix regression in filesystem access configuration
* Make seccomp use optional (for arches without it)
* Add xdg-app enter command to enter a running sandbox
* Fix /var/cache being readonly
* Add /var/data and /var/config shortcuts for per-app data
* Minor fixes to bash completion

Major changes in 0.4.1
======================
* Fixed a parallel build issue
* Fixed a build issue where openat() didn't get a mode passed
* Don't block ptrace and perf in debug and build runs
* Put nvidia drivers in sandbox if DRI allowed
* Support specifying a version for runtime extensions

Major changes in 0.4.0
======================
* A new permissions store was added to the dbus api.
  This can be used by portal implementations that want to store
  per-app permissions for objects.
* The document portal was added. This is a dbus api
  which you can use to create document ids and assign
  apps permissions to see these documents. The documents
  themselves are accessed via a custom fuse filesystem.
* perf and strace are now blocked via the seccomp filters
* You can now override application metadata on a system
  and per-user level, giving apps more or less access
  than what they request.
* New command modify-remote added which lets you change
  configuration of a remote after it has been added with
  add-remote.
* Support for adding trusted gpg keys on a per-remote basis
  has been added to add-remote and modify-remote.
* The repo-contents command has been renamed to ls-remote
  to better match the other commands.
* The list-remotes command can now show more information
  about the remotes.
* The bash completion implementation has been improved.

Major changes in 0.3.6
======================

* Fix a typo in the socket seccomp rules that made ipv6 not work
* Export the users fonts (~/.local/share/fonts or ~/.fonts) in the sandbox
* Fix seccomp rules to work on i386
* Make exposing xdg user dirs work right