diff --git a/flatpak-pass-token-to-flatpak-image-source-new-remote.patch b/flatpak-pass-token-to-flatpak-image-source-new-remote.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2eb9686ee21e6d1577ef200408ab085618424b1b
--- /dev/null
+++ b/flatpak-pass-token-to-flatpak-image-source-new-remote.patch
@@ -0,0 +1,104 @@
+commit f0bc60dc0b34669e64d48e723a5e84c0b90b281d
+Author: Owen W. Taylor
+Date: Wed Feb 5 12:29:43 2025 -0500
+
+ Pass token to flatpak_image_source_new_remote()
+
+ Since flatpak_image_source_new_remote() already tries to load files
+ from the registry, having a separate flatpak_image_source_set_token()
+ doesn't work - when the token is set, it's already too late to
+ be passed along with the initial requests.
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 26ec176f..3621dd3b 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -1225,12 +1225,10 @@ flatpak_remote_state_new_image_source (FlatpakRemoteState *self,
+ if (registry_uri == NULL)
+ return NULL;
+
+- image_source = flatpak_image_source_new_remote (registry_uri, oci_repository, digest, NULL, error);
++ image_source = flatpak_image_source_new_remote (registry_uri, oci_repository, digest, token, NULL, error);
+ if (image_source == NULL)
+ return NULL;
+
+- flatpak_image_source_set_token (image_source, token);
+-
+ return g_steal_pointer (&image_source);
+ }
+
+@@ -6473,6 +6471,9 @@ flatpak_dir_mirror_oci (FlatpakDir *self,
+ else
+ image_source = flatpak_remote_state_fetch_image_source (state, self, ref, opt_rev, token, cancellable, error);
+
++ if (!image_source)
++ return FALSE;
++
+ flatpak_progress_start_oci_pull (progress);
+
+ g_info ("Mirroring OCI image %s", flatpak_image_source_get_digest (image_source));
+@@ -6514,6 +6515,9 @@ flatpak_dir_pull_oci (FlatpakDir *self,
+ else
+ image_source = flatpak_remote_state_fetch_image_source (state, self, ref, opt_rev, token, cancellable, error);
+
++ if (!image_source)
++ return FALSE;
++
+ oci_digest = flatpak_image_source_get_digest (image_source);
+
+ /* Short circuit if we've already got this commit */
+diff --git a/common/flatpak-image-source-private.h b/common/flatpak-image-source-private.h
+index 597a8174..5f9604d8 100644
+--- a/common/flatpak-image-source-private.h
++++ b/common/flatpak-image-source-private.h
+@@ -45,14 +45,13 @@ FlatpakImageSource *flatpak_image_source_new_local (GFile *file,
+ FlatpakImageSource *flatpak_image_source_new_remote (const char *uri,
+ const char *oci_repository,
+ const char *digest,
++ const char *token,
+ GCancellable *cancellable,
+ GError **error);
+ FlatpakImageSource *flatpak_image_source_new_for_location (const char *location,
+ GCancellable *cancellable,
+ GError **error);
+
+-void flatpak_image_source_set_token (FlatpakImageSource *self,
+- const char *token);
+ void flatpak_image_source_set_delta_url (FlatpakImageSource *self,
+ const char *delta_url);
+
+diff --git a/common/flatpak-image-source.c b/common/flatpak-image-source.c
+index a31f1084..1fc0eeb0 100644
+--- a/common/flatpak-image-source.c
++++ b/common/flatpak-image-source.c
+@@ -180,6 +180,7 @@ FlatpakImageSource *
+ flatpak_image_source_new_remote (const char *uri,
+ const char *oci_repository,
+ const char *digest,
++ const char *token,
+ GCancellable *cancellable,
+ GError **error)
+ {
+@@ -189,6 +190,8 @@ flatpak_image_source_new_remote (const char *uri,
+ if (!registry)
+ return NULL;
+
++ flatpak_oci_registry_set_token (registry, token);
++
+ return flatpak_image_source_new (registry, oci_repository, digest, cancellable, error);
+ }
+
+@@ -327,13 +330,6 @@ flatpak_image_source_new_for_location (const char *location,
+ }
+ }
+
+-void
+-flatpak_image_source_set_token (FlatpakImageSource *self,
+- const char *token)
+-{
+- flatpak_oci_registry_set_token (self->registry, token);
+-}
+-
+ void
+ flatpak_image_source_set_delta_url (FlatpakImageSource *self,
+ const char *delta_url)
diff --git a/flatpak.spec b/flatpak.spec
index 361b01f588205eb7aa6c6f71a79620ed509ab604..6c394e9b33b479d1774c4bd809e5a6fa96fa7e3a 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global appstream_version 0.15.3 %global bubblewrap_version 0.10.0
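Review bot: In the added patch file, the new `if (!image_source) return FALSE;` guards in flatpak_dir_mirror_oci() and flatpak_dir_pull_oci() (common/flatpak-dir.c) return failure on the assumption that every NULL-returning path has already filled in `error`. The context in flatpak_remote_state_new_image_source() shows `if (registry_uri == NULL) return NULL;`, and whether a GError is set before that return lies above the hunk and is not visible; if it is not, callers now get FALSE with no message. Separately, the call order in flatpak_image_source_new_remote() is the whole fix, so I would pin it with a comment above `flatpak_oci_registry_set_token (registry, token);`, for example `/* Set the token before flatpak_image_source_new(), which already loads files from the registry. */`. The prototype in flatpak-image-source-private.h could also say whether `token` may be NULL, since the setter it replaces is gone and the parameter carries a registry credential.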
@@ -10,17 +10,18 @@ %global wayland_scanner_version 1.15 Name: flatpak -Version: 1.16.0 +Version: 1.16.0 Release: %{anolis_release}%{?dist} Summary: Application deployment framework for desktop apps License: LGPL-2.1-or-later URL: https://flatpak.org/ -Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz +Source0: https://github.com/flatpak/flatpak/releases/download/1.16.0/flatpak-1.16.0.tar.xz +Source2: flatpak.sysusers.conf # systemd-sysusers config. Only used for the %%pre macro. Must be kept in sync # with the config from upstream sources. -Source1: flatpak.sysusers.conf +Patch1: flatpak-pass-token-to-flatpak-image-source-new-remote.patch BuildRequires: pkgconfig(appstream) >= %{appstream_version} BuildRequires: pkgconfig(dconf) @@ -103,6 +104,7 @@ Summary: SELinux policy module for %{name} BuildRequires: selinux-policy BuildRequires: selinux-policy-devel BuildRequires: make +BuildRequires: pkgconfig(appstream) >= 1.0.0~ BuildArch: noarch %{?selinux_requires} @@ -253,6 +255,8 @@ fi %doc README.md NEWS %changelog +* Thu Sep 18 2025 wenyuzifang - 1.16.0-2 +- Fix authentication timing to ensure reliable pulls from private OCI registries * Tue Mar 18 2025 wangzhe - 1.16.0-1 - update to 1.16.0 - Fix CVE-2024-42472
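Review bot: In the `@@ -10,17 +10,18 @@` hunk the sysusers file is renumbered from `Source1` to `Source2`, but the comment "systemd-sysusers config. Only used for the %%pre macro..." stays in place and now sits directly above `Patch1:`, so it documents the wrong tag. Move `Source2: flatpak.sysusers.conf` below that comment, and check that any `%{SOURCE1}` reference in the scriptlets, which are outside this hunk, is changed to `%{SOURCE2}`. Whether `Patch1` is applied at all depends on the `%prep` section (`%autosetup` or `%patch`), which is not shown here. The literal `1.16.0` in `Source0` also has to be edited by hand on the next update, where the `%{version}` and `%{name}` macros it replaces followed `Version:` automatically.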
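Review bot: The added `BuildRequires: pkgconfig(appstream) >= 1.0.0~` in the `@@ -103,6 +104,7 @@` hunk lands in the SELinux policy subpackage block (hunk header `Summary: SELinux policy module for %{name}`, next to `BuildArch: noarch`) and states a different minimum from the existing `pkgconfig(appstream) >= %{appstream_version}`, where `%global appstream_version 0.15.3`. BuildRequires apply to the whole source package, so the effective minimum silently becomes 1.0.0~ while the macro still says 0.15.3. If the newer appstream is really needed, raise `appstream_version` so the spec carries one constraint; otherwise drop the line. The changelog entry for 1.16.0-2 does not mention this dependency change.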