openSUSE has issued an advisory on February 8: https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html The issue was fixed upstream in 0.10.3 on January 31: https://github.com/flatpak/flatpak/releases/tag/0.10.3 Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 0.10.3
Fedora has issued an advisory for this on February 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QOYBT2233N67VDJDQVQ3EPNW4GTUXVLF/
flatpak-0.10.3-1.mga7 uploaded for Cauldron by Neal.
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6
bubblewrap-0.2.0-1.mga6, ostree-2018.1-1.mga6, flatpak-0.10.3-1.mga6, flatpak-builder-0.10.6-1.mga6, xdg-desktop-portal-0.9-1.mga6, xdg-desktop-portal-gtk-0.9-1.mga6, and appstream-glib-0.7.6-1.mga6 have been uploaded to updates_testing for this.
Advisory: ======================== Updated flatpak packages fix security vulnerability: A sandbox escape in the flatpak dbus proxy in the authentication phase (CVE-2018-6560). The flatpak has been upgraded to the latest stable version, 0.10.3, which fixes this issue. The bubblewrap, ostree, flatpak-builder, xdg-desktop-portal, xdg-desktop-portal-gtk, and appstream-glib packages have also been upgraded to support this updated. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6560 https://lists.opensuse.org/opensuse-updates/2018-02/msg00019.html ======================== Updated packages in core/updates_testing: ======================== ostree-2018.1-1.mga6 libostree1-2018.1-1.mga6 libostree-devel-2018.1-1.mga6 libostree-gir1.0-2018.1-1.mga6 ostree-grub2-2018.1-1.mga6 ostree-tests-2018.1-1.mga6 bubblewrap-0.2.0-1.mga6 appstream-util-0.7.6-1.mga6 libappstream-glib8-0.7.6-1.mga6 libappstream-builder8-0.7.6-1.mga6 libappstream-glib-gir1.0-0.7.6-1.mga6 libappstream-builder-gir1.0-0.7.6-1.mga6 libappstream-glib-devel-0.7.6-1.mga6 appstream-glib-i18n-0.7.6-1.mga6 flatpak-0.10.3-1.mga6 libflatpak-devel-0.10.3-1.mga6 libflatpak0-0.10.3-1.mga6 libflatpak-gir1.0-0.10.3-1.mga6 xdg-desktop-portal-0.9-1.mga6 xdg-desktop-portal-devel-0.9-1.mga6 flatpak-builder-0.10.6-1.mga6 xdg-desktop-portal-gtk-0.9-1.mga6 from SRPMS: bubblewrap-0.2.0-1.mga6.src.rpm ostree-2018.1-1.mga6.src.rpm flatpak-0.10.3-1.mga6.src.rpm flatpak-builder-0.10.6-1.mga6.src.rpm xdg-desktop-portal-0.9-1.mga6.src.rpm xdg-desktop-portal-gtk-0.9-1.mga6.src.rpm appstream-glib-0.7.6-1.mga6.src.rpm
CC: (none) => ngompa13Assignee: ngompa13 => qa-bugs
wikipedia mentions libreoffice, gimp, blender, pitivi and linphone does installing any of these take advantage of flatpak? Or is the testing in really building the deploy of the application?
CC: (none) => brtians1
MGA6-32 on Dell Latitude D600 No installation issues First tried to use flatpak command, but that's a bit complicated. Searching for a GUI brings me to gnome-software. Run that with strace shows that flatpak lib is called. But in the process of looking for sources for items, it finds nothing because there are no sources defined. I can click on a button to get sources, but there is an error in the journal trying yum location for the mageia repo on Belnet, but that site is now very very slow to respond and there is curl error, and subsequently gnome-software segfaults. So, I cann't see if flatpak sources get populated right now. Maybe tomorrow.
CC: (none) => herman.viaene
Today, gnome-software crashed first time while I tried it to force to find Software sources while it was still trying to list the applications. On the second run, I let it first finish its list. It came up with a correct list of installed rpms, but no availables , no updates. Making it search for software sources, just resulted in an empty list. In the trace I can see it picks up the location of the MGA repos, but at the CLI I get errors in accessing gnome sites, and that seems the end of the search. In the trace I see calls to the flatpak libs, but gnome-software never gets to the point to populatee its database. The errrors: 10:27:00:0600 As no path data for /var/cache/app-info/xmls 10:27:05:0970 Gs failed to call gs_plugin_add_installed on shell-extensions: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.Shell was not provided by any .service files 10:27:06:0008 Gs hiding category graphics featured applications: found only 0 to show, need at least 9 10:27:06:0036 Gs hiding category games featured applications: found only 0 to show, need at least 9 10:27:06:0082 Gs not handling error not-supported for action get-installed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.Shell was not provided by any .service files 10:27:06:0119 Gs failed to get featured apps: no apps to show 10:27:20:0783 Gs failed to call gs_plugin_refresh on packagekit-refresh: cancelled by user action 10:27:25:0459 Gs failed to call gs_plugin_refresh on packagekit-refresh: cancelled by user action That is the end of the road for me. @ Brian: what you found indicates that there might be flatpaks available to install LibreOffice. At least this I guess from your info.
Testing mga6 64 Flatpak is a kind of container software, sort of like docker, but oriented towards desktop applications which installs flatpaks and runs them in a self contained sandboxed environment - complete with their own libs, etc. You can add remote flatpak repositories and install flatpaks from there. There are a couple of talks on it at FOSDEM Youtube channel. Before ------ Adding the flathub remote repository $ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo Picked one of their packages to install - numptyphysics. It asks for root password to install each requirement. $ flatpak install --from https://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref Installing: io.thp.numptyphysics/x86_64/stable Required runtime for io.thp.numptyphysics/x86_64/stable (org.freedesktop.Platform/x86_64/1.6) is not installed, searching... Found in remote flathub, do you want to install it? [y/n]: y Installing: org.freedesktop.Platform/x86_64/1.6 from flathub [####################] 8 delta parts, 63 loose fetched; 133550 KiB transferred i Installing: org.freedesktop.Platform.GL.default/i386/1.6 from flathub [####################] 1 delta parts, 7 loose fetched; 54494 KiB transferred in Installing: org.freedesktop.Platform.GL.default/x86_64/1.6 from flathub [####################] 1 delta parts, 7 loose fetched; 47837 KiB transferred in Installing: org.freedesktop.Platform.ffmpeg/x86_64/1.6 from flathub [####################] 1 delta parts, 2 loose fetched; 2188 KiB transferred in 3 Installing: org.freedesktop.Platform.Locale/x86_64/1.6 from flathub [####################] 4 metadata, 1 content objects fetched; 14 KiB transferred Installing: io.thp.numptyphysics/x86_64/stable from flathub [####################] 1 delta parts, 1 loose fetched; 1316 KiB transferred in 2 $ flatpak list Ref Options io.thp.numptyphysics/x86_64/stable system,current org.freedesktop.Platform.GL.default/i386/1.6 system,runtime org.freedesktop.Platform.GL.default/x86_64/1.6 system,runtime org.freedesktop.Platform.ffmpeg/x86_64/1.6 system,runtime org.freedesktop.Platform/x86_64/1.6 system,runtime $ flatpak run io.thp.numptyphysics It opens as a normal application on the desktop. Played NumptyPhysics, which is quite fun. After ----- $ flatpak remotes Name Options flathub system $ flatpak remote-ls flathub Ref ca._0ldsk00l.Nestopia ca.desrt.dconf-editor ch.x29a.playitslowly com.albiononline.AlbionOnline ...etc Played NumptyPhysics aain. $ flatpak run io.thp.numptyphysics Updated stuff $ flatpak update io.thp.numptyphysics Looking for updates... Installing: org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6 from flathub [####################] 1 delta parts, 2 loose fetched; 2623 KiB transferred in 2 Updating: org.freedesktop.Platform.Locale/x86_64/1.6 from flathub [####################] 4 delta parts, 120 loose fetched; 90180 KiB transferred i Now at ab59ec512ad7. Removed NumptyPhysics :( $ flatpak uninstall io.thp.numptyphysics Uninstalling: io.thp.numptyphysics/x86_64/stable Didn't attempt to build a flatpak, which is rather more advanced. Checked appstream (gnome software/plasma discover) with simple of appstream-util and using gnome-software to view available packages. # appstream-util search flatpak [00060] system/package/mageia-x86_64/addon/org.gnome.Software.Plugin.Flatpak/* [00010] system/package/mageia-x86_64/desktop/org.gnome.Builder.desktop/*
Whiteboard: (none) => mga6-64-okKeywords: (none) => has_procedure
MGA6-32 on Dell Latitude D600 Mate Replicated Claire's installation actions as above with the difference that I did all actions as root. All seems OK until I try to run the program as a normal user: The first time I get: $ flatpak run io.thp.numptyphysics [ 0ms] [Os.cpp:176] Created dir /home/tester6/.var/app/io.thp.numptyphysics/data/numptyphysics Failed to link shader: � H� H After doing the update action as root (did not bring in anything) $ flatpak run io.thp.numptyphysics (process:18848): flatpak-WARNING **: Error writing credentials to socket: Error sending message: Broken pipe Failed to link shader: � H� H I wonder if installing as root is inappropriate here. Will do some googling.
(In reply to Herman Viaene from comment #9) > MGA6-32 on Dell Latitude D600 Mate > Replicated Claire's installation actions as above with the difference that I > did all actions as root. > All seems OK until I try to run the program as a normal user: > The first time I get: > $ flatpak run io.thp.numptyphysics > [ 0ms] [Os.cpp:176] Created dir > /home/tester6/.var/app/io.thp.numptyphysics/data/numptyphysics > Failed to link shader: � > H� > H > After doing the update action as root (did not bring in anything) > $ flatpak run io.thp.numptyphysics > > (process:18848): flatpak-WARNING **: Error writing credentials to socket: > Error sending message: Broken pipe > Failed to link shader: � > H� > H > I wonder if installing as root is inappropriate here. Will do some googling. I'm not sure if flatpak is intended to be used as a system-wide software installation mechanism. It does also attempt to leverage the polkit session interface, which doesn't work through sudo or su logins (which covers most people's ways of accessing root).
Advisory uploaded. Validating. Please push to 6 updates. Thanks
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0143.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED