https://github.com/flatpak/flatpak/releases/tag/1.14.1
SUMMARY: total=50; passed=38; skipped=0; failed=12; user=1229.5s; system=929.6s; maxrss=441956
FAIL: flatpak/test-bundle@system.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-bundle@user.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-prune.sh.test (Child process exited with code 1)
FAIL: flatpak/test-run@system,nodeltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-bundle@system-norevokefs.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system-norevokefs,nodeltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system-norevokefs,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@user,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-history.sh.test (Child process exited with code 1)
FAIL: flatpak/test-seccomp.sh.test (Child process exited with code 1)
FAIL: flatpak/test-run@user,nodeltas.wrap.test (Child process exited with code 1)
Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.
When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.
Also introduce a test for the icon validator to prevent future breakage.
Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
Chromium Flatpak package uses flatpak-spawn command for sandboxing
the child processes. The command comes from flatpak-xdg-utils, which is
presumably included in Flatpak runtimes. The command then calls Spawn
method of the portal.
The portal supports running commands in a clear environment when passed
FLATPAK_SPAWN_FLAGS_CLEAR_ENV flag. Unfortunately, that also clears PATH,
which is probably what prevents `flatpak` command itself from being found.
There is a relevant TODO note in the code:
https://github.com/flatpak/flatpak/blob/1.10.2/portal/flatpak-portal.c#L995-L999
For now, let’s hardcode the path to the binary.
Pantheon's sideload broke:
```
meson.build:17:0: ERROR: Could not generate cargs for flatpak:
Package ostree-1 was not found in the pkg-config search path.
Perhaps you should add the directory containing `ostree-1.pc'
to the PKG_CONFIG_PATH environment variable
Package 'ostree-1', required by 'flatpak', not found
```
https://hydra.nixos.org/build/113077888
ZHF: #80379
* Regenerated all patches for 1.4.2 and resolved
any conflicts.
* fix-test-paths.patch doesn't copy the whole locale archive
because we have C.UTF8 now.
* nixos/flatpak creates a Flatpak system helper user
Change introduced in 1.3.2.
Changes:
See https://github.com/flatpak/flatpak/releases/tag/1.3.1 through
1.4.2.
SVG support isn't built-in to GdkPixBuf, it's provided by an external
module. Therefore, GDK_PIXBUF_MODULE_FILE should be preserved in the
sandbox, otherwise `flatpak-validate-icon --sandbox` won't work on SVG
files.
GDK_PIXBUF_MODULE_FILE is often set to a nix store path not available in a app
sandbox. This can cause some apps to fail launching, simply reset this env var
when running applications.
fixes https://github.com/NixOS/nixpkgs/issues/53441
