2017.7
The most notable thing for this release is that for flatpak users/distributors,
this release adds a lot of (opt-in) hardening against setuid or world-writable
files. These issues are also (to a lesser degree) applicable to ostree-based
build systems which use the bare-user repository mode. A pending flatpak
version will require this version of libostree. More information in:
flatpak/flatpak#845

For ostree-as-host, we fixed a major regression in SELinux labeling for /etc
(only applies to SELinux-using host systems).

Known issue: test-symbols.sh will fail when building from the tarball (as
opposed to a git clone). Pending fix: #944

Besides that, there are various smaller cleanups and fixes. It's great to see
contributors from a variety of organizations; having libostree be a shared
infrastructure layer across distributions is a longstanding vision. Thanks to
all contributors!

Alexander Larsson (5):
      fetcher: Send Accept-Encoding: gzip when downloading summary
      repo: After renaming in all loose objects, ensure metadata is stable
      lib/repo: Always look in staging directory for objects
      pull: When mirroring, only replace summary if we're doing a full mirror
      static delta apply: Work on bare-user-only repos

Anton Gerasimov (1):
      lib/sysroot: Add API to get pending/rollback for given stateroot

Brian C. Lane (1):
      Remove the OSTREE_MAX_RECURSION limit on metadata depth

Colin Walters (51):
      tests/test-symbols.sh: Fix with --enable-experimental-api
      ci: Add unit case for --enable-experimental-api
      tests/libtest-core: Copy rpm-ostree changes, clean up
      bin/cookies: Delete dead tmpfile code in cookie list command
      Add stub for new libglnx tmpfile API, port simpler callers to it
      lib/deploy: Port config merge logic to new code style
      tests: Add some C tests for object writing
      pull-test: Add some 404 tests
      lib/fsutil: Delete unused GFile ioctl method
      lib/fsutil: Port to new code style
      lib: Add an "is_system" member to OstreeRepo
      lib/sysroot: Add non-failable ostree_sysroot_repo()
      tree-wide: Add+run spatch to use glnx_throw()
      cmd: Use autoptr for GKeyFile
      lib/util: Some style conversion
      Add a notion of "physical" sysroot, use for remote writing
      repo/commit: Dedup metadata writing API implementations
      repo/commit: Dedup content writing API implementation
      repo/commit: In the expected checksum case, check existence early
      repo/commit: Don't renormalize trusted metadata
      repo/commit: Split up metadata/content commit paths
      lib/repo: Delete unused private prototypes
      Revert "Add a notion of "physical" sysroot, use for remote writing"
      Don't install trivial-httpd man page if not enabled
      Canonicalize bare-user-only perms with 0755 mask
      builtins/cat: Port to new code style
      lib/repofile: Port mostly to new code style
      lib/repofile: Follow symlinks for `g_file_read()`
      lib/repo: For bare-user, mask content object modes with 0775
      tests: Add a test for bare-user-only failing to commit suid content
      repo/commit: Support group-writable files for bare-user-only
      ci: Update to match current rpm-ostree
      ci: Add CentOS 7 build
      repo: Fix leak of superblock fds when generating summary
      lib/commit: Port final object writing function to new code style
      lib/commit: Drop some conditionals/clarify code in content path
      lib/checkout: Ignore world-writable dirs for bare-user-only checkout
      lib/repo: Refactor object copy import function
      lib/repo: Skip import via hardlink if repo owners don't match
      lib/repo: Import metadata via hardlink even for distinct repo modes
      lib/repo: Support hardlink conversions from bare-user to bu-only
      lib/pull: Add OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_FILES
      lib/checkout: Add bareuseronly_dirs option
      build-sys: post-release version bump
      lib/sysroot: Add some g_prefix_error() for ostree_sysroot_cleanup()
      lib/pull: Extend BAREUSERONLY_FILES flag to HTTP requests
      lib: Split symbol versioning into -released and -devel
      checkout: Fix SELinux policy labeling when recursing
      tests: Fix previous commit for selinux testing
      build-sys: Add "release build" flag, use for symbol versioning
      Release 2017.7

Daniel Drake (2):
      libtest: allow committing to alternative branches
      Allow commits to mark refs as EOL, replaced by others

David Shea (1):
      lib/repo: Fix annotations for out parameters

Jonathan Lebon (6):
      pull: complete detached meta fetch before scanning
      PAPR: migrate to the new name
      checkout: don't apply SELinux labeling in user mode
      checkout: also chmod in the user checkout case
      manual: document bare-user-only repo mode
      basic-test.sh: explicitly check for uncompressed objects

Krzesimir Nowak (1):
      lib/sysroot: Document the NO_CLEAN flag

Owen W. Taylor (1):
      lib/repo: Don't copy xattrs when manipulating the GPG keyring

Philip Withnall (16):
      lib/remote: Add a getter for OstreeRemote.name
      lib/remote: Add internal annotations to OstreeRemote
      lib/remote: Add arguments to internal OstreeRemote constructor
      lib/repo: Add return value to _ostree_repo_add_remote()
      lib/repo: Make ost_repo_remove_remote() available internally
      lib/remote: Fix compilation with --enable-experimental-api
      build: Use AM_TESTS_ENVIRONMENT rather than TESTS_ENVIRONMENT
      lib/repo: Reindent some code in regenerate_summary() for clarity
      lib/pull: Fix a typo in a documentation comment
      lib/pull: Simplify a for-loop initialisation
      lib/pull: Drop some trailing whitespace
      lib/pull: Fix an over-indented block
      ostree/dump: Improve formatting for well-known commit metadata keys
      lib/repo: Omit deltas from the summary file if there are none
      lib/fetcher: Add cleanup function for OstreeFetcher
      lib/pull: Fix construction of a refspec to use the correct separator

Tristan Van Berkom (1):
      ostreee-version.h.in: Added Since: version annotations
Git-EVTag-v0-SHA512: 5115bcfa837cf59ed3672f5c7717796091ce2e88eb3ecb75148d14055246529afc2206d8e02540d2f6cb0254bee4d29506b47dbd65212f5a0b14a846f1cc986e