Notably fwupd, pipewire and flatpak.
I want to focus on GNOME and other packages I still actually use.
Pipewire is still important but I have not touched the packaging in a while.
checkInputs used to be added to nativeBuildInputs. Now we have
nativeCheckInputs to do that instead. Doing this treewide change allows
us to keep hashes identical to before the introduction of
nativeCheckInputs.
https://github.com/flatpak/flatpak/releases/tag/1.14.1
SUMMARY: total=50; passed=38; skipped=0; failed=12; user=1229.5s; system=929.6s; maxrss=441956
FAIL: flatpak/test-bundle@system.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-bundle@user.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-prune.sh.test (Child process exited with code 1)
FAIL: flatpak/test-run@system,nodeltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-bundle@system-norevokefs.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system-norevokefs,nodeltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system-norevokefs,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@user,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-run@system,deltas.wrap.test (Child process exited with code 1)
FAIL: flatpak/test-history.sh.test (Child process exited with code 1)
FAIL: flatpak/test-seccomp.sh.test (Child process exited with code 1)
FAIL: flatpak/test-run@user,nodeltas.wrap.test (Child process exited with code 1)
Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.
When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.
Also introduce a test for the icon validator to prevent future breakage.
Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
The Chromium Flatpak package uses the flatpak-spawn command for sandboxing
the child processes. The command comes from flatpak-xdg-utils, which is
presumably included in Flatpak runtimes. The command then calls the Spawn
method of the portal.
The portal supports running commands in a clear environment when passed the
FLATPAK_SPAWN_FLAGS_CLEAR_ENV flag. Unfortunately, that also clears PATH,
which is probably what prevents the `flatpak` command itself from being found.
There is a relevant TODO note in the code:
https://github.com/flatpak/flatpak/blob/1.10.2/portal/flatpak-portal.c#L995-L999
For now, let’s hardcode the path to the binary.
Pantheon's sideload broke:
```
meson.build:17:0: ERROR: Could not generate cargs for flatpak:
Package ostree-1 was not found in the pkg-config search path.
Perhaps you should add the directory containing `ostree-1.pc'
to the PKG_CONFIG_PATH environment variable
Package 'ostree-1', required by 'flatpak', not found
```
https://hydra.nixos.org/build/113077888
ZHF: #80379
* Regenerated all patches for 1.4.2 and resolved
  any conflicts.
* fix-test-paths.patch doesn't copy the whole locale archive
  because we have C.UTF8 now.
* nixos/flatpak creates a Flatpak system helper user
  Change introduced in 1.3.2.
Changes:
See https://github.com/flatpak/flatpak/releases/tag/1.3.1 through
1.4.2.
SVG support isn't built-in to GdkPixBuf, it's provided by an external
module. Therefore, GDK_PIXBUF_MODULE_FILE should be preserved in the
sandbox, otherwise `flatpak-validate-icon --sandbox` won't work on SVG
files.
GDK_PIXBUF_MODULE_FILE is often set to a nix store path not available in an app
sandbox. This can cause some apps to fail launching; simply reset this env var
when running applications.
fixes https://github.com/NixOS/nixpkgs/issues/53441