ostree 2017.7 incompatibility with flatpak < 0.9.6

Alexander Larsson alexl at redhat.com
Mon Jun 26 12:03:24 UTC 2017


On Mon, 2017-06-26 at 12:07 +0100, Simon McVittie wrote:
> On Mon, 26 Jun 2017 at 12:44:02 +0200, Alexander Larsson wrote:
> > I noticed recently that the change to ostree:
> > 
> > https://github.com/ostreedev/ostree/commit/73ba3eb686ef86cea1c4563303e44df87d73e6c6
> > 
> > that makes ostree mirroring not mirror the summary file when doing a
> > partial mirror broke the systemwide install (as a user) of flatpak.
> > This is fixed in 0.9.6, so anyone who updates to the latest ostree
> > should also make sure that you update to the latest flatpak.
> 
> (cc'ing Jeremy Bicha who seems to be Ubuntu's de facto Flatpak
> maintainer)
> 
> At the moment I'm still tracking Flatpak 0.8.x in Debian unstable.
> This is for two reasons: the wider its testing is, the more confident
> the stable release team can be that 0.8.x is safe for a stable-update;
> and if I ship 0.9.x, Ubuntu will pick it up and include a development
> branch in their releases, unless they specifically take steps not to.
> I'm tempted to move to 0.9.x since we're early in the ~ 2 year Debian
> release cycle, but the same cannot really be said for Ubuntu.
> 
> If I cherry-pick commits e987d92 "install: Manually save summary[.sig]
> in cache repo" and 67ffd9a "Manually copy summary for update and appdata
> too" into 0.8.x, is that expected to work correctly with ostree 2017.7?

In theory that should be enough, but I believe those changes rely on a
few earlier changes to make flatpak_dir_remote_fetch_summary() also
return the summary.sig file. I'm sure some digging would find you the
relevant commits you also need.

> What sort of time do you expect to be stabilizing 0.9.x as 0.10.0?

I'm leaving for vacation next week, so I won't be doing a lot of
flatpak work in the near future. However, my current view of flatpak
master is that it is in a pretty decent shape, and that it will turn
into 0.10 pretty soon. Maybe around GUADEC or so. In fact, I recommend
everyone to use 0.9.x on the builder side, as it has a lot of new nice
features compared to 0.8.

> How bad would it be from your point of view if Ubuntu 18.04 LTS had some
> random development version from the 0.9.x series? (Note that flatpak in
> Ubuntu is in the "universe" component, which means it is not necessarily
> supported by anyone, and in particular there have been no security
> updates there yet for CVE-2017-9780.)

It wouldn't be great if it was a completely random version. But, 18.04
is a long way out, and I'm certain we'll have 0.10 by then.


