Simon McVittie writes ("Re: stretch-pu: package flatpak, maybe want debdiff against security?"):
> Yes, this update was proposed while stretch was still in freeze,
> and I didn't want to annoy the release team with more pings if they
> were deliberately leaving it dormant until after r1. Diff against
> stretch-security attached (diffing patched tree against patched tree,
> and excluding Autotools noise, translations, HTML docs, and the patches
> that were dropped but not their effects).

Thanks. This is IMO much better. I looked at the diff and almost
everything in it is covered by your changelog entries. However:

 * document-portal/xdp-dbus.c was generated by a version of
   gdbus-codegen which seems to be only in Debian experimental. !

 * gtk-doc.make has some noise (which seems to be just whitespace
   changes but which is a bit hard to review as-is)

This is a bit odd. Are these generated files even though they are in
the source package ? Is it possible to exclude these updates somehow ?

(FTR: I have no other concerns.)

> If the release team would be willing to accept a bit more
> delta, I could also add some patches (accepted and queued to
> be released upstream in 0.8.8) to make this flatpak compatible
> with behaviour changes in buster's libostree, which would
> effectively mean a backport of 0.8.7-2 rather than 0.8.7-1. Please
> let me know whether this is desired. That would basically mean adding
> https://anonscm.debian.org/git/collab-maint/flatpak.git/diff/?id=debian/0.8.7-2&id2=debian/0.8.7-1
> to the diff.

If I were the release team I would prefer not to take that unless we
had to.

> > The only one I'm a bit wary of is this one
> >
> > + - Let KDE apps bind-mount ~/.config/kdeglobals into the sandbox:
> >
> > whose security implications I don't feel I understand. Is there any
> > more discussion of that ?
>
> tl;dr: This has no new security implications.

Jolly good.

Thanks,
Ian.