It is recommended to update as soon as possible

Jan 30, 2017 01:47 GMT

Flatpak developer Alex Larsson has announced the release of the second bugfix and security update to the Flatpak 0.8 stable series. Flatpak, formerly XDG-App, is an open-source project that provides a Linux application sandboxing and distribution framework.

Flatpak 0.8.2 is a security fix release that should be installed immediately, as it addresses a critical bug where several of the bind-mounts the framework sets up could have been modified. These include system fonts, extensions, machine-id, localtime, and resolv.conf.

"Some of the bind-mounts that flatpak sets up were not read-only as they should have. This includes: extensions, system fonts, resolv.conf, localtime, and machine-id. Many of these are typically only writable by root, but some, like the user-specific fonts and user-installed extensions could be modified from the sandbox," said Alex Larsson.
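One way to check for the condition described above, as an added example that is not Flatpak's own code: parse `/proc/self/mountinfo` from inside the sandbox and list the watched mounts that are not read-only. The watched paths and the sample mountinfo lines are assumptions constructed for illustration; adjust the paths to where your runtime actually places these mounts.

```python
import re

# Assumed sandbox locations of the mounts named in the announcement.
WATCHED = ("/run/host/fonts", "/run/host/user-fonts",
           "/etc/resolv.conf", "/etc/localtime", "/etc/machine-id")

# Constructed sample input in /proc/<pid>/mountinfo format.
SAMPLE = """\
100 90 8:1 /usr/share/fonts /run/host/fonts rw,nosuid,nodev,relatime - ext4 /dev/sda1 rw
101 90 8:1 /home/u/.local/share/fonts /run/host/user-fonts ro,nosuid,nodev - ext4 /dev/sda1 rw
102 90 8:1 /etc/resolv.conf /etc/resolv.conf rw,relatime master:1 - ext4 /dev/sda1 rw
103 90 8:1 /etc/machine-id /etc/machine-id ro,relatime - ext4 /dev/sda1 rw
104 90 0:40 / /tmp rw,nosuid - tmpfs tmpfs rw
"""

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_point, read_only) for each well-formed mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        try:
            # Optional fields end at the first "-" at or after index 6.
            sep = fields.index("-", 6)
        except ValueError:
            continue  # malformed or truncated line
        if len(fields) < sep + 4:
            continue
        mount_opts = fields[5].split(",")       # per-mount flags (bind mounts)
        super_opts = fields[sep + 3].split(",")  # superblock flags
        # Writes fail if either the mount or the filesystem is read-only.
        yield _unescape(fields[4]), "ro" in mount_opts or "ro" in super_opts

def writable_watched(text, watched=WATCHED):
    """Return watched mount points (or mounts beneath them) that are writable."""
    hits = []
    for mount_point, read_only in parse_mountinfo(text):
        covered = any(mount_point == w or mount_point.startswith(w + "/")
                      for w in watched)
        if covered and not read_only:
            hits.append(mount_point)
    return sorted(hits)

if __name__ == "__main__":
    print("sample:", writable_watched(SAMPLE))
    with open("/proc/self/mountinfo") as fh:
        print("live:", writable_watched(fh.read()))
```

An empty list means every watched mount that is present is read-only; paths that are not mounted at all are simply not reported.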

DRI access can now handle Mali devices

Flatpak 0.8.2 comes about 11 days after the first maintenance update in the series, so it's not a major release as it only fixes some bugs and adds various small improvements. For example, a few new configuration options have been added to allow developers who want to package their apps as Flatpaks to choose where to install D-Bus configs.

Furthermore, it looks like DRI access was improved to also handle Mali devices, the installation can now support the "--arch" command-line argument when installing flatpakrefs, it's possible to run a Flatpak with HOME in the /var directory, and the dbus-proxy command can run without /run.

Other than that, Flatpak 0.8.2 updates the "--filesystem=xdg-config/foo" argument to also set up a bind-mount from the host directory even when the ":create" option is not used, activation of the system-helper now works on systems without systemd, and the /etc directory was made fully writable when building your runtimes.

Some broken symlinks in the root directory have been fixed as well in Flatpak 0.8.2, which means that the "flatpak run" command should work flawlessly now. Also, a failure to update dependencies during installation is no longer considered fatal. OS vendors are urged to update to Flatpak 0.8.2 at their earliest convenience!