14 DAY TRIAL // Alex Larsson from the Flatpak (formerly XDG-App) project, an open source initiative to develop a distro-agnostic Linux application sandboxing and distribution framework, announced today the release of Flatpak 0.8.5.
Some of you out there reading our regular Flatpak reports may wonder what's Flatpak 0.8.5 doing here when we already got Flatpak 0.9.1. Well, it looks like the Flatpak devs are still maintaining the stable 0.8 series of the project for various GNU/Linux distributions that did not yet move to the 0.9 branch.
Therefore, Flatpak 0.8.5 is a maintenance update fixing a bunch of issues, such as a few memory leaks and a use-after-free in the dbus-proxy. Additionally, it improves the detection of "unmaintained" system extensions, which should now work without issues, and updates the update system to no longer allow older Flatpak versions to be installed.
"Regular updates now never allow updates to an older version than what is currently installed (unless you explicitly specify an old commit id). This closes a hole where an MITM attacker can force clients to downgrade to an earlier (gpg-signed) version of the application," read the release notes on GitHub.
Flatpakref extensions now detected in URIs that end in a query string
Flatpak 0.8.5 also improves the automatic detection of --from in the "flatpak install" command to detect flatpakref extensions in URIs that end in a query string (e.g. https://git.gnome.org/browse/gnome-apps-nightly/plain/gedit.flatpakref?h=stable), and replaces the OSTree trivial-httpd component with SimpleHTTPServer for tests.
Some of the dependencies have been changed as well, and it looks like Flatpak 0.8.5 requires minimum Glib version as 2.44 and minimum Automake version as 1.13.4. Last but not least, support for the latest OSTree release has been implemented. OS integrators can now download the source tarball of Flatpak 0.8.5 from the project's GitHub page if they want to update their Flatpak infrastructure.