QID 174877
QID 174877: SUSE Enterprise Linux Security Update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (SUSE-SU-2021:1094-1)
This update for flatpak, libostree, xdg-desktop-portal,
xdg-desktop-portal-gtk fixes the following issues:
libostree:
Update to version 2020.8
- Enable LTO. (bsc#1133120)
- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and
signatures, so that they do not have to be re-downloaded if not changed
in the meanwhile.
- Summaries and delta have been reworked to allow more fine-grained
fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and
32-bit architectures.
- Static deltas can now be signed to more easily support offline
verification.
- There's now support for multiple initramfs images; it is possible to
have a "main" initramfs image and a secondary one which represents local
configuration.
- The documentation is now moved to
- Fix for an assertion failure when upgrading from systems before ostree
supported devicetree.
- ostree no longer hardlinks zero sized files to avoid hitting filesystem
maximum link counts.
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic)
static analyzer fixes, a fix for the immutable bit on s390x, dropping a
deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the "readonly sysroot" changes incorrectly
left the sysroot read-only on systems that started out with a read-only `/`
(most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new ostree admin unlock `--transient`. This should be a
foundation for further support for "live" updates.
- New `ed25519` signing support, powered by `libsodium`.
- ostree commit gained a new `--base` argument, which significantly
simplifies constructing "derived" commits, particularly for systems
using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the
initramfs and be more reliable. Enabling the `readonly=true` flag in the
repo config is recommended.
- Several fixes in locking for the temporary "staging" directories OSTree
creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes
downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for "collection" pulls including a
new `--mirror` option.
- The ostree commit command learned a new `--mode-ro-executables` which
enforces `W^R` semantics on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE`
to help standardize the architecture of the OSTree commit. This could be
used on the client side for example to sanity-check that the commit
matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
+ Use `%{_prefix}/lib` where appropriate.
+ Use `_systemdgeneratordir` for the systemd-generators.
+ Define `_dracutmodulesdir` based on `dracut.pc`. Add
BuildRequires(dracut) for this to work.
xdg-desktop-portal:
Update to version 1.8.0:
- Ensure systemd rpm macros are called at install/uninstall times for
systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
  - Allow skipping the chooser for more URL types
  - Robustness fixes
- filechooser:
  - Return the current filter
  - Add a "directory" option
  - Document the "writable" option
- camera:
- [...]
Successful exploitation allows an attacker to compromise the system.
- SUSE-SU-2021:1094-1 - lists.suse.com/pipermail/sle-security-updates/2021-April/008592.html
CVEs related to QID 174877
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| SUSE-SU-2021:1094-1 | SUSE Enterprise Linux | | |