bubblewrap (0.1.7-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Mon, 27 Feb 2017 11:05:06 +0000

bubblewrap (0.1.7-1) unstable; urgency=medium

  * New upstream release
    - effectively the same as 0.1.6-2
    - drop all patches

 -- Simon McVittie <smcv@debian.org>  Thu, 19 Jan 2017 14:33:46 +0000

bubblewrap (0.1.6-2) unstable; urgency=medium

  * d/p/Make-the-call-to-setsid-optional-with-new-session.patch:
    Add patch from upstream to make the setsid() that addresses
    CVE-2017-5226 optional, because it breaks interactive shells.
    Users of bubblewrap to confine untrusted programs should either
    add --new-session to the bwrap command line, or prevent the
    TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
    - d/control: add Breaks on versions of Flatpak that did not
      load the necessary seccomp filter to prevent CVE-2017-5226
  * d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch:
    Add patch from upstream to improve example code
  * d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch,
    d/p/Install-seccomp-filter-at-the-very-end.patch:
    Add patches from upstream to re-order initialization. This means
    the seccomp filter is no longer required to account for syscalls that
    are made by bwrap itself.
  * d/p/Add-unshare-all-and-share-net.patch:
    Add patch from upstream introducing new command line options
    --unshare-all and --share-net, for a more whitelist-based approach
    to sharing namespaces with the parent.

 -- Simon McVittie <smcv@debian.org>  Wed, 18 Jan 2017 00:56:19 +0000

bubblewrap (0.1.6-1) unstable; urgency=medium

  * New upstream release
    - drop the only patch, applied upstream
  * debian/patches: update to upstream master for additional fixes
    to SIGCHLD handling and documentation, and improved hardening
    against being able to obtain capabilities
  * debian/bubblewrap.examples: install upstream examples

 -- Simon McVittie <smcv@debian.org>  Sat, 14 Jan 2017 22:18:09 +0000

bubblewrap (0.1.5-2~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Mon, 09 Jan 2017 18:19:10 +0000

bubblewrap (0.1.5-2) unstable; urgency=high

  * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
    Call setsid() before executing sandboxed code, preventing a
    sandboxed executable invoked with a controlling terminal (for
    example in Flatpak) from escalating its privileges by injecting
    keypresses into the controlling terminal with the TIOCSTI
    ioctl. (Closes: #850702; CVE-2017-5226)
  * d/control: remove Maintainer status from Laszlo Boszormenyi at his
    request. Add him to Uploaders instead, and hand the package over
    to the Utopia Maintenance Team (the same as OSTree and Flatpak).

 -- Simon McVittie <smcv@debian.org>  Mon, 09 Jan 2017 18:09:54 +0000

bubblewrap (0.1.5-1) unstable; urgency=medium

  * New upstream release
    - drop all patches, applied upstream
    - debian/copyright: update for build system additions

 -- Simon McVittie <smcv@debian.org>  Tue, 20 Dec 2016 11:25:23 +0000

bubblewrap (0.1.4-2~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Mon, 12 Dec 2016 16:12:30 +0000

bubblewrap (0.1.4-2) unstable; urgency=medium

  * d/tests/*: only run tests on a real or virtual machine, not in a
    container. bubblewrap is effectively already a container, and
    nesting containers doesn't work particularly well.
    Unfortunately this means the tests won't work on ci.debian.net,
    which uses LXC.

 -- Simon McVittie <smcv@debian.org>  Thu, 01 Dec 2016 12:42:33 +0000

bubblewrap (0.1.4-1) unstable; urgency=medium

  * New upstream release
  * d/p/test-run-be-a-bash-script.patch,
    d/p/test-run-don-t-assume-we-are-uid-1000.patch,
    d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch,
    d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch:
    improve the upstream tests
  * d/tests/upstream: run the upstream tests as autopkgtests
  * d/rules: Do not enable setuid mode at configure time. If we do, we
    can't run the build-time tests, and it no longer makes any difference
    to the actual code. Make the executable setuid via Debian packaging
    instead.

 -- Simon McVittie <smcv@debian.org>  Tue, 29 Nov 2016 12:55:31 +0000

bubblewrap (0.1.3-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Sun, 20 Nov 2016 12:24:03 +0000

bubblewrap (0.1.3-1) unstable; urgency=medium

  * New upstream release
    - bring back --set-hostname, the upstream fix for CVE-2016-8659
      makes it no longer a vulnerability

 -- Simon McVittie <smcv@debian.org>  Sun, 16 Oct 2016 14:32:11 +0100

bubblewrap (0.1.2-2~bpo8+1) jessie-backports; urgency=high

  * Rebuild for jessie-backports
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2016 22:09:36 +0100

bubblewrap (0.1.2-2) unstable; urgency=high

  * Revert addition of --set-hostname as a short-term fix for
    CVE-2016-8659 (Closes: #840605)

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2016 11:12:38 +0100

bubblewrap (0.1.2-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports, to support a Flatpak backport.
    - debian/gbp.conf: adjust for this branch

 -- Simon McVittie <smcv@debian.org>  Tue, 27 Sep 2016 16:23:46 +0100

bubblewrap (0.1.2-1) unstable; urgency=medium

  * New upstream release

 -- Simon McVittie <smcv@debian.org>  Fri, 09 Sep 2016 09:22:57 +0100

bubblewrap (0.1.1-1) unstable; urgency=medium

  * New upstream release
    - drop patch, included upstream

 -- Simon McVittie <smcv@debian.org>  Sun, 17 Jul 2016 09:08:35 +0100

bubblewrap (0.1.0-3) unstable; urgency=medium

  * d/control: bubblewrap is Multi-Arch: foreign
  * Hardening: build as a position-independent executable with
    eager symbol binding

 -- Simon McVittie <smcv@debian.org>  Wed, 06 Jul 2016 11:07:32 +0100

bubblewrap (0.1.0-2) unstable; urgency=medium

  * Run basic and dev autopkgtests in addition to userns
  * Really add the regression test for keeping CAP_NET_ADMIN
  * debian/gbp.conf: add DEP-14-style git-buildpackage configuration
  * Normalize package lists via `wrap-and-sort -abst`
  * Add Vcs-Git, Vcs-Browser metadata
  * d/p/build-put-libraries-in-LDADD-not-LDFLAGS.patch: new patch
    fixing linking with -Wl,--as-needed (closes: #826787)

 -- Simon McVittie <smcv@debian.org>  Tue, 14 Jun 2016 16:28:09 -0400

bubblewrap (0.1.0-1) unstable; urgency=low

  * New upstream release (closes: #826358).
  * Add watch file.
  * Add Simon McVittie as uploader.

  [ Simon McVittie <smcv@debian.org> ]
  * debian/copyright: correct package name and source (closes: #824969)
  * debian/control: make the whole package Linux-only. Like Flatpak, this
    package is inherently non-portable.
  * Move from Section: web to Section: admin
  * Increase Priority to optional, because this tool is likely to be
    depended on by gnome-software (via Flatpak) in future
  * Add some simple autopkgtests, including one for bug 71 (closes: #824968)

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 06 Jun 2016 17:20:38 +0000

bubblewrap (0~git160513-2) unstable; urgency=low

  * Install bwrap binary setuid (closes: #824646).
  * Make libselinux1-dev build dependency Linux only.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 19 May 2016 15:24:35 +0000

bubblewrap (0~git160513-1) unstable; urgency=low

  * Initial upload (closes: #823548).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 10 May 2016 08:45:59 +0000
