Use Meson wrap files for bubblewrap and xdg-dbus-proxy

When combined with using `git subtree` for our mandatory vendored dependencies, this avoids differences between what we ship in our git repository (available to users via `git clone` or by unpacking the result of `git archive`), and what's in our official source code releases (which are the result of `meson dist`). Differences between those artifacts would provide an attractive place for attackers to hide malware, for example in CVE-2024-3094, so avoiding differences is a good "nothing up my sleeve" mechanism to make it less appealing for attackers to target Flatpak. With default Meson settings, the wrap files will be used automatically to download our suggested versions of these dependencies, unless the `-Dsystem_bubblewrap=...`, `-Dsystem_dbus_proxy=...` Meson options are used. In environments where automatic downloads are disabled via `-Dwrap_mode=nodownload`, for example many Linux distributions, specifying a system copy becomes mandatory. Signed-off-by: Simon McVittie <[email protected]>
flatpak · May 6, 2024 · c982e59 · c982e59
1 parent bd86ef9
commit c982e59
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 11 deletions.
diff --git a/.gitmodules b/.gitmodules
diff --git a/subprojects/.gitignore b/subprojects/.gitignore
@@ -0,0 +1,2 @@
+bubblewrap/
+dbus-proxy/
diff --git a/subprojects/bubblewrap b/subprojects/bubblewrap
diff --git a/subprojects/bubblewrap.wrap b/subprojects/bubblewrap.wrap
@@ -0,0 +1,5 @@
+[wrap-git]
+url = https://github.com/containers/bubblewrap.git
+# v0.9.0
+revision = 8e51677abd7e3338e4952370bf7d902e37d8cbb6
+depth = 1
diff --git a/subprojects/dbus-proxy b/subprojects/dbus-proxy
diff --git a/subprojects/dbus-proxy.wrap b/subprojects/dbus-proxy.wrap
@@ -0,0 +1,5 @@
+[wrap-git]
+url = https://github.com/flatpak/xdg-dbus-proxy
+# 0.1.5
+revision = 7466c8137fc06f863fde8486521984e43a26cd10
+depth = 1