From c982e591ba1206a3b63e7d236ba8f24fb60bb7ae Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 6 May 2024 16:42:50 +0100
Subject: [PATCH] Use Meson wrap files for bubblewrap and xdg-dbus-proxy

When combined with using `git subtree` for our mandatory vendored dependencies, this avoids differences between what we ship in our git repository (available to users via `git clone` or by unpacking the result of `git archive`), and what's in our official source code releases (which are the result of `meson dist`). Differences between those artifacts would provide an attractive place for attackers to hide malware, for example in CVE-2024-3094, so avoiding differences is a good "nothing up my sleeve" mechanism to make it less appealing for attackers to target Flatpak. With default Meson settings, the wrap files will be used automatically to download our suggested versions of these dependencies, unless the `-Dsystem_bubblewrap=...`, `-Dsystem_dbus_proxy=...` Meson options are used. In environments where automatic downloads are disabled via `-Dwrap_mode=nodownload`, for example many Linux distributions, specifying a system copy becomes mandatory.

Signed-off-by: Simon McVittie
---
 .gitmodules | 9 ---------
 subprojects/.gitignore | 2 ++
 subprojects/bubblewrap | 1 -
 subprojects/bubblewrap.wrap | 5 +++++
 subprojects/dbus-proxy | 1 -
 subprojects/dbus-proxy.wrap | 5 +++++
 6 files changed, 12 insertions(+), 11 deletions(-)
 delete mode 100644 .gitmodules
 create mode 100644 subprojects/.gitignore
 delete mode 160000 subprojects/bubblewrap
 create mode 100644 subprojects/bubblewrap.wrap
 delete mode 160000 subprojects/dbus-proxy
 create mode 100644 subprojects/dbus-proxy.wrap
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 0fea076f..00000000
--- a/.gitmodules
+++ /dev/null
@@ -1,9 +0,0 @@
-[submodule "bubblewrap"]
- path = subprojects/bubblewrap
- url = https://github.com/containers/bubblewrap.git
- ignore = dirty
- branch = main
-[submodule "dbus-proxy"]
- path = subprojects/dbus-proxy
- url = https://github.com/flatpak/xdg-dbus-proxy.git
- branch = main
diff --git a/subprojects/.gitignore b/subprojects/.gitignore
new file mode 100644
index 00000000..f71f340d
--- /dev/null
+++ b/subprojects/.gitignore
@@ -0,0 +1,2 @@
+bubblewrap/
+dbus-proxy/
diff --git a/subprojects/bubblewrap b/subprojects/bubblewrap
deleted file mode 160000
index 8e51677a..00000000
--- a/subprojects/bubblewrap
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 8e51677abd7e3338e4952370bf7d902e37d8cbb6
diff --git a/subprojects/bubblewrap.wrap b/subprojects/bubblewrap.wrap
new file mode 100644
index 00000000..1dbd7164
--- /dev/null
+++ b/subprojects/bubblewrap.wrap
@@ -0,0 +1,5 @@
+[wrap-git]
+url = https://github.com/containers/bubblewrap.git
+# v0.9.0
+revision = 8e51677abd7e3338e4952370bf7d902e37d8cbb6
+depth = 1
diff --git a/subprojects/dbus-proxy b/subprojects/dbus-proxy
deleted file mode 160000
index 7466c813..00000000
--- a/subprojects/dbus-proxy
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 7466c8137fc06f863fde8486521984e43a26cd10
diff --git a/subprojects/dbus-proxy.wrap b/subprojects/dbus-proxy.wrap
new file mode 100644
index 00000000..c9ec6490
--- /dev/null
+++ b/subprojects/dbus-proxy.wrap
@@ -0,0 +1,5 @@
+[wrap-git]
+url = https://github.com/flatpak/xdg-dbus-proxy
+# 0.1.5
+revision = 7466c8137fc06f863fde8486521984e43a26cd10
+depth = 1
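Review bot: The bare `# v0.9.0` comment in subprojects/bubblewrap.wrap is the only thing tying the pinned `revision` to a release, and the file does not say why a commit id is used or how the pin should be checked when it is bumped; the same applies to `# 0.1.5` in subprojects/dbus-proxy.wrap. Pinning the full commit id is the right choice, since a tag or branch name could be moved upstream, so I would record that in the file, e.g. `# v0.9.0 - pinned by commit id so a moved tag cannot change what is fetched; on update, confirm this id is what the upstream release tag points to`. Separately, `depth = 1` with a commit-id revision depends on the server allowing a shallow fetch of a specific commit. That presumably holds for the GitHub URLs here, but it deserves a one-line comment in case the `url` is ever pointed at a mirror.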
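Review bot: The `url` in subprojects/dbus-proxy.wrap drops the `.git` suffix that both the removed `.gitmodules` entry and the new bubblewrap.wrap use. Both forms presumably resolve to the same repository, but keeping the string identical to the old submodule URL makes it easier to audit that the fetch source did not change in this commit, and keeps URL-based mirror or allow-list rules matching. I would write `url = https://github.com/flatpak/xdg-dbus-proxy.git`.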