mirror of
https://github.com/flatpak/flatpak.git
synced 2026-05-16 12:50:01 -04:00
3a05714e2b
This patch could be important in case the ref arg was maliciously crafted to try to convince flatpak-system-helper to delete an arbitrary file on the filesystem. However, in practice (a) recent versions of libostree will not accept such a ref name which has e.g. "../" in it thanks to https://github.com/ostreedev/ostree/pull/1286, and (b) even on ancient versions of Flatpak that use a version of libostree without the aforementioned patch, the exploit does not appear to be successful, at least on Debian 9. See https://github.com/flatpak/flatpak/security/advisories/GHSA-45jq-5658-v38x
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
See https://flatpak.org/ for more information.
Community discussion happens in #flatpak:matrix.org, on the mailing list, and on the Flathub Discourse.
Read documentation for Flatpak here.
Contributing
Flatpak welcomes contributions from anyone! Here are some ways you can help:
- Fix one of the issues and submit a PR
- Update flatpak's translations and submit a PR
- Improve flatpak's documentation, hosted at http://docs.flatpak.org and developed over in flatpak-docs
- Find a bug and submit a detailed report including your OS, flatpak version, and the steps to reproduce
- Add your favorite application to Flathub by writing a flatpak-builder manifest and submitting it
- Improve the Flatpak support in your favorite Linux distribution
Hacking
See CONTRIBUTING.md
Related Projects
Here are some notable projects in the Flatpak ecosystem:
- Flatseal: An app for managing permissions of Flatpak apps without using the CLI
- Flat-manager: A tool for managing Flatpak repositories