Import Debian changes 0.9.0-ok1

bubblewrap (0.9.0-ok1) nile; urgency=medium

  * Build for openKylin.

debian/50-bubblewrap.conf

@@ -0,0 +1,10 @@
+# Enable unprivileged creation of new user namespaces in older Debian
+# kernels.
+#
+# If this is not desired, copy this file to
+# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
+# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
+#
+# For more details see https://deb.li/bubblewrap or
+# /usr/share/doc/bubblewrap/README.Debian
+kernel.unprivileged_userns_clone=1

debian/README.Debian

@@ -0,0 +1,172 @@
+bubblewrap kernel requirements
+==============================
+
+bubblewrap can be used by various parts of the system to run
+partially-trusted programs in a sandboxed environment where their impact
+on system security is reduced. For example:
+
+- Flatpak uses bubblewrap to run partially-trusted, user-installable
+  apps in a sandboxed environment.
+
+- libgnome-desktop uses bubblewrap to run thumbnailers in a sandboxed
+  environment, so that if there are security flaws in an image decoder
+  used by a thumbnailer, the process of generating thumbnails for a
+  maliciously crafted image cannot be used to attack the rest of the
+  system.
+
+bubblewrap can also be used to run trusted programs in a different
+environment, for example with different shared libraries available:
+
+- Flatpak uses bubblewrap to run apps with a predictable library stack
+  that does not match the rest of the system, even if those apps are
+  trusted and so do not need to be sandboxed for security.
+
+- Steam uses bubblewrap to run some games with a predictable library
+  stack that does not match the rest of the system.
+
+The necessary capabilities to do this can be obtained in one of two
+ways:
+
+- On kernels where unprivileged users can create new user namespaces,
+  bubblewrap's bwrap executable can be an ordinary unprivileged program.
+
+- On kernels where this is not possible, bubblewrap will not work unless
+  the /usr/bin/bwrap executable is setuid root. Some bubblewrap and Flatpak
+  features will not work in this configuration for security reasons.
+
+Newer Debian kernels (Linux 5.10 and newer; Debian 11 and newer)
+----------------------------------------------------------------
+
+Debian kernels since 5.10 allow unprivileged users to create new user
+namespaces. The bwrap executable can be made non-setuid on these kernels.
+
+By default, the bubblewrap package in Debian no longer installs a setuid
+root /usr/bin/bwrap executable.
+
+Ubuntu kernels (Ubuntu 18.04 and newer)
+---------------------------------------
+
+Ubuntu kernels also allow unprivileged users to create new user
+namespaces. The bwrap executable can be made non-setuid on these kernels,
+and the Ubuntu bubblewrap package does not install a setuid executable.
+
+Older Debian kernels (Linux 5.9 and older; Debian 10 and older)
+---------------------------------------------------------------
+
+Debian kernels older than 5.10 have support for user namespaces, but
+that feature is disabled by default to reduce the kernel's attack
+surface.
+
+The bubblewrap package contains configuration in
+/usr/lib/sysctl.d/50-bubblewrap.conf to enable user namespaces
+(see "Enabling kernel.unprivileged_userns_clone", below).
+
+If this is not desired, system administrators can copy that file
+to /etc/sysctl.d/50-bubblewrap.conf and modify it to disable unprivileged
+creation of user namespaces, then make bubblewrap setuid root so that it
+still works as intended (see "Making bubblewrap setuid root", below).
+
+Custom and third-party kernels
+------------------------------
+
+If you compile your own kernel, you will need at least
+CONFIG_NAMESPACES=y and preferably CONFIG_USER_NS=y.
+
+If you do not have CONFIG_UTS_NS=y, CONFIG_IPC_NS=y, CONFIG_USER_NS=y,
+CONFIG_PID_NS=y and CONFIG_NET_NS=y, then the corresponding bubblewrap
+features will not work.
+
+Configuring kernel.unprivileged_userns_clone
+--------------------------------------------
+
+This Debian-specific sysctl parameter controls whether unprivileged
+users are allowed to create new user namespaces.
+
+If it is set to 0, some attacks against the kernel are made more difficult,
+which can increase security. However, some user-space software will not
+be able to create a sandboxed environment or will have to rely on a
+setuid version of bubblewrap to create a sandboxed environment, which
+reduces security. The value of this sysctl parameter is a trade-off
+between different security risks.
+
+If this parameter is set to 0, bubblewrap and Flatpak will not work unless
+bwrap is made setuid root (see "Making bubblewrap setuid root" below).
+
+The default is 1 for Debian kernels that are version 5.10 or newer,
+1 for Ubuntu kernels, or 0 for older Debian kernels. The bubblewrap
+package contains configuration in /usr/lib/sysctl.d/50-bubblewrap.conf
+to set this parameter to 1 during system startup.
+
+If this is not desired, system administrators can copy
+/usr/lib/sysctl.d/50-bubblewrap.conf to /etc/sysctl.d/50-bubblewrap.conf
+and modify it to disable unprivileged creation of user namespaces, then
+make bubblewrap setuid root so that it still works as intended (see
+"Making bubblewrap setuid root", below).
+
+You can view the current setting with:
+
+    cat /proc/sys/kernel/unprivileged_userns_clone
+
+and temporarily set it to 1 (until the next reboot) with:
+
+    sudo sysctl -w kernel.unprivileged_userns_clone=1
+
+Configuring the maximum number of namespaces per user
+-----------------------------------------------------
+
+The number of user namespaces per user is limited. The default limit
+depends on the amount of RAM available.
+
+Setting this limit to 0 is the recommended way to disable user namespace
+creation if this is required as a security hardening measure. bubblewrap
+will not work with this limit set to 0, unless it is setuid root (see
+"Configuring whether bubblewrap is setuid root" below).
+
+The limit is given by the user.max_user_namespaces sysctl parameter.
+
+You can view the current setting with:
+
+    cat /proc/sys/user/max_user_namespaces
+
+and temporarily set it to a value (until the next reboot) with a
+command like:
+
+    sudo sysctl -w user.max_user_namespaces=1000
+
+To set it to a value during system startup, create a file in /etc/sysctl.d
+containing a line like this:
+
+    user.max_user_namespaces=1000
+
+Configuring whether bubblewrap is setuid root
+---------------------------------------------
+
+To use bubblewrap with kernel.unprivileged_userns_clone set to 0
+or user.max_user_namespaces set to 0, it is necessary to make the bwrap
+executable setuid root. This gives it the necessary capabilities to set
+up containers even when run by an otherwise unprivileged user, and is the
+configuration normally used in Debian 10.
+
+This can be a security risk: if there are bugs in bubblewrap, it might be
+possible for an unprivileged user to get root privileges by running a
+setuid version of the bwrap executable. CVE-2020-5291 and CVE-2016-8659
+are examples of bugs that had this effect in the past. However, it allows
+the kernel to be configured to disallow creation of user namespaces by
+unprivileged users, which prevents attacks like CVE-2016-3135 from being
+carried out against the kernel. This is a trade-off between different
+security risks.
+
+To avoid other attacks, some Flatpak and bubblewrap features are not
+available when bwrap is setuid root, and the absence of those features
+is known to break some Flatpak apps. For example, the Flatpak app for
+the Chromium web browser will not work with a setuid bwrap executable.
+
+To check whether the bwrap executable will be made setuid root after
+the next upgrade, use this command:
+
+    dpkg-statoverride --list /usr/bin/bwrap
+
+To force the bwrap executable to be setuid root, use these commands:
+
+    sudo dpkg-statoverride --quiet --remove /usr/bin/bwrap
+    sudo dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap

debian/bubblewrap.bug-script

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -eu
+exec >&3 2>&3
+
+echo "Permissions of /usr/bin/bwrap:"
+ls -l /usr/bin/bwrap || :
+
+for f in \
+    /etc/sysctl.d/*-bubblewrap.conf \
+    /usr/lib/sysctl.d/*-bubblewrap.conf \
+    /proc/sys/kernel/unprivileged_userns_clone \
+    /proc/sys/user/max_*_namespaces \
+; do
+    echo "$f:"
+    cat "$f" || :
+done

debian/bubblewrap.examples

@@ -0,0 +1 @@
+demos/*

debian/bubblewrap.install

@@ -0,0 +1 @@
+debian/50-bubblewrap.conf usr/lib/sysctl.d

debian/bubblewrap.postinst

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+# Apply sysctl configuration after upgrade
+if command -v sysctl > /dev/null; then
+    sysctl --quiet --pattern '^kernel\.unprivileged_userns_clone$' --system || :
+fi

debian/changelog

@@ -0,0 +1,5 @@
+bubblewrap (0.9.0-ok1) nile; urgency=medium
+
+  * Build for openKylin.
+
+ -- Luoyaoming <Luoyaoming@kylinos.cn>  Wed, 24 Apr 2024 09:11:58 +0800

debian/clean

@@ -0,0 +1 @@
+config.log

debian/control

@@ -0,0 +1,50 @@
+Source: bubblewrap
+Section: admin
+Priority: optional
+Maintainer: openKylin Developers <packaging@lists.openkylin.top>
+XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
+Uploaders:
+ Laszlo Boszormenyi (GCS) <gcs@debian.org>,
+ Simon McVittie <smcv@debian.org>,
+Build-Depends:
+ bash-completion,
+ debhelper-compat (= 13),
+ docbook-xml,
+ docbook-xsl,
+ iproute2 <!nocheck>,
+ libcap-dev,
+ libcap2-bin <!nocheck>,
+ libipc-run-perl <!nocheck>,
+ libselinux1-dev,
+ meson,
+ perl:any <!nocheck>,
+ pkgconf,
+ python3:any <!nocheck>,
+ xsltproc,
+Standards-Version: 4.6.2
+Homepage: https://github.com/containers/bubblewrap
+Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
+Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
+Rules-Requires-Root: no
+
+Package: bubblewrap
+Architecture: linux-any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ procps,
+Description: utility for unprivileged chroot and namespace manipulation
+ bubblewrap uses Linux namespaces to launch unprivileged containers.
+ These containers can be used to sandbox semi-trusted applications such
+ as Flatpak apps, image/video thumbnailers and web browser components,
+ or to run programs in a different library stack such as a Flatpak runtime
+ or a different Debian release.
+ .
+ By default, this package relies on a kernel with user namespaces enabled.
+ Official Debian and Ubuntu kernels are suitable.
+ .
+ On kernels without user namespaces, system administrators can make the
+ bwrap executable setuid root, allowing it to create unprivileged
+ containers even though ordinary user processes cannot.

debian/copyright

@@ -0,0 +1,89 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: bubblewrap
+Source: https://github.com/containers/bubblewrap/
+
+Files: *
+Copyright:
+ 2016 Alexander Larsson
+ 2021 Simon McVittie
+ 2022 Collabora Ltd.
+License: LGPL-2+
+
+Files: bubblewrap.jpg
+Copyright: none
+License: pd-bubblewrap.jpg
+ Placed in the public domain by the photographer "dancing_stupidity".
+
+Files: debian/*
+Copyright:
+ 2016 Laszlo Boszormenyi (GCS) <gcs@debian.org>
+ 2016-2024 Simon McVittie
+ 2016-2024 Collabora Ltd.
+License: LGPL-2+
+
+Files:
+ git.mk
+Copyright:
+ 2009, Red Hat, Inc.
+ 2010-2013 Behdad Esfahbod
+License: permissive-git.mk
+ Copying and distribution of this file, with or without modification,
+ is permitted in any medium without royalty provided the copyright
+ notice and this notice are preserved.
+
+Files: m4/attributes.m4
+Copyright:
+ 2006-2008 Diego Pettenò <flameeyes@gmail.com>
+ 2006-2008 xine project
+ 2012 Lucas De Marchi <lucas.de.marchi@gmail.com>
+License: GPL-2+ with Autoconf exception
+
+License: LGPL-2+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+ .
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+ .
+ You should have received a copy of the GNU Library General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+ USA.
+ .
+ On Debian systems, the full text of the GNU Library General Public License
+ version 2 can be found in the file `/usr/share/common-licenses/LGPL-2'.
+
+License: GPL-2+ with Autoconf exception
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301, USA.
+ .
+ As a special exception, the copyright owners of the
+ macro gives unlimited permission to copy, distribute and modify the
+ configure scripts that are the output of Autoconf when processing the
+ Macro. You need not follow the terms of the GNU General Public
+ License when using or distributing such scripts, even though portions
+ of the text of the Macro appear in them. The GNU General Public
+ License (GPL) does govern all other use of the material that
+ constitutes the Autoconf Macro.
+ .
+ This special exception to the GPL applies to versions of the
+ Autoconf Macro released by this project. When you make and
+ distribute a modified version of the Autoconf Macro, you may extend
+ this special exception to the GPL to apply to your modified version as
+ well.

debian/docs

@@ -0,0 +1 @@
+README.md

debian/gbp.conf

@@ -0,0 +1,6 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/latest
+upstream-branch = upstream/latest
+patch-numbers = False
+upstream-vcs-tag = v%(version)s

debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch

@@ -0,0 +1,22 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 1 Jan 2021 15:03:27 +0000
+Subject: Change EPERM error message to show Debian-specific information
+
+Forwarded: not-needed
+---
+ bubblewrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index 9b78a9a..1ea16c9 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -2905,7 +2905,7 @@ main (int    argc,
+           if (errno == EINVAL)
+             die ("Creating new namespace failed, likely because the kernel does not support user namespaces.  bwrap must be installed setuid on such systems.");
+           else if (errno == EPERM && !is_privileged)
+-            die ("No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.");
++            die ("No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.");
+         }
+ 
+       if (errno == ENOSPC)

debian/patches/series

@@ -0,0 +1 @@
+debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch

debian/rules

@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+PKGDIR=$(CURDIR)/debian/bubblewrap
+
+%:
+	dh $@ --buildsystem=meson+ninja --without=autoreconf
+
+override_dh_auto_configure:
+	dh_auto_configure \
+		-- \
+		-Dzsh_completion_dir=/usr/share/zsh/vendor-completions \
+		${NULL}
+.PHONY: override_dh_auto_configure
+
+override_dh_auto_test:
+	# Remove LD_PRELOAD so we don't run with faketime. It uses
+	# sem_open(), but bubblewrap runs in an environment where that
+	# can't work.
+	env -u LD_PRELOAD dh_auto_test
+
+.PHONY: override_dh_auto_test

debian/salsa-ci.yml

@@ -0,0 +1,3 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tests/basic

@@ -0,0 +1,21 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out);
+is($out, `id -u`);
+run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out);
+is($out, `id -g`);
+
+done_testing;

debian/tests/control

@@ -0,0 +1,36 @@
+Tests:
+ basic
+ dev
+ net
+ upstream
+ userns
+Restrictions: allow-stderr, isolation-machine
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,
+
+Tests: upstream-usrmerge
+Restrictions: allow-stderr, isolation-machine, breaks-testbed
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,
+ usrmerge
+
+Tests:
+ upstream-as-root
+Restrictions: allow-stderr, isolation-machine, needs-root
+Depends:
+ bubblewrap,
+ iproute2:native,
+ libcap2-bin:native,
+ libipc-run-perl:native,
+ perl:native,
+ python3:native,

debian/tests/dev

@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / --dev /dev //bin/sh -c), "echo /dev/*"],
+    '<', \undef, '>', \$out);
+like($out, qr{(^| )/dev/full( |$)});
+like($out, qr{(^| )/dev/null( |$)});
+like($out, qr{(^| )/dev/pts( |$)});
+like($out, qr{(^| )/dev/random( |$)});
+like($out, qr{(^| )/dev/shm( |$)});
+like($out, qr{(^| )/dev/stderr( |$)});
+like($out, qr{(^| )/dev/stdin( |$)});
+like($out, qr{(^| )/dev/stdout( |$)});
+like($out, qr{(^| )/dev/tty( |$)});
+like($out, qr{(^| )/dev/urandom( |$)});
+like($out, qr{(^| )/dev/zero( |$)});
+unlike($out, qr{(^| )/dev/hda( |$)});
+unlike($out, qr{(^| )/dev/dsp( |$)});
+unlike($out, qr{(^| )/dev/fuse( |$)});
+unlike($out, qr{(^| )/dev/kmsg( |$)});
+unlike($out, qr{(^| )/dev/loop0( |$)});
+unlike($out, qr{(^| )/dev/mem( |$)});
+unlike($out, qr{(^| )/dev/sda( |$)});
+unlike($out, qr{(^| )/dev/snd( |$)});
+unlike($out, qr{(^| )/dev/tty1( |$)});
+unlike($out, qr{(^| )/dev/vda( |$)});
+
+done_testing;

debian/tests/net

@@ -0,0 +1,24 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+run_ok([qw(bwrap --ro-bind / / --unshare-net /bin/sh -c), "ip link ls"],
+    '<', \undef, '>', \$out);
+
+like($out, qr{^[0-9]+: lo:});
+unlike($out, qr{^[0-9]+: en[^:]*:});
+unlike($out, qr{^[0-9]+: eth[^:]*:});
+unlike($out, qr{^[0-9]+: wlan[^:]*:});
+
+done_testing;

debian/tests/upstream

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec tests/test-run.sh

debian/tests/upstream-as-root

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec tests/test-run.sh

debian/tests/upstream-usrmerge

@@ -0,0 +1 @@
+upstream

debian/tests/userns

@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+# vim:set sw=4 sts=4 et ft=perl:
+
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run qw(run);
+
+sub run_ok {
+    my $argv = shift;
+    my $debug = join(' ', @$argv);
+    ok(run($argv, @_), qq{"$debug" should succeed});
+}
+
+my $out;
+
+diag("Unshare user ID");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -u)],
+    '<', \undef, '>', \$out);
+is($out, "2\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -g)],
+    '<', \undef, '>', \$out);
+is($out, "3\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /bin/sh -c),
+        'ls -l /etc/passwd'],
+    '<', \undef, '>', \$out);
+like($out, qr{ nobody nogroup });
+
+diag("Combine new /dev with new user namespace (#71)");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /bin/sh -c),
+        'echo /dev/*'],
+    '<', \undef, '>', \$out);
+like($out, qr{(^| )/dev/full( |$)});
+unlike($out, qr{(^| )/dev/tty1( |$)});
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -u)],
+    '<', \undef, '>', \$out);
+is($out, "2\n");
+run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -g)],
+    '<', \undef, '>', \$out);
+is($out, "3\n");
+
+done_testing;

debian/upstream/metadata

@@ -0,0 +1,7 @@
+---
+Repository: https://github.com/containers/bubblewrap.git
+Repository-Browse: https://github.com/containers/bubblewrap
+Bug-Database: https://github.com/containers/bubblewrap/issues
+Bug-Submit: https://github.com/containers/bubblewrap/issues/new
+...
+# vim:set ft=yaml:

debian/watch

@@ -0,0 +1,9 @@
+version=4
+# Upstream releases official Autotools 'make dist' tarballs, so we use
+# those in preference to git tags
+opts="\
+    compression=xz, \
+    dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//, \
+    downloadurlmangle=s#/tag/#/download/#;s#(v?@ANY_VERSION@)$#$1/@PACKAGE@-$2.tar.xz#, \
+    filenamemangle=s#v?@ANY_VERSION@#@PACKAGE@-$1.tar.xz#" \
+https://github.com/containers/@PACKAGE@/tags .*/releases/tag/v?@ANY_VERSION@