Version in base suite: 2.1.2-1 Base version: opam_2.1.2-1 Target version: opam_2.1.2-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/opam/opam_2.1.2-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/opam/opam_2.1.2-1+deb12u1.dsc changelog | 8 + gbp.conf | 1 patches/0001-Invalidate-.install-fields-containing-destination-fi.patch | 69 ++++++++++ patches/series | 1 tests/4.08.1 | 23 --- tests/4.14.1 | 29 ++++ tests/basic-test.sh | 14 +- tests/control | 10 - tests/ocaml-system | 14 +- 9 files changed, 131 insertions(+), 38 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9pp778d0/opam_2.1.2-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9pp778d0/opam_2.1.2-1+deb12u1.dsc: no acceptable signature found
diff -Nru opam-2.1.2/debian/changelog opam-2.1.2/debian/changelog
--- opam-2.1.2/debian/changelog 2022-02-14 14:58:35.000000000 +0000
+++ opam-2.1.2/debian/changelog 2026-04-16 13:59:08.000000000 +0000
@@ -1,3 +1,11 @@
+opam (2.1.2-1+deb12u1) bookworm-security; urgency=medium
+
+ * Invalidate .install fields containing destination filepath trying to
+ escape their scope
+ * Fix autopkgtest
+
+ -- Stéphane Glondu Thu, 16 Apr 2026 15:59:08 +0200
+
 opam (2.1.2-1) unstable; urgency=medium
 
 * Team upload
diff -Nru opam-2.1.2/debian/gbp.conf opam-2.1.2/debian/gbp.conf
--- opam-2.1.2/debian/gbp.conf 2021-12-01 15:45:54.000000000 +0000
+++ opam-2.1.2/debian/gbp.conf 2026-04-16 13:58:54.000000000 +0000
@@ -1,4 +1,5 @@
 [DEFAULT]
+debian-branch = debian/bookworm
 pristine-tar = True
 filter-pristine-tar = True
 filter = [
diff -Nru opam-2.1.2/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch opam-2.1.2/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch
--- opam-2.1.2/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch 1970-01-01 00:00:00.000000000 +0000
+++ opam-2.1.2/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch 2026-04-16 13:58:54.000000000 +0000
@@ -0,0 +1,69 @@
+From: Kate
+Date: Thu, 16 Apr 2026 08:11:45 +0200
+Subject: Invalidate .install fields containing destination filepath trying to
+ escape their scope
+
+Origin: https://github.com/ocaml/opam/pull/6898
+---
+ src/core/opamFilename.ml | 10 ++++++++++
+ src/core/opamFilename.mli | 3 +++
+ src/format/opamFile.ml | 11 +++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/opamFilename.ml b/src/core/opamFilename.ml
+index 567f019..ac9e505 100644
+--- a/src/core/opamFilename.ml
++++ b/src/core/opamFilename.ml
+@@ -9,6 +9,16 @@
+ (* *)
+ (**************************************************************************)
+ 
++let might_escape ~sep path =
++ let sep =
++ match sep with
++ | `Unix -> Re.char '/'
++ | `Windows -> Re.alt Re.[ char '\\'; char '/' ]
++ | `Unspecified -> Re.str Filename.dir_sep
++ in
++ List.exists (String.equal Filename.parent_dir_name)
++ Re.(split (compile sep) path)
++
+ module Base = struct
+ include OpamStd.AbstractString
+ 
+diff --git a/src/core/opamFilename.mli b/src/core/opamFilename.mli
+index 3a50568..a4e11e5 100644
+--- a/src/core/opamFilename.mli
++++ b/src/core/opamFilename.mli
+@@ -12,6 +12,9 @@
+ (** Higher level file and directory name manipulation AND file operations,
+ wrappers on OpamSystem using the filename type *)
+ 
++(* Returns [true] if string contains '..' between directory separators *)
++val might_escape: sep:[`Unix | `Windows | `Unspecified ] -> string -> bool
++
+ (** Basenames *)
+ module Base: sig
+ include OpamStd.ABSTRACT
+diff --git a/src/format/opamFile.ml b/src/format/opamFile.ml
+index 71b0dd3..f08ab05 100644
+--- a/src/format/opamFile.ml
++++ b/src/format/opamFile.ml
+@@ -3436,8 +3436,15 @@ module Dot_installSyntax = struct
+ Pp.V.map_list ~depth:1 @@ Pp.V.map_option
+ (Pp.V.string -| pp_optional)
+ (Pp.opt @@
+- Pp.singleton -| Pp.V.string -|
+- Pp.of_module "rel-filename" (module OpamFilename.Base))
++ Pp.singleton -| Pp.V.string -| Pp.pp ~name:"rel-filename"
++ (fun ~pos s ->
++ if OpamFilename.might_escape ~sep:`Unspecified s then
++ Pp.bad_format ~pos "%s references its parent directory." s
++ else if Filename.is_relative s then
++ OpamFilename.Base.of_string s
++ else
++ Pp.bad_format ~pos "%s is an absolute filename." s)
++ OpamFilename.Base.to_string)
+ in
+ let pp_misc =
+ Pp.V.map_list ~depth:1 @@ Pp.V.map_option
diff -Nru opam-2.1.2/debian/patches/series opam-2.1.2/debian/patches/series
--- opam-2.1.2/debian/patches/series 2022-02-14 14:58:35.000000000 +0000
+++ opam-2.1.2/debian/patches/series 2026-04-16 13:58:54.000000000 +0000
@@ -2,3 +2,4 @@
 0004-Use-HOME-env-variable-instead-of.patch
 0003-Fix-compilation-with-Dose3-7.0.0.patch
 0004-Fix-compilation-with-Base64-3.5.0.patch
+0001-Invalidate-.install-fields-containing-destination-fi.patch
diff -Nru opam-2.1.2/debian/tests/4.08.1 opam-2.1.2/debian/tests/4.08.1
--- opam-2.1.2/debian/tests/4.08.1 2021-12-01 15:45:54.000000000 +0000
+++ opam-2.1.2/debian/tests/4.08.1 1970-01-01 00:00:00.000000000 +0000
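Review bot: The `.mli` comment added for `might_escape` is a plain `(* ... *)` rather than an odoc `(** ... *)` comment, so the new public value carries no documentation that odoc or editor tooling will attach to it, and it does not say which separators each `sep` variant selects; I'd replace it with `(** [might_escape ~sep path] is [true] when some component of [path], split on the separators chosen by [sep], equals [Filename.parent_dir_name]. *)`. Separately, the `opamFile.ml` call site passes ``sep:`Unspecified``, which resolves to `Filename.dir_sep` — the same as ``` `Unix ``` on Debian's Linux builds, so this upload is unaffected; on a Windows build that variant would split only on `\`, whereas the ``` `Windows ``` variant the patch also defines handles both separators and looks like the better fit for a destination-path check, so it may be worth comparing with the upstream PR named in the Origin header. The enclosing `Dot_installSyntax` module and the `Pp.pp` expression both begin and end outside the hunk.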
@@ -1,23 +0,0 @@
-#!/bin/sh
-set -eu
-
-if command -v tput > /dev/null; then
- YELLOW="$(tput setaf 3)"
- RESET="$(tput sgr0)"
-else
- YELLOW=""
- RESET=""
-fi
-
-run() {
- echo "${YELLOW}\$ $@${RESET}"
- "$@"
- echo
-}
-
-SWITCH="$(basename $0)"
-export HOME="$(mktemp -d)"
-trap 'rm -rf -- "$HOME"' EXIT
-
-run opam init --no-setup --compiler="$SWITCH"
-run opam install -y merlin ocp-indent utop
diff -Nru opam-2.1.2/debian/tests/4.14.1 opam-2.1.2/debian/tests/4.14.1
--- opam-2.1.2/debian/tests/4.14.1 1970-01-01 00:00:00.000000000 +0000
+++ opam-2.1.2/debian/tests/4.14.1 2026-04-16 13:46:42.000000000 +0000
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+if [ -z "$TERM" ]; then
+ export TERM=dumb
+fi
+
+set -u
+
+if [ "$TERM" != dumb ] && command -v tput > /dev/null; then
+ YELLOW="$(tput setaf 3)"
+ RESET="$(tput sgr0)"
+else
+ YELLOW=""
+ RESET=""
+fi
+
+run() {
+ echo "${YELLOW}\$ $@${RESET}"
+ "$@"
+ echo
+}
+
+SWITCH="$(basename "$0")"
+export HOME="$(mktemp -d)"
+trap 'rm -rf -- "$HOME"' EXIT
+
+run opam init --disable-sandbox --no-setup --compiler="$SWITCH"
+run opam install -y merlin ocp-indent utop
diff -Nru opam-2.1.2/debian/tests/basic-test.sh opam-2.1.2/debian/tests/basic-test.sh
--- opam-2.1.2/debian/tests/basic-test.sh 2021-12-01 15:45:54.000000000 +0000
+++ opam-2.1.2/debian/tests/basic-test.sh 2026-04-16 13:46:42.000000000 +0000
@@ -1,7 +1,13 @@
 #!/bin/sh
-set -eu
+set -e
 
-if command -v tput > /dev/null; then
+if [ -z "$TERM" ]; then
+ export TERM=dumb
+fi
+
+set -u
+
+if [ "$TERM" != dumb ] && command -v tput > /dev/null; then
 YELLOW="$(tput setaf 3)"
 RESET="$(tput sgr0)"
 else
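Review bot: `run opam init --disable-sandbox --no-setup --compiler="$SWITCH"` in the new tests/4.14.1 turns off opam's bwrap-based sandbox for package build and install commands, and because tests/control now declares `needs-internet`, those commands come from packages fetched from the opam repository at test time and run unconfined with the test's own privileges. The dropped `isolation-container` restriction and its "required for bwrap" comment in the tests/control hunk are presumably the reason, but the script itself should record the trade-off; I'd add above that line `# bwrap needs container-level isolation that this test no longer requests (see tests/control), so builds run unsandboxed inside the throwaway $HOME`. The same flag is added in the basic-test.sh and ocaml-system hunks that follow, and the control hunk removes the restriction. The `set -e` / `set -u` split exists only so `[ -z "$TERM" ]` survives an unset TERM; `if [ -z "${TERM:-}" ]; then` would let the scripts keep the original one-line `set -eu`, here and in the two other scripts.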
@@ -15,9 +21,9 @@
 echo
 }
 
-SWITCH="$(basename $0)"
+SWITCH="$(basename "$0")"
 export HOME="$(mktemp -d)"
 trap 'rm -rf -- "$HOME"' EXIT
 
-run opam init --no-setup --compiler="$SWITCH"
+run opam init --disable-sandbox --no-setup --compiler="$SWITCH"
 run opam install -y merlin ocp-indent utop
diff -Nru opam-2.1.2/debian/tests/control opam-2.1.2/debian/tests/control
--- opam-2.1.2/debian/tests/control 2021-12-01 15:46:04.000000000 +0000
+++ opam-2.1.2/debian/tests/control 2026-04-16 13:46:42.000000000 +0000
@@ -1,7 +1,3 @@
-Tests: 4.08.1 ocaml-system
-Depends: @, ca-certificates
-Restrictions: isolation-container, allow-stderr
-# Container (or greater) isolation seems required for bwrap to work correctly
-
-Tests: ocaml-system
-Depends: ocaml-nox
+Tests: 4.14.1 ocaml-system
+Depends: @, ca-certificates, ocaml
+Restrictions: allow-stderr, needs-internet
diff -Nru opam-2.1.2/debian/tests/ocaml-system opam-2.1.2/debian/tests/ocaml-system
--- opam-2.1.2/debian/tests/ocaml-system 2021-12-01 15:45:54.000000000 +0000
+++ opam-2.1.2/debian/tests/ocaml-system 2026-04-16 13:46:42.000000000 +0000
@@ -1,7 +1,13 @@
 #!/bin/sh
-set -eu
+set -e
 
-if command -v tput > /dev/null; then
+if [ -z "$TERM" ]; then
+ export TERM=dumb
+fi
+
+set -u
+
+if [ "$TERM" != dumb ] && command -v tput > /dev/null; then
 YELLOW="$(tput setaf 3)"
 RESET="$(tput sgr0)"
 else
@@ -15,9 +21,9 @@
 echo
 }
 
-SWITCH="$(basename $0)"
+SWITCH="$(basename "$0")"
 export HOME="$(mktemp -d)"
 trap 'rm -rf -- "$HOME"' EXIT
 
-run opam init --no-setup --compiler="$SWITCH"
+run opam init --disable-sandbox --no-setup --compiler="$SWITCH"
 run opam install -y merlin ocp-indent utop