Release 2021.4

A fair set of minor bugfixes.  Many fixes landed for `bare-user-only` (e.g. unprivileged flatpak) mode, and further work is forthcoming to ensure that `ostree fsck` for example also does the right thing.  There's a new public API to verify signatures outside of HTTP fetches, intended to be used for cases like the "ostree native container" bits in ostree-rs-ext.

ostree learned about [OpenPGP Web Key Directory](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-08) and there are more APIs to access remote GPG keys, in preparation for direct support for updating/rotating keys.

Several CI improvements landed, and minor static analyzer warnings were fixed.

The "deployment staging" model is now explicitly stabilized, and is fairly strongly recommended.  In a future libostree release it is likely we will make it even easier to opt in to newer defaults such as staging and readonly sysroot.

```
Benjamin Gilbert (3):
      man: improve statoverride description
      workflows: bump lint toolchain
      workflows: limit permissions to reading repo contents

Buddelmann, Richard RB (1):
      repo-pull: legacy_transaction_resuming flag ignored

Colin Walters (10):
      lib: Change read_commit_detached_metadata to be nullable
      ci: Run main GH action CI build+test as non-root
      checkout: Save errno when re-throwing
      checkout: Also ignore xattrs for union in bare-user-only mode
      Add an API to verify a commit signature explicitly
      tests/basic: Skip --no-xattrs if we have selinux
      upgrade: Stabilize deployment staging
      Add support for "custom remotes"
      Release 2021.4
      configure: post-release version bump

Dan Nicholson (13):
      lib/repo: Factor out GPG verifier key imports
      lib/repo: Factor out GPG verifier preparation
      lib/repo: Allow preparing GPG verifier without global keyrings
      lib/repo: Add ostree_repo_remote_get_gpg_keys()
      bin/remote: Add list-gpg-keys subcommand
      libotutil: Import implementation of zbase32 encoding
      libotutil: Add helper for GPG WKD update URLs
      lib/repo: Include WKD update URLs in GPG key listing
      bin/remote: Include update URLs in list-gpg-keys
      fixup! lib/repo: Add ostree_repo_remote_get_gpg_keys()
      fixup! bin/remote: Add list-gpg-keys subcommand
      fixup! lib/repo: Add ostree_repo_remote_get_gpg_keys()
      bin/remote: Rename list-gpg-keys to gpg-list-keys

Jonathan Lebon (3):
      lib/sign-dummy: Handle incorrect signatures correctly
      lib/sysroot: Fix error message about creating `/var/lib`
      ostree/dump: Fix free'ing a static string

Luca BRUNO (15):
      configure: post-release version bump
      builtins/commit: check for conflicting permissions options
      builtins/commit: move commit modifier to auto-cleanup
      lib/core/checksum: add flag to use canonical permissions
      lib/repo/checkout: use canonical perms in bare-user-only mode
      lib/commit: autofix permissions for bare-user-only
      lib/diff: ignore xattrs if disabled on either repos
      lib/diff: automatically skip xattrs in bare-user-only mode
      builtins/commit: set up relevant flags in bare-user-only mode
      lib/commit: automatically skip xattrs in bare-user-only mode
      tests: update several bare-user-only checks
      lib: improve transactions auto-cleanup logic
      libtest: tweak selinux/relabel message
      tests/basic: avoid changing ownership
      tests: skip a broken fsck case

Simon McVittie (1):
      tests: Unset SOURCE_DATE_EPOCH

刘建强 (1):
      fix: Avoid wild pointers

```

Git-EVTag-v0-SHA512: eace94b80c91fb88dc9357a42c0f06b4d4cdd198c0c87586d4ef5ee307cf96237202546e1bfe630d2f55988f497224c86bfa2b384000374b9bd6badc22a772a4
-----BEGIN PGP SIGNATURE-----

iQFHBAABCgAxFiEEq5KKnPjdBikJw3u93EX9WSHBPwsFAmE58oITHHdhbHRlcnNA
dmVyYnVtLm9yZwAKCRDcRf1ZIcE/CxCOB/96FP7/60OPWxfW/40za7ZiY76SsYcE
KkmehQYp/TbxxTCbAuEG5HJlrLq6NygU6l0QBurHxJUTWT3TKfR9ZvMyMnVZOYHn
F/nB7U7ZUFYo84tulmso5w4HeKV1mj0Xk/racgD9lQvR6XwKKPlh/S2xTOMZiAuL
CdzdEp1lW+DCj0R+dhuY7xGYUfyNScG7ldDI08enASyW42xwVfplpq1H8buV3tAb
6pbS2yB27enM338H1xxpxsfTo3wBeki6o9t4f5pguwzwShofc4NMsuY/1DA30PZS
QVlfp7B9nGePBI101IC3GoipGbjRD7eXZXRGKWX5Jai5hq/F5FmuAqln
=ylWp
-----END PGP SIGNATURE-----