ostree v2021.4 and ostree-rs 0.13

["Colin Walters" <walters verbum org>]

https://github.com/ostreedev/ostree/releases/tag/v2021.4
https://crates.io/crates/ostree/0.13.0 (mainly to support the above v2021.4)

I'm working on an ostree-rs-ext release which bumps to the updated ostree crate, but I hope to land 
https://github.com/ostreedev/ostree-rs-ext/issues/2 as part of that.

For ostree:

A fair set of minor bugfixes.  Many fixes landed for `bare-user-only` (e.g. unprivileged flatpak) mode, and 
further work is forthcoming to ensure that `ostree fsck` for example also does the right thing.  

There's a new public API to verify signatures outside of HTTP fetches, intended to be used for cases like the 
"ostree native container" bits in ostree-rs-ext.  Related, there is now an API and CLI to enable "custom 
remotes".

ostree learned about [OpenPGP Web Key 
Directory](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-08) and there are more 
APIs to access remote GPG keys, in preparation for direct support for updating/rotating keys.

Several CI improvements landed, and minor static analyzer warnings were fixed.

The "deployment staging" model is now explicitly stabilized, and is fairly strongly recommended.  In a future 
libostree release it is likely we will make it even easier to opt in to newer defaults such as staging and 
readonly sysroot.

```
Benjamin Gilbert (3):
      man: improve statoverride description
      workflows: bump lint toolchain
      workflows: limit permissions to reading repo contents

Buddelmann, Richard RB (1):
      repo-pull: legacy_transaction_resuming flag ignored

Colin Walters (10):
      lib: Change read_commit_detached_metadata to be nullable
      ci: Run main GH action CI build+test as non-root
      checkout: Save errno when re-throwing
      checkout: Also ignore xattrs for union in bare-user-only mode
      Add an API to verify a commit signature explicitly
      tests/basic: Skip --no-xattrs if we have selinux
      upgrade: Stabilize deployment staging
      Add support for "custom remotes"
      Release 2021.4
      configure: post-release version bump

Dan Nicholson (13):
      lib/repo: Factor out GPG verifier key imports
      lib/repo: Factor out GPG verifier preparation
      lib/repo: Allow preparing GPG verifier without global keyrings
      lib/repo: Add ostree_repo_remote_get_gpg_keys()
      bin/remote: Add list-gpg-keys subcommand
      libotutil: Import implementation of zbase32 encoding
      libotutil: Add helper for GPG WKD update URLs
      lib/repo: Include WKD update URLs in GPG key listing
      bin/remote: Include update URLs in list-gpg-keys
      fixup! lib/repo: Add ostree_repo_remote_get_gpg_keys()
      fixup! bin/remote: Add list-gpg-keys subcommand
      fixup! lib/repo: Add ostree_repo_remote_get_gpg_keys()
      bin/remote: Rename list-gpg-keys to gpg-list-keys

Jonathan Lebon (3):
      lib/sign-dummy: Handle incorrect signatures correctly
      lib/sysroot: Fix error message about creating `/var/lib`
      ostree/dump: Fix free'ing a static string

Luca BRUNO (15):
      configure: post-release version bump
      builtins/commit: check for conflicting permissions options
      builtins/commit: move commit modifier to auto-cleanup
      lib/core/checksum: add flag to use canonical permissions
      lib/repo/checkout: use canonical perms in bare-user-only mode
      lib/commit: autofix permissions for bare-user-only
      lib/diff: ignore xattrs if disabled on either repos
      lib/diff: automatically skip xattrs in bare-user-only mode
      builtins/commit: set up relevant flags in bare-user-only mode
      lib/commit: automatically skip xattrs in bare-user-only mode
      tests: update several bare-user-only checks
      lib: improve transactions auto-cleanup logic
      libtest: tweak selinux/relabel message
      tests/basic: avoid changing ownership
      tests: skip a broken fsck case

Simon McVittie (1):
      tests: Unset SOURCE_DATE_EPOCH

刘建强 (1):
      fix: Avoid wild pointers
```