[Pkg-utopia-maintainers] Bug#980323: flatpak: LD_LIBRARY_PATH is not set under flatpak-builder

Joonas Sarajärvi joonas.sarajarvi at iki.fi
Sun Jan 17 19:20:38 GMT 2021 

Package: flatpak
Version: 1.2.5-0+deb10u2
Severity: important

Dear Maintainer,

With flatpak 1.2.5-0+deb10u2, LD_LIBRARY_PATH is not set when invoked
over flatpak-builder. This became apparent when I was reviewing [1],
where a contributor intends to add the Jansson library to be shipped
alongside GNU Emacs in the /app/lib directory. Usually the build
environment provided by flatpak-builder would have this directory
referred to by LD_LIBRARY_PATH. With this latest security update, the
environment variable is entirely absent.

If I test with the older release, flatpak=1.2.5-0+deb10u1, running
flatpak-builder like this:

    flatpak-builder --force-clean --build-shell=emacs ./build2 org.gnu.emacs.json

I get into a shell with LD_LIBRARY_PATH set to

    /app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra

With this software version, building the flatpak under review will
succeed if I simply omit the --build-shell option.

I am not thoroughly familiar with the Flathub ecosystem, but I would
suspect that there are other flatpaks which can not be built on
systems that have 1.2.5-0+deb10u2 installed. I would still expect that
flatpak 1.2.5-0+deb10u2 can run the same flatpaks when consumed
prebuilt from e.g. flathub. The mechanism for linker paths is not
based on LD_LIBRARY_PATH when flatpak is simply run, as opposed to
building.

[1] https://github.com/flathub/org.gnu.emacs/pull/36


-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-13-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages flatpak depends on:
ii  bubblewrap             0.3.1-4
ii  libappstream-glib8     0.7.14-1+deb10u1
ii  libarchive13           3.3.3-4+deb10u1
ii  libc6                  2.28-10
ii  libdconf1              0.30.1-2
ii  libgdk-pixbuf2.0-0     2.38.1+dfsg-1
ii  libglib2.0-0           2.58.3-2+deb10u2
ii  libgpgme11             1.12.0-6
ii  libjson-glib-1.0-0     1.4.4-2
ii  libostree-1-1          2019.1-1
ii  libpolkit-agent-1-0    0.105-25
ii  libpolkit-gobject-1-0  0.105-25
ii  libseccomp2            2.3.3-4
ii  libsoup2.4-1           2.64.2-2
ii  libsystemd0            241-7~deb10u5
ii  libxau6                1:1.0.8-1+b2
ii  libxml2                2.9.4+dfsg1-7+deb10u1
ii  xdg-dbus-proxy         0.1.1-1
ii  xdg-desktop-portal     1.2.0-1

Versions of packages flatpak recommends:
ii  desktop-file-utils                                   0.23-4
ii  gtk-update-icon-cache                                3.24.5-1
ii  hicolor-icon-theme                                   0.17-2
ii  libpam-systemd                                       241-7~deb10u5
ii  p11-kit                                              0.23.15-2+deb10u1
ii  policykit-1                                          0.105-25
ii  shared-mime-info                                     1.10-1
ii  xdg-desktop-portal-gtk [xdg-desktop-portal-backend]  1.2.0-1

Versions of packages flatpak suggests:
ii  avahi-daemon  0.7-4+b1

-- no debconf information

More information about the Pkg-utopia-maintainers mailing list