[Pkg-utopia-maintainers] Bug#1083090: bookworm-pu: package ostree/2022.7-2+deb12u1
Simon McVittie
smcv at debian.org
Tue Oct 1 13:03:33 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ostree at packages.debian.org
Control: affects -1 + src:ostree src:flatpak libcurl3-gnutls
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Fix a serious regression in flatpak when libcurl3-gnutls is upgraded to
the version from bookworm-backports
[ Impact ]
For users of pure bookworm, no impact.
For users of bookworm-backports' libcurl3-gnutls, flatpak crashes with
an assertion failure when trying to install or upgrade apps/runtimes,
which is fixed by the proposed package.
[ Tests ]
Unfortunately neither the ostree test suite nor the flatpak test suite
reproduces the assertion failure (they use a simple mock http server
and the bad code path appears to require a fully-featured http server,
possibly HTTP/2).
There is a simple manual reproducer, and I've verified that the proposed
package fixes the assertion failure here:
$ podman run --rm -it debian:bookworm-slim
# echo "deb http://deb.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/debian-backports.list
# apt update
# apt install --no-install-recommends flatpak ca-certificates
# apt install libcurl3-gnutls/bookworm-backports
# flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
# flatpak install flathub org.gnome.Recipes
(It is OK and expected that installation of
org.freedesktop.Platform.openh264 fails with "apply_extra script failed",
and other steps log a warning "bwrap: Creating new namespace failed:
Operation not permitted", when installing inside an unprivileged
container: this is a limitation of nested containers and is unrelated
to the regression.)
I have also confirmed that the proposed ostree version can successfully
install a Flatpak app in a Debian 12 GNOME desktop VM with each of
bookworm libcurl3-gnutls or bookworm-backports libcurl3-gnutls.
[ Risks ]
The actual fix seems very low-risk: it's a straightforward backport
of an upstream change that they specifically called out as suitable
for backporting.
The accompanying change to add an assertion failure if curl_multi_assign()
fails could conceivably make a wrong-but-harmless situation into a crash,
but my understanding is that it's something that should never fail for
reasons other than a programming error, and it does seem valuable to
check this.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
d/control, d/gbp.conf:
Administrivia because this is its first stable update in the bookworm cycle
debian/patches/curl-Make-socket-callback-during-cleanup-into-no-op.patch:
This is the actual bug-fix. The original uses C11 <stdbool.h>, but 2022.7
didn't use that, so I adjusted the patch to use GLib's booleans instead
(the only functional difference is that the struct might be slightly
larger).
debian/patches/curl-Assert-that-curl_multi_assign-worked.patch:
While debugging this assertion failure, upstream added an assertion that
improved their ability to locate the problem.
src/libostree/ostree-fetcher-curl.c:
Modified by each of the patches, see above
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ostree_2022.7-2+deb12u1.diff
Type: text/x-diff
Size: 9728 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20241001/f7452d17/attachment.diff>
More information about the Pkg-utopia-maintainers
mailing list