Package: flatpak
Version: 1.2.5-0+deb10u2
Severity: important
Dear Maintainer,
With flatpak 1.2.5-0+deb10u2, LD_LIBRARY_PATH is not set when invoked
over flatpak-builder. This became apparent when I was reviewing [1],
where a contributor intends to add the Jansson library to be shipped
alongside GNU Emacs in the /app/lib directory. Usually the build
environment provided by flatpak-builder would have this directory
referred to by LD_LIBRARY_PATH. With this latest security update, the
environment variable is entirely absent.
If I test with the older release, flatpak=1.2.5-0+deb10u1, running
flatpak-builder like this:
flatpak-builder --force-clean --build-shell=emacs ./build2
org.gnu.emacs.json
I get into a shell with LD_LIBRARY_PATH set to
/app/lib:/usr/lib/x86_64-linux-gnu/GL/default/lib:/usr/lib/x86_64-linux-gnu/openh264/extra
With this software version, building the flatpak under review will
succeed if I simply omit the --build-shell option.
I am not thoroughly familiar with the Flathub ecosystem, but I would
suspect that there are other flatpaks which can not be built on
systems that have 1.2.5-0+deb10u2 installed. I would still expect that
flatpak 1.2.5-0+deb10u2 can run the same flatpaks when consumed
prebuilt from e.g. flathub. The mechanism for linker paths is not
based on LD_LIBRARY_PATH when flatpak is simply run, as opposed to
building.
[1] https://github.com/flathub/org.gnu.emacs/pull/36
-- System Information:
Debian Release: 10.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-13-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8),
LANGUAGE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages flatpak depends on:
ii bubblewrap 0.3.1-4
ii libappstream-glib8 0.7.14-1+deb10u1
ii libarchive13 3.3.3-4+deb10u1
ii libc6 2.28-10
ii libdconf1 0.30.1-2
ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1
ii libglib2.0-0 2.58.3-2+deb10u2
ii libgpgme11 1.12.0-6
ii libjson-glib-1.0-0 1.4.4-2
ii libostree-1-1 2019.1-1
ii libpolkit-agent-1-0 0.105-25
ii libpolkit-gobject-1-0 0.105-25
ii libseccomp2 2.3.3-4
ii libsoup2.4-1 2.64.2-2
ii libsystemd0 241-7~deb10u5
ii libxau6 1:1.0.8-1+b2
ii libxml2 2.9.4+dfsg1-7+deb10u1
ii xdg-dbus-proxy 0.1.1-1
ii xdg-desktop-portal 1.2.0-1
Versions of packages flatpak recommends:
ii desktop-file-utils 0.23-4
ii gtk-update-icon-cache 3.24.5-1
ii hicolor-icon-theme 0.17-2
ii libpam-systemd 241-7~deb10u5
ii p11-kit 0.23.15-2+deb10u1
ii policykit-1 0.105-25
ii shared-mime-info 1.10-1
ii xdg-desktop-portal-gtk [xdg-desktop-portal-backend] 1.2.0-1
Versions of packages flatpak suggests:
ii avahi-daemon 0.7-4+b1
-- no debconf information
