diff options
| author | Matthew Leeds <matthew.leeds@endlessm.com> | 2020-06-29 16:32:04 -0700 |
|---|---|---|
| committer | Matthew Leeds <matthew.leeds@endlessm.com> | 2020-06-29 16:54:34 -0700 |
| commit | 1a15d695f34ff7a8401aa1a65ba0834137e76407 (patch) | |
| tree | 132b165d7f41ec5e12176377be1df8876dca9eb0 | |
| parent | c3d0a15e3c1ce36af5860aeaba767dee847294b7 (diff) | |
| download | flatpak-fix-wrong-ext-refspecs.tar.gz | |
dir: Fix wrong extension refspecsfix-wrong-ext-refspecs
Currently Flatpak only supports extensions which come from the same
remote as the thing being extended; for discussion on this see
https://github.com/flatpak/flatpak/issues/861
However in general it isn't clear from the metadata what remote provides
an extension. For example com.endlessm.apps.Platform//5 defines the
extension org.freedesktop.Platform.VAAPI.Intel (inherited from
org.freedesktop.Platform) which can be found on flathub not eos-sdk. So
we don't want to add an extension refspec to the transaction if the
current remote is not the one that actually provides it. In
flatpak_dir_find_remote_related_for_metadata() this invariant is
maintained because we check if the ref exists in the remote before
adding it with add_related(). However in
flatpak_dir_find_local_related_for_metadata() we check for existing
deploy data but omit checking that the deploy origin matches the origin
passed in, and in that case can accidentally add an incorrect refspec to
a transaction. So this commit adds the missing origin check.
One way to reproduce this issue is with this command, having both the
Endless platform and the VAAPI extension already installed:
$ flatpak update --no-pull com.endlessm.apps.Platform//5
Looking for updates…
error: Refspec 'eos-sdk:runtime/org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6' not found
This issue also affects GNOME Software which does a no-deploy
transaction followed by a no-pull transaction (this issue occurs in the
latter) and is treated as fatal causing updates not to be applied.
However it only happens in some niche circumstances, because
flatpak_transaction_add_op() will only use the first remote passed to it
if called more than once for the same ref from different remotes. This
is normally fine; refs generally only come from one remote. But it does
mean this issue only occurs if the extension in question was not already
added to the transaction with a correct origin.
| -rw-r--r-- | common/flatpak-dir.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c index 545d3346..c202b98e 100644 --- a/common/flatpak-dir.c +++ b/common/flatpak-dir.c @@ -13780,7 +13780,8 @@ flatpak_dir_find_local_related_for_metadata (FlatpakDir *self, } else if ((deploy_data = flatpak_dir_get_deploy_data (self, extension_ref, FLATPAK_DEPLOY_VERSION_ANY, - NULL, NULL)) != NULL) + NULL, NULL)) != NULL && + g_strcmp0 (flatpak_deploy_data_get_origin (deploy_data), remote_name) == 0) { /* Here we're including extensions that are deployed but might * not have a ref in the repo, as happens with remote-delete @@ -13812,7 +13813,8 @@ flatpak_dir_find_local_related_for_metadata (FlatpakDir *self, } else if ((match_deploy_data = flatpak_dir_get_deploy_data (self, match, FLATPAK_DEPLOY_VERSION_ANY, - NULL, NULL)) != NULL) + NULL, NULL)) != NULL && + g_strcmp0 (flatpak_deploy_data_get_origin (match_deploy_data), remote_name) == 0) { /* Here again we're including extensions that are deployed but might * not have a ref in the repo |