mirror of
https://github.com/flatpak/flatpak.git
synced 2026-01-29 18:11:22 -05:00
2558b086d7
Currently Flatpak only supports extensions which come from the same remote as the thing being extended; for discussion on this see https://github.com/flatpak/flatpak/issues/861 However in general it isn't clear from the metadata what remote provides an extension. For example com.endlessm.apps.Platform//5 defines the extension org.freedesktop.Platform.VAAPI.Intel (inherited from org.freedesktop.Platform) which can be found on flathub not eos-sdk. So we don't want to add an extension refspec to the transaction if the current remote is not the one that actually provides it. In flatpak_dir_find_remote_related_for_metadata() this invariant is maintained because we check if the ref exists in the remote before adding it with add_related(). However in flatpak_dir_find_local_related_for_metadata() we check for existing deploy data but omit checking that the deploy origin matches the origin passed in, and in that case can accidentally add an incorrect refspec to a transaction. So this commit adds the missing origin check. One way to reproduce this issue is with this command, having both the Endless platform and the VAAPI extension already installed: $ flatpak update --no-pull com.endlessm.apps.Platform//5 Looking for updates… error: Refspec 'eos-sdk:runtime/org.freedesktop.Platform.VAAPI.Intel/x86_64/1.6' not found This issue also affects GNOME Software which does a no-deploy transaction followed by a no-pull transaction (this issue occurs in the latter) and is treated as fatal causing updates not to be applied. However it only happens in some niche circumstances, because flatpak_transaction_add_op() will only use the first remote passed to it if called more than once for the same ref from different remotes. This is normally fine; refs generally only come from one remote. But it does mean this issue only occurs if the extension in question was not already added to the transaction with a correct origin.