On my ongoing deep-dive into the world of rpm, I discovered that we have a bit of an issue in that we rely on a version of dugite that contains a number of invalid RPATHs.
Whilst electron-builder and fpm don't appear to care about this at all, this is actually an issue that is treated rather seriously by Fedora and OpenSUSE:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_beware_of_rpath
https://fedoraproject.org/wiki/Changes/Broken_RPATH_will_fail_rpmbuild
https://en.opensuse.org/openSUSE:Packaging_checks#Beware_of_Rpath
In fact, attempting to build an rpm at all with official Fedora packaging tools (rpmbuild) will check for any RPATH and cancel it.
Our culprit causing this problem is dugite which is used in our github package as well as whats-my-line to provide JS bindings for Git. In particular the issue is with v2.x.x (I tested both the 2.5.2 version we currently use and the latest v2 release 2.7.1). The problem is with these 4 files:
ERROR 0002: file '/opt/Pulsar/resources/app.asar.unpacked/node_modules/dugite/git/libexec/git-core/git-http-fetch' contains an invalid runpath '/tmp/build/curl/lib' in [/tmp/build/curl/lib]
ERROR 0002: file '/opt/Pulsar/resources/app.asar.unpacked/node_modules/dugite/git/libexec/git-core/git-http-push' contains an invalid runpath '/tmp/build/curl/lib' in [/tmp/build/curl/lib]
ERROR 0002: file '/opt/Pulsar/resources/app.asar.unpacked/node_modules/dugite/git/libexec/git-core/git-imap-send' contains an invalid runpath '/tmp/build/curl/lib' in [/tmp/build/curl/lib]
ERROR 0002: file '/opt/Pulsar/resources/app.asar.unpacked/node_modules/dugite/git/libexec/git-core/git-remote-http' contains an invalid runpath '/tmp/build/curl/lib' in [/tmp/build/curl/lib]
These are ERROR 0002s which are described by rpmbuild as a security risk:
0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute nor relative filenames and can therefore be a SECURITY risk
If we build dugite (literally just clone the repo at the tag you want, yarn install && yarn build) we can use readelf to look at them (just using git-http-fetch as one example):
v2.5.2 - v2.7.1 (see the last line with RUNPATH):
> readelf -d git/libexec/git-core/git-http-fetch
Dynamic section at offset 0x1fc680 contains 32 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libcurl.so.4]
0x0000000000000001 (NEEDED) Shared library: [libz.so.1]
0x0000000000000001 (NEEDED) Shared library: [librt.so.1]
0x0000000000000001 (NEEDED) Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000001d (RUNPATH) Library runpath: [/tmp/build/curl/lib]
v3.0.0 - v3.2.1:
> readelf -d git/libexec/git-core/git-http-fetch
Dynamic section at offset 0x22e660 contains 29 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libcurl-gnutls.so.4]
0x0000000000000001 (NEEDED) Shared library: [libz.so.1]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
So it does appear that the solution is that we need to bump github and whats-my-line to use dugite v3.0.0 or greater to remove these invalid RPATHs. Unfortunately that does come with a bunch of breaking changes - https://github.com/desktop/dugite/releases/tag/v3.0.0
Pulsar version
1.132.1
Which OS does this happen on?
🐧 Red Hat based (Fedora, Alma, RockyLinux, CentOS Stream, etc.)
OS details
Fedora 43
Which CPU architecture are you running this on?
x86_64/AMD64
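An added example, not part of the original report and not rpmbuild's own check: a small Python audit that parses `readelf -d` output like the listings above and labels each RPATH/RUNPATH element, so a leftover build directory such as /tmp/build/curl/lib is caught before packaging. The `WORLD_WRITABLE` list, the label names and the `CONSTRUCTED` line are assumptions made for the illustration.

```python
import posixpath
import re

# `readelf -d` lines for git-http-fetch, taken from the two listings in the issue.
V2_OUTPUT = """\
 0x0000000000000001 (NEEDED)  Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH) Library runpath: [/tmp/build/curl/lib]
"""
V3_OUTPUT = """\
 0x0000000000000001 (NEEDED)  Shared library: [libcurl-gnutls.so.4]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
"""
# Constructed line (not from the issue) covering the other cases.
CONSTRUCTED = " 0x000000000000000f (RPATH) Library rpath: [$ORIGIN/../lib:build/lib:/opt/app/lib]\n"

ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")
# Assumption: locations where any local user can normally create directories.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")


def classify(element):
    """Label one search-path element; an added heuristic, not rpmbuild's rules."""
    if element == "":
        return "empty"
    if element.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin-relative"
    if not element.startswith("/"):
        return "relative"
    norm = posixpath.normpath(element)
    if any(norm == d or norm.startswith(d + "/") for d in WORLD_WRITABLE):
        return "world-writable"
    return "absolute"


def audit(readelf_output):
    """Return (tag, element, label) for every RPATH/RUNPATH element found."""
    findings = []
    for tag, value in ENTRY.findall(readelf_output):
        for element in value.split(":"):
            findings.append((tag, element, classify(element)))
    return findings


def needs_fix(readelf_output):
    """True if any element is something other than absolute or $ORIGIN-based."""
    safe = {"absolute", "origin-relative"}
    return any(label not in safe for _, _, label in audit(readelf_output))


if __name__ == "__main__":
    for name, text in (("v2", V2_OUTPUT), ("v3", V3_OUTPUT)):
        print(name, audit(text), "needs fix:", needs_fix(text))
```

The v2 listing is flagged because the dynamic loader consults RUNPATH directories when resolving the NEEDED libraries, and a path under /tmp is not controlled by the package.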