Describe the bug
PyInstaller bootloader sets LD_LIBRARY_PATH=/usr/lib/apm/_internal so the bundled Python can find libpython3.12.so. This leaks into every subprocess.run() call, including materialize_from_bare() in bare_cache.py. Bundled shared libs (libreadline.so.8, libz.so.1, libsqlite3.so.0, etc.) shadow system libraries, breaking /bin/sh:
/bin/sh: symbol lookup error: /bin/sh: undefined symbol: rl_print_keybinding
fatal: Could not read from remote repository.
This causes git clone --local --shared --no-checkout to exit 128 in the shared clone cache path. The resulting user-facing error is:
Failed to prepare dependency from cached clone: Command git clone --local --shared --no-checkout ... returned non-zero exit status 128.
To Reproduce
Install APM v0.16.0 binary on an Arch Linux system
Create an apm.yml with 2+ virtual subdirectory deps from the same repo:
apm install
Confirm the root cause manually:
Expected behavior
Virtual subdirectory dependencies from the same repo install successfully on first run.
Environment
Root Cause
Two gaps in the LD_LIBRARY_PATH sanitization:
git_subprocess_env() in git_env.py copies os.environ but does not strip LD_LIBRARY_PATH. This sanitizer exists precisely to clean ambient variables from git subprocess environments — LD_LIBRARY_PATH leaking is a sanitization failure.
build/apm.spec excludes only libssl.so.3/libcrypto.so.3 from the bundle (fix for [BUG] Fedora: brew apm fails on Git clone due to bundled OpenSSL mismatch #462). Other bundled shared libs (libreadline.so.8, libz.so.1, liblzma.so.5, libsqlite3.so.0, libffi.so.8, libbz2.so.1.0, libuuid.so.1, libtinfo.so.6) also leak into child processes.
Additional context
Same class of bug as #462 (OpenSSL LD_LIBRARY_PATH leak), but broader — affects any non-Python shared library bundled by PyInstaller that differs from the system version.
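One way to close the first gap described in the report, as an added example that is not APM's code or the reporter's: a hypothetical helper, `child_env`, that builds the environment for system binaries such as git. It relies on PyInstaller's documented behaviour of saving the pre-launch value in `LD_LIBRARY_PATH_ORIG` and exposing the bundle directory as `sys._MEIPASS`.

```python
import os
import sys

LIB_VAR = "LD_LIBRARY_PATH"        # search path honoured by the Linux loader
ORIG_VAR = "LD_LIBRARY_PATH_ORIG"  # copy saved by the PyInstaller bootloader


def _inside(path, root):
    """True if path is root or lies below it (symlinks resolved)."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def child_env(environ=None, bundle_dir=None):
    """Return a copy of environ that is safe to pass to system binaries.

    Hypothetical helper. bundle_dir defaults to sys._MEIPASS; when the
    process is not a PyInstaller bundle the environment is returned as is.
    """
    env = dict(os.environ if environ is None else environ)
    if bundle_dir is None:
        bundle_dir = getattr(sys, "_MEIPASS", None)
    if bundle_dir is None:
        return env  # not frozen: nothing was injected

    root = os.path.realpath(bundle_dir)
    # Prefer the user's pre-launch value; fall back to the current one.
    saved = env.pop(ORIG_VAR, None)
    candidate = saved if saved is not None else env.get(LIB_VAR, "")

    # Drop entries pointing into the bundle, and empty entries, which the
    # loader would treat as the current working directory.
    kept = [p for p in candidate.split(os.pathsep)
            if p and not _inside(p, root)]

    if kept:
        env[LIB_VAR] = os.pathsep.join(kept)
    else:
        env.pop(LIB_VAR, None)  # unset, so only system defaults are searched
    return env
```

Pass the result as `env=` to `subprocess.run()`; the parent process keeps its own `LD_LIBRARY_PATH`, so the bundled interpreter still finds its libraries.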