fix: exclude bundled OpenSSL libs from Linux binary#466
Merged
danielmeppiel merged 3 commits intomainfrom Mar 26, 2026
Merged
Conversation
PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in --onedir mode. When apm spawns git, git-remote-https inherits that path and loads the bundled (build-machine) libssl instead of the system one. On distros where system libcurl requires a newer OpenSSL ABI than the build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes symbol lookup errors and git clone failures. Fix: exclude libssl.so.3 and libcrypto.so.3 from a.binaries on Linux. Python's _ssl module still works because it finds system libssl via the standard dynamic linker search path. Validated via Docker: built on Ubuntu 24.04, tested on Fedora 43 -- apm --version, apm --help, git clone over HTTPS all pass. Co-authored-by: Copilot <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a Linux PyInstaller packaging issue where bundling libssl.so.3/libcrypto.so.3 can break HTTPS git operations on distros whose system libcurl requires a newer OpenSSL ABI than the build machine provides.
Changes:
- Filter
a.binarieson Linux to excludelibssl.so.3andlibcrypto.so.3from the onedir bundle. - Add an Unreleased changelog entry documenting the Linux binary OpenSSL exclusion.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| build/apm.spec | Excludes bundled OpenSSL shared libraries from the Linux PyInstaller output to avoid LD_LIBRARY_PATH inheritance causing ABI mismatches in spawned git processes. |
| CHANGELOG.md | Adds an Unreleased entry describing the Linux binary packaging fix. |
- CHANGELOG: use PR number (#466) instead of issue number - apm.spec: soften 'always available' to 'expected on supported targets' Co-authored-by: Copilot <[email protected]>
Merged
7 tasks
danielmeppiel
added a commit
that referenced
this pull request
Apr 24, 2026
apm update inherits the PyInstaller bootloader's LD_LIBRARY_PATH when spawning the platform installer. The shell -- and the curl / tar / sudo calls install.sh makes -- then dlopens libssl.so.3 / libcrypto.so.3 from the bundle's _internal/ directory instead of the system ones. When the bundled libs are ABI-incompatible with what the system libcurl needs, curl aborts with "OPENSSL_3.2.0 not found" on the very first release fetch, blocking the upgrade path for every user on an affected distro (Debian trixie arm64 dev-containers, Fedora 43, and similar). Centralise PyInstaller env sanitisation in a new helper, apm_cli.utils.subprocess_env.external_process_env, which restores LD_LIBRARY_PATH / DYLD_LIBRARY_PATH / DYLD_FRAMEWORK_PATH from the <NAME>_ORIG snapshots that PyInstaller's bootloader saves at launch, or drops them entirely when no snapshot exists. The _ORIG keys are stripped from the returned env so PyInstaller internals do not leak to the child. Outside a frozen build and on Windows the helper is a no-op. apm update now calls subprocess.run with env=external_process_env() so the installer runs against the user's pre-launch environment. Restoring from _ORIG rather than blindly popping preserves legitimate user exports (CUDA, Nix, custom toolchains). Complements #466's build-side exclude: that fix stopped new binaries from shipping the offending libs; this fix stops them from being inherited by spawned children even when they are present in older binaries or in any future bundle that re-introduces a similar dependency. Closes #894 Co-authored-by: Daniel Meppiel <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Fixes #462
PyInstaller bundles
libssl.so.3andlibcrypto.so.3from the build machine (Ubuntu 24.04) into the frozen binary. In--onedirmode, the bootloader setsLD_LIBRARY_PATHto the binary directory. Whenapmspawnsgit,git-remote-httpsinherits that path and loads the bundled (older)libsslinstead of the system one.On distros where system
libcurlrequires a newer OpenSSL ABI than the build machine provides (e.g. Fedora 43 withOPENSSL_3.2.0), this causes:Fix
Exclude
libssl.so.3andlibcrypto.so.3froma.binarieson Linux builds only. Python's_sslmodule finds systemlibsslvia standardldsearch paths -- no impact.3-line change in
build/apm.spec.Validation
Docker proof (Ubuntu build -> Fedora 43 test)
Built binary on Ubuntu 24.04, tested on Fedora 43 in Docker:
apm --versionapm --help(full module load incl. SSL)git cloneover HTTPSlibsslin binary dirArchitect review
PyInstaller Expert validated all 6 review points:
sys.platformat build time)_sslmodule continues to work (falls through to system libssl)nameis first element)libssl.so.3-- exclusion fires correctlyUnit tests
3078 tests passed, no regressions.
Platform impact
libssl.so.3andlibcrypto.so.3excluded from binaryLD_LIBRARY_PATHleak)