fix(decky): scrub PyInstaller LD_LIBRARY_PATH before spawning system flatpak
apple / swift (push) Successful in 53s
android / android (push) Has been cancelled
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
decky / build-publish (push) Has been cancelled
ci / rust (push) Has been cancelled
ci / web (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
deb / build-publish (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled

Decky Loader is a PyInstaller binary; it puts its bundled (older) libssl/libcrypto
on LD_LIBRARY_PATH via its /tmp/_MEI* unpack dir, and that env leaked into the
backend's `flatpak run`/`flatpak kill` subprocess. The SYSTEM flatpak's libcurl
+ libostree need newer OPENSSL symbols (3.2/3.3/3.4), so pairing failed with
"libssl.so.3: version OPENSSL_3.3.0 not found". _flatpak_env() now restores
each LD_*_ORIG PyInstaller saved, or drops the var, so the system loader uses
system libs. Reproduced + verified on the Deck (SteamOS 3.8.10, Flatpak 1.16.6).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-18 23:03:39 +00:00
parent b9e50faa40
commit f4cff765ed
+11
View File
@@ -64,6 +64,17 @@ def _flatpak_env() -> dict:
pairing). Reconstruct the user-session bits flatpak wants; the backend may not inherit pairing). Reconstruct the user-session bits flatpak wants; the backend may not inherit
them. Harmless if some are already set.""" them. Harmless if some are already set."""
env = dict(os.environ) env = dict(os.environ)
# Decky Loader is a PyInstaller binary: it prepends its bundled libs (an older libssl) to
# LD_LIBRARY_PATH (its /tmp/_MEI* unpack dir), and that env leaks into our subprocess. The
# SYSTEM flatpak's libcurl needs OPENSSL_3.3.0 from the SYSTEM libssl, so the bundled libssl
# breaks it ("libssl.so.3: version OPENSSL_3.3.0 not found"). Restore the pre-bundle value
# PyInstaller saved as <VAR>_ORIG, or drop the var so the dynamic loader uses system libraries.
for var in ("LD_LIBRARY_PATH", "LD_PRELOAD"):
orig = env.pop(f"{var}_ORIG", None)
if orig:
env[var] = orig
else:
env.pop(var, None)
env.setdefault("HOME", decky.DECKY_USER_HOME) env.setdefault("HOME", decky.DECKY_USER_HOME)
uid = os.environ.get("PF_UID") or "1000" uid = os.environ.get("PF_UID") or "1000"
env.setdefault("XDG_RUNTIME_DIR", f"/run/user/{uid}") env.setdefault("XDG_RUNTIME_DIR", f"/run/user/{uid}")