
fix: exclude bundled OpenSSL libs from Linux binary #466

Merged
danielmeppiel merged 3 commits into main from fix/exclude-bundled-openssl-linux
Mar 26, 2026

@danielmeppiel
Collaborator

Problem

Fixes #462

PyInstaller bundles libssl.so.3 and libcrypto.so.3 from the build machine (Ubuntu 24.04) into the frozen binary. In --onedir mode, the bootloader sets LD_LIBRARY_PATH to the binary directory. When apm spawns git, git-remote-https inherits that path and loads the bundled (older) libssl instead of the system one.

On distros where system libcurl requires a newer OpenSSL ABI than the build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes:

/usr/lib64/libcurl.so.4: undefined symbol: SSL_CTX_set_options, version OPENSSL_3.2.0

Fix

Exclude libssl.so.3 and libcrypto.so.3 from a.binaries on Linux builds only. Python's _ssl module finds system libssl via standard ld search paths -- no impact.

3-line change in build/apm.spec.

Validation

Docker proof (Ubuntu build -> Fedora 43 test)

Built binary on Ubuntu 24.04, tested on Fedora 43 in Docker:

| Test | Result |
| --- | --- |
| apm --version | PASS |
| apm --help (full module load incl. SSL) | PASS |
| git clone over HTTPS | PASS |
| No libssl in binary dir | PASS |
| System OpenSSL available | PASS |

Architect review

PyInstaller Expert validated all 6 review points:

  • Cross-platform safety (Linux-only guard, sys.platform at build time)
  • Python _ssl module continues to work (falls through to system libssl)
  • certifi/CA certs unaffected (orthogonal concern)
  • Correct binary tuple format (name is first element)
  • Exact soname match is safer than prefix match
  • Ubuntu 24.04 (CI runner) uses libssl.so.3 -- exclusion fires correctly

Unit tests

3078 tests passed, no regressions.

Platform impact

  • Linux: libssl.so.3 and libcrypto.so.3 excluded from binary
  • macOS: No change (dylib rpaths, no LD_LIBRARY_PATH leak)
  • Windows: No change (SxS DLL loading)

PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in
--onedir mode. When apm spawns git, git-remote-https inherits that path
and loads the bundled (build-machine) libssl instead of the system one.
On distros where system libcurl requires a newer OpenSSL ABI than the
build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes
symbol lookup errors and git clone failures.

Fix: exclude libssl.so.3 and libcrypto.so.3 from a.binaries on Linux.
Python's _ssl module still works because it finds system libssl via the
standard dynamic linker search path.

Validated via Docker: built on Ubuntu 24.04, tested on Fedora 43 --
apm --version, apm --help, git clone over HTTPS all pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 26, 2026 15:54
Contributor

Copilot AI left a comment

Pull request overview

Fixes a Linux PyInstaller packaging issue where bundling libssl.so.3/libcrypto.so.3 can break HTTPS git operations on distros whose system libcurl requires a newer OpenSSL ABI than the build machine provides.

Changes:

  • Filter a.binaries on Linux to exclude libssl.so.3 and libcrypto.so.3 from the onedir bundle.
  • Add an Unreleased changelog entry documenting the Linux binary OpenSSL exclusion.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| build/apm.spec | Excludes bundled OpenSSL shared libraries from the Linux PyInstaller output to avoid LD_LIBRARY_PATH inheritance causing ABI mismatches in spawned git processes. |
| CHANGELOG.md | Adds an Unreleased entry describing the Linux binary packaging fix. |

danielmeppiel and others added 2 commits March 26, 2026 17:09
- CHANGELOG: use PR number (#466) instead of issue number
- apm.spec: soften 'always available' to 'expected on supported targets'

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel danielmeppiel merged commit b2b3712 into main Mar 26, 2026
4 checks passed
@danielmeppiel danielmeppiel deleted the fix/exclude-bundled-openssl-linux branch March 26, 2026 16:48
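
The exclusion discussed in this pull request, as an added example (not the code merged in build/apm.spec): a Linux-only, exact-soname filter over a PyInstaller-style binaries list, the prefix match it is contrasted with in the review points, and a post-build check matching the "No libssl in binary dir" test. The function names, matching on the basename of the destination name, and the sample entries are assumptions made for illustration.

```python
import os
import sys

# Exact sonames named in the PR description; nothing else is filtered.
EXCLUDED_SONAMES = frozenset({"libssl.so.3", "libcrypto.so.3"})


def filter_binaries(binaries, platform=sys.platform):
    """Drop bundled OpenSSL from a PyInstaller-style TOC on Linux only.

    Each entry is a tuple whose first element is the destination name:
    (dest_name, source_path, typecode).
    """
    if not platform.startswith("linux"):
        return list(binaries)
    return [e for e in binaries
            if os.path.basename(e[0]) not in EXCLUDED_SONAMES]


def prefix_filter(binaries):
    """Looser prefix match, shown only to contrast with the exact match."""
    return [e for e in binaries
            if not os.path.basename(e[0]).startswith(("libssl", "libcrypto"))]


def leaked_openssl(dist_dir):
    """Post-build check: excluded sonames still present under dist_dir."""
    hits = []
    for root, _dirs, files in os.walk(dist_dir):
        hits += [os.path.relpath(os.path.join(root, f), dist_dir)
                 for f in files if f in EXCLUDED_SONAMES]
    return sorted(hits)


# Constructed sample TOC; paths are illustrative, not from the real build.
LIBDIR = "/usr/lib/x86_64-linux-gnu"
SAMPLE_BINARIES = [
    ("libssl.so.3", LIBDIR + "/libssl.so.3", "BINARY"),
    ("libcrypto.so.3", LIBDIR + "/libcrypto.so.3", "BINARY"),
    ("libssl3.so", LIBDIR + "/libssl3.so", "BINARY"),  # NSS, not OpenSSL
    ("lib-dynload/_ssl.so", "/usr/lib/python3/lib-dynload/_ssl.so", "EXTENSION"),
    ("libz.so.1", LIBDIR + "/libz.so.1", "BINARY"),
]

if __name__ == "__main__":
    print([e[0] for e in filter_binaries(SAMPLE_BINARIES, "linux")])
    print([e[0] for e in prefix_filter(SAMPLE_BINARIES)])
```

The exact match keeps the NSS library libssl3.so, which the prefix match would also drop; running leaked_openssl over the built directory in CI catches a regression where the libraries reappear.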

Development

Successfully merging this pull request may close these issues.

[BUG] Fedora: brew apm fails on Git clone due to bundled OpenSSL mismatch
