-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AppStream validator gives wrong results and can't be disabled #272
Comments
It seems the system version of |
That the AppStream spec keeps changing has indeed been a constant source of annoyance. Now that it has reached 1.0 state we should probably mandate version 1.0.x of appstreamcli tool, and bundle that one inside the AppImage. |
I've built more than 60 AppImages in my repositories and now I switched all my workflows to this new fantastic version of I had the AppStream error only in five (5) of them, but I've solved by removing the content of /usr/share/metainfo |
Well, entirely removing the AppStream metainfo is what I'd like to avoid, but I have to admit that it's been hard to support due to its ever-changing nature. I hope that we can eventually switch to 1.0 and then leave it alone. According to its developer @ximion
So ideally there would be a test tool that could verify that an AppStream file is 1.0 compatible, while just ignoring any tags that might be introduced after 1.0. So that we could settle with 1.0 and get no warnings or errors once future AppStream versions allow additional tags. Thinking about it, maybe it'd be easiest to write such a validator myself in Go. |
AppStream is backwards-compatible, but has never been (and will not be) forward-compatible. Here, the version of appstreamcli is simply too old to validate metadata that was written for a newer spec version. |
@probonopd this is a module i use in my package managers "AM" and AppMan, I've named this option " https://github.com/ivan-hc/AM/blob/main/modules/nolibfuse.am it is using your new version of and this is a video that shows how it works AM-6.1-convert-from-type2-to-type3-AppImages.mp4in brief, it converts the installed Type2 AppImages to Type3. The thing that amazed me is that Appimages updatable using zsync can be updated without loosing their new Type3 status, also the big ones can be smaller (about 20-30 MB less). But as I've said, there are some cases where to do this conversion is necessary to remove the content of /usr/share/metainfo (where is available), but in my 60+ Appimages only 5 had to use this workaround, and all of them where built from an old Debian repository on a third parti repo for .deb packages (for example Debian Multimedia). This kind of apps are patched from the mantainer of these .deb packages, so they are not the "original ones" from the upstream... on the contrary, my "Archimages" are all originally built from the upstream and packaged for Arch Linux, so no dirty workaround like this is needed to create the AppImages. Don't worry, my goal here is to promote the use of the new Type3 standard, to prevent these patches I did. |
@ivan-hc, Type 3, where did you get that from? There is no Type 3 yet. |
@ximion, thanks for your explanation. In the AppImage project, we aim to provide a stable format that can be trusted to also work in the future. Let's say, 10 years down the road I would like to run an AppImage from today, just like I can run an AppImage from 2014 today. What I mean is: I am looking for a tool that checks that the (essential) tags of (let's say) AppStream MetaInfo 1.0 are there and are valid.
Quickly wrote a small validator at https://github.com/probonopd/appstreamlint/; I think I wouldn't need much more than that? |
I talked to a mutual friend of ours, while I was building an unofficial AppImage for his application (Bottles), and he asked me if my AppImages were Type2 or Type3... then he explained to me about the situation regarding the security holes in So you're telling me I'm wrong? Like the GNOME users who, by dint of calling GNOME4 "GNOME 40" gave it this name? lol 😆 However, regarding my workaround, I am very aware that it is a "dirty trick". In fact my goal is to maintain Appstream datas in the AppImage, convincing developers to move their works to what "only I am calling" (at this point) Type3... or Type2.99, whatever you prefer. lol 🤣 |
Currently we are simply calling it the "static runtime". But maybe there will be one day a type 3 (or version 3 of the spec) that will require the runtime to be static (= not require libfuse). |
@probonopd As far as I'm concerned, this work of yours is excellent as it is. And this is in spite of those who still throw mud at AppImages with the history of obsolete FUSE libraries. If I were you, I would see it as a huge payback. Excellent! |
I remember that the previous |
From my experience, allowing a "just ignore warnings/validation" flag is a recipe for disaster, unless it can be limited to builds or actions that are guaranteed to never leave the development environment and slip into production. |
it is this
for personal use |
Even if the AppStream validator were updated, I would vote to add the
The validator checks whether the urls are valid by making network requests. So when This is before we even get to the issue of offline building, or whether go-appimage should silently be making network requests in a way that cannot be disabled. |
Passing |
Since which version is |
Pretty much forever, since |
Discovered this yesterday The version of This issue wasn't obvious, as newer versions of |
This seems like a pretty bad issue because: What I will do for our software (Overte) is to build AppImageKit or go-appimage from source, with the check disabled. |
This issue has been open for 8 months, with the true fix (updating the validator) indefinitely stalled (PR). The commenter above has even forked the project just to disable the validator, while Inkscape is using a grotesque hack to get around it. Surely an |
Hey I took a look at the Inkscape appimage script If the grotesque hack is using appimagekit for the second step, a better solution would be this appimagetool instead since it uses zstd comp and the static runtime by default, aka you would get the same appimage as if go-appimage had made the second step. And it has the |
The real fix is to get a static version of the AppStream validator to build: |
It's entirely unclear to me why that would fail with 1.0 but not with previous versions, as nothing has changed in AppStream with regards to how it is compiled or its dependencies. If you can use dynamic libraries with linker path changes / rpath, that would solve the issue too though. Or use the executable from the host. |
The executable from the host is not under our control and may be any random version. Statically building fails since there is now a libxml dependency that was not there back then when the static build succeeded. Or maybe I am just doing it wrong. |
AppStream has always depended on libxml2, since its very first version from 2012. |
Running
appstreamcli validate
on this fileorg.inkscape.Inkscape.appdata.xml
says that it is valid:
But when packaging it using
appimagetool-817-x86_64.AppImage
, it complains about errors:In particular, it says
<developer/>
is an unknown tag, then provides a link to a page explicitly documenting it.Is the bundled
appstreamcli
out of date, or is it genuinely supposed to be checking something different?If not, then there should at least be a way to disable this validation check, since it's currently hard-coded to true.
The text was updated successfully, but these errors were encountered: