Flatpak uses a limited form of ostree repos called "bare-user-only". In this for certain things are not allowed. For instance all files are assumed to be owned by uid and gid 0, and certain permissions like world-writable dirs are forbiddent. This is both for security reasons (we want no such bad permissions), but also because we need to represent the objects on disk as written by a non-root user (during pulls, etc).

If i install the fedora platform and run flatpak repair then it reports a bunch of invalid object, as reported by https://github.com/flatpak/flatpak/issues/2470.

I did some research on this:

# Install fedora stuff:
flatpak remote-add --user fedora oci+https://registry.fedoraproject.org
flatpak --user install fedora org.fedoraproject.MediaWriter
# Get a list of broken object ids, note that they are all in the platform
flatpak repair --dry-run --user > a 2>&1
# Get all files in the platform with object ids
ostree --repo=/home/alex/.local/share/flatpak/repo ls -CR runtime/org.fedoraproject.Platform/x86_64/f29 > b
# Reverse map each invalid object to a file
for obj in $(grep invalid a | awk "{ print \$3 }" | sed s/.file//); do grep $obj b; done

This results in showing all the symlinks in the platform, like this:

l00777 0 0      0 9880aff2821430f579e4696a6d029c8aa098856aa29c195cdb83ba38f6616ef8 /files/tmp -> ../var/tmp
l00777 0 0      0 9d3f386eae02cfa44ae8fe22f01b86ffe6b255b4857288dee48d502c1e7fd966 /files/bin/awk -> gawk
l00777 0 0      0 811a375c1d8e8742f5d02246af00136f2192905d06ae1dd7de662f16b1ddebea /files/bin/bashbug -> bashbug-64
l00777 0 0      0 9396116ed486f52943960a591fe9375fb6d79328540eafaf3ae2f14cb7cc962b /files/bin/bunzip2 -> bzip2
l00777 0 0      0 9396116ed486f52943960a591fe9375fb6d79328540eafaf3ae2f14cb7cc962b /files/bin/bzcat -> bzip2

However, if i redo the install after having tweaked the mode of the flatpak repo to "bare-user", which stores the full permissions (in xattrs) i get for example for the above gawk symlink:

l00755 0 0      0 9d3f386eae02cfa44ae8fe22f01b86ffe6b255b4857288dee48d502c1e7fd966 /files/bin/awk -> gawk

So, it seems like we're generating non-canonical permissions for symlinks. I'm not sure exactly where this is happening, but I have two guesses:

• In flatpak_builder.py we call out to ostree commit, this should also pass --canonical-permissions to generate permissions that are guaranteed to work with bare-user-only repos (and thus flatpak).

• In flatpak_builder.py the function _export_from_stream() does some manual permission changes. It references https://github.com/flatpak/flatpak/blob/master/app/flatpak-builtins-build-export.c#L189 for this, but doesn't seem to quite do the same thing. In particular, it doesn't have an else if is_regular() case, which seems like it will trigger this to run on symlinks too.

I think the second is causing the above issue, but both should be fixed.