FS#78527 - [element-desktop] 1.11.31-2 Seshat native Node module for search in E2E encrypted rooms broken

Attached to Project: Community Packages
Opened by 6t8k (6t8k) - Monday, 15 May 2023, 20:20 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 23 May 2023, 08:38 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Since at least element-desktop 1.11.31-2 (possibly earlier), the Seshat native Node module for search in E2E encrypted rooms is broken due to a packaging bug.

Steps to reproduce:
1. Start element-desktop
2. Log in
3. Go to the "Security & Privacy" settings
4. The "Message search" section will say "Message search initialization failed" and 'Error opening the database: SqlCipherError("Sqlcipher support is missing")'.

Expected result (in contrast to the actual result described above):
- The "Message search" section will say "Securely cache encrypted messages locally [...]". Compare: https://github.com/vector-im/element-desktop/pull/631#issuecomment-1518078921

I can confirm that this can be fixed by making the following changes to the element.io PKGBUILD (due to having made these changes and having built the package myself):
1) Remove sqlcipher from the runtime dependencies again, keep it as a build-time dependency
2) Instead of setting an environment variable SQLCIPHER_STATIC=1, set SQLCIPHER_BUNDLED=1


Additional info:
* element-desktop 1.11.31-2
* No specific configuration necessary to trigger this bug. Can be triggered by installing element-desktop 1.11.31-2 on a fresh Arch Linux machine and using a freshly created Matrix user account.
* See https://github.com/vector-im/element-desktop/blob/develop/CHANGELOG.md#changes-in-11131-2023-05-10 (section titled "BREAKING CHANGES")
* See https://github.com/vector-im/element-desktop/blob/develop/docs/native-node-modules.md#statically-linking-libsqlcipher

Closed by Antonio Rojas (arojas)
Tuesday, 23 May 2023, 08:38 GMT
Reason for closing: Fixed
Additional comments about closing: element-desktop 1.11.31-3
Comment by Toolybird (Toolybird) - Monday, 15 May 2023, 21:06 GMT
Related FS#72359
Comment by 6t8k (6t8k) - Thursday, 18 May 2023, 10:54 GMT
I have to correct myself a bit: with SQLCIPHER_BUNDLED=1, upstream actually includes a vendored copy of sqlcipher (sigh..), and in that case it is redundant for the PKGBUILD to pull in sqlcipher, both as part of `depends` and `makedepends`.
Comment by Antonio Rojas (arojas) - Sunday, 21 May 2023, 09:09 GMT
SQLCIPHER_BUNDLED=1 doesn't have any effect here. Only preloading sqlcipher.so.0 works.
Comment by 6t8k (6t8k) - Sunday, 21 May 2023, 21:18 GMT
> Comment by Antonio Rojas (arojas) - Sunday, 21 May 2023, 09:09 GMT
> SQLCIPHER_BUNDLED=1 doesn't have any effect here. Only preloading sqlcipher.so.0 works.

I've just now created a completely fresh VM based on archlinux-2023.05.03-x86_64.iso, using the included archinstall script with the Desktop profile, choosing Xfce. I applied the attached patch to the element.io PKGBUILD (remove sqlcipher from depends and makedepends, change SQLCIPHER_STATIC=1 to SQLCIPHER_BUNDLED=1, nothing else), built and installed it, and Seshat/the search in E2E encrypted rooms feature works fine.

This is what I've done right after rebooting the VM for the first time:

$ sudo pacman -Syu git && git clone https://gitlab.archlinux.org/archlinux/packaging/packages/element.io.git && cd element.io
$ git log
commit fed620451d1930699c83c2aefdc32250ca1b5cf6 (HEAD -> main, tag: 1.11.31-2, origin/main, origin/HEAD)
<snip>
$ git am 0001-Fix-FS-78527.patch # patch is attached to this post for reproducibility
$ gpg --import keys/pgp/712BFBEE92DCA45252DB17D7C7BE97EFA179B100.asc
$ makepkg -sic
(go through build process)
$ element-desktop
(feature works)

The current tip commit does not preload sqlcipher.

Could you please take a look at this again?
Comment by 6t8k (6t8k) - Sunday, 21 May 2023, 21:19 GMT
(sorry that the formatting turned out funny, I don't know what formatting features flyspray supports and there doesn't seem to be a preview feature)
Comment by Antonio Rojas (arojas) - Monday, 22 May 2023, 11:27 GMT
Please try building it in a clean chroot
Comment by 6t8k (6t8k) - Monday, 22 May 2023, 22:41 GMT
> Comment by Antonio Rojas (arojas) - Monday, 22 May 2023, 11:27 GMT
> Please try building it in a clean chroot

Right, thanks for the heads-up. If you adjust the default packaging options in the PKGBUILD, then the Seshat feature works if the executable was built inside a clean chroot too.

This is because the devtools override the default makepkg configuration within the chroot (compare https://gitlab.archlinux.org/archlinux/devtools/-/blob/1.0.0/config/makepkg/x86_64.conf#L97 to `$ man 5 makepkg.conf`), which results in parts of the package being removed after the build, leaving element unable to access the library.

The attached revised patch to the PKGBUILD works when building inside a clean chroot.
I set `options=(libtool staticlib !lto)` here, which may not be optimal; it may be possible to override fewer options while still leaving the Seshat feature working, but as building element.io takes a while I haven't looked further into this.

This is what I did after rebooting the VM for the first time to confirm this:

$ sudo pacman -Syu devtools && git clone https://gitlab.archlinux.org/archlinux/packaging/packages/element.io.git && cd element.io
$ git log
commit fed620451d1930699c83c2aefdc32250ca1b5cf6 (HEAD -> main, tag: 1.11.31-2, origin/main, origin/HEAD)
<snip>
$ git am 0001-Fix-FS-78527-v2.patch
$ gpg --import keys/pgp/712BFBEE92DCA45252DB17D7C7BE97EFA179B100.asc
$ extra-x86_64-build
(go through build process)
$ sudo pacman -U element-web-1.11.31-3-x86_64.pkg.tar.zst element-desktop-1.11.31-3-x86_64.pkg.tar.zst
$ element-desktop
(feature works)

Although it doesn't seem to be documented in the wiki, I've picked up that Arch Linux policy is to discourage static linking (devtools overriding makepkg's default package options the way they do probably has a good reason, I surmise!), and I'm not sure to what extent exceptions are granted.
Now that upstream has decided to vendor sqlcipher, I'd prefer the static linking over a LD_PRELOAD + runtime dependency solution if the latter could work too (Bruno also wrote here https://gitlab.archlinux.org/archlinux/packaging/packages/element.io/-/commit/871a2319478de9f278863ccb883e20311743d240 that this caused conflicts with GTK?), but this is of course the package maintainers' decision to make.
Comment by loqs (loqs) - Tuesday, 23 May 2023, 01:07 GMT
What if you drop the options and add CFLAGS+=' -ffat-lto-objects' as in the attached diff? This is working on the assumption the flag that fixed the build was !lto. Sorry, I cannot test this myself as I do not have a matrix account.
Comment by Setpill (setpill) - Tuesday, 23 May 2023, 08:12 GMT
Running with `LD_PRELOAD=/usr/lib/libsqlcipher.so /usr/bin/element-desktop` fixes this, so might not be necessary to switch to bundled sqlcipher.
Comment by Antonio Rojas (arojas) - Tuesday, 23 May 2023, 08:38 GMT
Thanks @6t8k and @loqs, lto was the issue.

> as building element.io takes a while
yeah, unfortunately our electron package is badly outdated so it builds its own bundled electron.
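
Added example, not part of the thread or of the Arch tooling: a small POSIX shell sketch of the root cause discussed above, where the same PKGBUILD builds differently on a host and in a clean chroot because the two makepkg configurations enable different options. The two OPTIONS strings are constructed samples (not copied from any real makepkg.conf), the function names are hypothetical, and `PKG_OPTS` is the `options=()` value from the revised patch described in the thread.

```shell
# Constructed sample OPTIONS lines for two build environments.
HOST_CONF='strip docs !libtool !staticlib emptydirs zipman purge !debug !lto'
CHROOT_CONF='strip docs !libtool !staticlib emptydirs zipman purge debug lto'
PKG_OPTS='libtool staticlib !lto'   # options=() from the revised patch in the thread

opt_state() (   # NAME ENTRY... -> y, n, or ? when the option is not mentioned
    name=$1; shift
    for entry in "$@"; do
        case $entry in
            "$name")  echo y; exit ;;
            "!$name") echo n; exit ;;
        esac
    done
    echo '?'
)

effective() (   # NAME CONF_OPTIONS PKGBUILD_OPTIONS -> y or n
    set -f      # no globbing while the option strings are word-split
    s=$(opt_state "$1" $3)                       # the PKGBUILD entry wins ...
    [ "$s" = '?' ] && s=$(opt_state "$1" $2)     # ... then the makepkg configuration
    [ "$s" = '?' ] && s=n                        # unmentioned options are treated as off
    echo "$s"
)

drift() (       # CONF_A CONF_B PKGBUILD_OPTIONS -> options that differ between A and B
    set -f
    out=
    for e in $1 $2; do
        n=${e#!}
        case " $out " in *" $n "*) continue ;; esac
        [ "$(effective "$n" "$1" "$3")" != "$(effective "$n" "$2" "$3")" ] && out="$out $n"
    done
    echo "${out# }"
)

drift "$HOST_CONF" "$CHROOT_CONF" ''            # without PKGBUILD overrides
drift "$HOST_CONF" "$CHROOT_CONF" "$PKG_OPTS"   # with the overrides from the patch
```

Any option still reported by the second call is one the PKGBUILD does not pin, so the two environments can still produce different packages for it.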
