authorMatthew Leeds <matthew.leeds@endlessm.com>2018-08-13 11:22:22 -0700
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-20 06:58:01 +0000
commit37ad100cfe819459eb66bd39576a61cac19bd39f (patch)
treec9a6b86f9260f973497860470fca92849bbdee3c
parentfb989a62a1d3371a22a9458d7d2d3aa98f86d74c (diff)
downloadflatpak-37ad100cfe819459eb66bd39576a61cac19bd39f.tar.gz
dir: Quietly refuse to downgrade ostree-metadata
This reverts commit ed1d7eacf47534fc6aae6571b7d41bca3951d0e9 and fixes the issue in a different way. With the introduction of peer (LAN/USB) sources of refs comes a problem: they may have outdated repository metadata (which is stored as contentless commits on the branch "ostree-metadata"). Currently Flatpak allows the older metadata to be pulled into the local repo, but this is undesirable for a few reasons: it hurts the security properties of the system because for example the GPG keys might have been rotated and you don't want to go back to using the old ones, and it's undesirable because the old metadata might have missing or wrong information about the apps installed on the system. So this commit makes Flatpak ignore the downgrade and use the newer metadata for the offline operation. This is not a perfect solution, because the newer metadata might have information (such as the download size or needed runtime) that's not accurate for the old versions of the refs that are available offline. This issue is significantly mitigated by the fact that FlatpakTransaction operations use commit metadata to make decisions, rather than depending on the xa.cache. Another possible solution would be to read the outdated metadata into the FlatpakRemoteState object without pulling it into the local repo or using it to update the remote config, but that's not perfect either because there's no guarantee you'll pull the metadata from the same source as the refs (perhaps one comes from a USB drive and the other from a LAN peer). Longer term, we should figure out how to rely less on the xa.cache (which is stored in ostree-metadata) or otherwise make architectural changes to solve those issues. For now, I think this fix will be enough to make USB updates usable and secure. Fixes https://github.com/flatpak/flatpak/issues/1473 Closes: #1965 Approved by: alexlarsson
-rw-r--r--common/flatpak-dir.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 977d7bc7..4dddbe2e 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -9274,8 +9274,10 @@ _flatpak_dir_get_remote_state (FlatpakDir *self,
g_autoptr(GVariant) commit_v = NULL;
g_autoptr(GError) local_error = NULL;
- /* Make sure the branch is up to date. */
- if (!_flatpak_dir_fetch_remote_state_metadata_branch (self, state, cancellable, &local_error))
+ /* Make sure the branch is up to date, but ignore downgrade errors (see
+ * below for the explanation). */
+ if (!_flatpak_dir_fetch_remote_state_metadata_branch (self, state, cancellable, &local_error) &&
+ !g_error_matches (local_error, FLATPAK_ERROR, FLATPAK_ERROR_DOWNGRADE))
{
if (optional)
{
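Review bot: The added `!g_error_matches (local_error, FLATPAK_ERROR, FLATPAK_ERROR_DOWNGRADE)` test only reaches the tolerant path if every branch of `_flatpak_dir_fetch_remote_state_metadata_branch` reports a refused downgrade with exactly that domain and code. The third hunk shows that function has a `flatpak_dir_use_system_helper` branch whose body is outside the diff, so it is worth confirming the error keeps its code on that path too. If it does not, a stale peer would land in the hard-failure branch; that is fail-closed, but it would still break the offline update this commit is meant to enable. A short comment recording the dependency would help, e.g. `/* Relies on the fetch reporting FLATPAK_ERROR_DOWNGRADE on both the direct and the system-helper path. */`. The body of `_flatpak_dir_get_remote_state` begins and ends outside this hunk.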
@@ -9292,6 +9294,18 @@ _flatpak_dir_get_remote_state (FlatpakDir *self,
}
else
{
+ if (g_error_matches (local_error, FLATPAK_ERROR, FLATPAK_ERROR_DOWNGRADE))
+ {
+ /* The latest metadata available is a downgrade, which means we're offline and using a
+ * LAN/USB source. Downgrading the metadata in the system repo would be a security
+ * risk, so instead ignore the downgrade and use the later metadata. There's some
+ * chance its information won't be accurate for the refs that are pulled, but using
+ * the old metadata wouldn't always be correct either because there's no guarantee the
+ * refs will be pulled from the same peer source as the metadata. Long term, we should
+ * figure out how to rely less on it. */
+ g_debug ("Ignoring downgrade of ostree-metadata; using the newer one instead");
+ }
+
/* Look up the commit containing the latest repository metadata. */
latest_rev = flatpak_dir_read_latest (self, remote_or_uri, OSTREE_REPO_METADATA_REF,
NULL, cancellable, error);
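Review bot: The new `g_debug` in the downgrade branch does not name the remote that offered the older metadata, and debug output is normally hidden, so a refused rollback leaves no trace an operator could act on. `remote_or_uri` is in scope (it is passed to `flatpak_dir_read_latest` just below) and appears to be a string, so consider `g_debug ("Ignoring downgrade of ostree-metadata for remote %s; using the newer one instead", remote_or_uri);`, or a more visible log level if the project has a convention for security-relevant events. The comment also states as fact that a downgrade "means we're offline and using a LAN/USB source"; nothing visible in this hunk checks that, and any source serving older metadata would presumably raise the same error, so "most likely means" would be more accurate. The enclosing function continues outside the hunk.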
@@ -11344,13 +11358,6 @@ _flatpak_dir_fetch_remote_state_metadata_branch (FlatpakDir *self,
flatpak_flags = FLATPAK_PULL_FLAGS_DOWNLOAD_EXTRA_DATA;
flatpak_flags |= FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS;
- /* TODO: This is somewhat weird. as it means downgrade the ostree-metadata branch
- * if the currently available branch is older. However, it matches what we did before
- * PR #1961 where we started disallowing downgrades in p2p updates.
- * Long term we should have a better solution to this.
- */
- flatpak_flags |= FLATPAK_PULL_FLAGS_ALLOW_DOWNGRADE;
-
if (flatpak_dir_use_system_helper (self, NULL))
{
g_autoptr(OstreeRepo) child_repo = NULL;