org.freedesktop.Platform.openh264 problem

compis1 · March 18, 2025, 12:21am

When I perform a flatpak update, 3 versions of org.freedesktop.Platform.openh264 attempt to update. These updates are trying to communicate through port 80, HTTP instead of HTTPS.

How can I determine what Flatpak apps are dependent on these items.

flatpak update
Looking for updates…

        ID                                           Branch           Op           Remote            Download
 1. [✗] org.freedesktop.Platform.openh264            2.2.0            i            flathub           603.8 kB / 944.3 kB
 2. [✗] org.freedesktop.Platform.openh264            2.4.1            i            flathub           630.3 kB / 976.5 kB
 3. [✗] org.freedesktop.Platform.openh264            2.5.1            i            flathub           644.7 kB / 971.4 kB

bbhtt · March 18, 2025, 1:50am

These updates are trying to communicate through port 80, HTTP instead of HTTPS.

Due to patents the openh264 library is directly fetched from Cisco, who doesn’t have HTTPS. We can’t do anything about this.

When I perform a flatpak update, 3 versions of org.freedesktop.Platform.openh264

openh264 is autoinstalled by the runtimes, it’s not usually coming from apps.

flatpak list --runtime --columns=ref | xargs -I {} sh -c 'ver=$(flatpak info -m {} | grep -E "^version = (2.5.1|2.4.1|2.2.0)$"); [ -n "$ver" ] && echo "{} $ver" || :'

will tell you which runtimes are pulling it.

compis1 · March 19, 2025, 6:07pm

This seems odd that cisco a large network communication company isn’t using HTTPS ? Why is it calling for several versions of the same component ?

bbhtt · March 20, 2025, 1:31am

You can ask them SSL ceritficate for download openh264 binaries · Issue #3758 · cisco/openh264 · GitHub

Why is it calling for several versions of the same component ?

Those are due to API/ABI breaks. If a version makes a API/ABI break we can’t update it in the same runtime version, so the new openh264 goes to a new runtime version.

So you end up with 23.08 installing 2.2.0, 24.08 installing 2.5.1 and so on.

compis1 · March 21, 2025, 1:06am

OK. I do not want to have any application using openh264 running on my system as I also noticed Flatpak recognized a security issue.
Can i identify any installed apps that use openh264 through flatpak so i can remove them?

bbhtt · March 21, 2025, 1:23am

It’s defined in the runtime, meaning it is mounted into every app. If you want to get rid of it, uninstall it then mask it Tips and Tricks - Flatpak documentation

compis1 · March 21, 2025, 8:42pm

Thank you very much. That was very helpful and I was able to mask org.freedesktop.Platform.openh264 successfully.