launcher script runs Python 2 despite checking for /usr/bin/python3

I noticed this in the course of Endless OS removing Python 2.7 entirely. We don't ship /usr/lib/adobe-flashplugin/manifest.json, and I couldn't find a copy to fully verify this patch, but I tested with a non-ASCII JSON file (the obvious way that 2.7 -> 3.x would break) and it seems to work fine.

The attachment "0001-Check-flashplugin-manifest-with-Python-3.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Maybe a dumb question… After removing Python 2.7 entirely, wouldn't "/usr/bin/python" point to python3 by default anyway?

https://www.python.org/dev/peps/pep-0394/ says “for the time being, all distributions should ensure that python, if installed, refers to the same target as python2, unless the user deliberately overrides this or a virtual environment is active”. That's the case in Endless where /usr/bin/python simply doesn't exist any more.

That is:

  'python' is in $PATH => it is Python 2

By my reading, it follows that if there is no Python 2, 'python' shouldn't be in $PATH at all, according to that PEP.

That makes sense, thanks for confirming.
Python3 should probably be made a runtime dependency of chromium-browser, then.

The shell script checks for the existence of /usr/bin/python3, so it will fail gracefully if python3 is not installed. Not sure what the intent of that was (python3 not widely available at the time this was written, maybe?), but for now let's keep the test and not add an explicit runtime dependency. I think it can be safely assumed that python3 will be installed anyway on most modern distributions.

This bug was fixed in the package chromium-browser - 68.0.3440.75-0ubuntu1

---------------
chromium-browser (68.0.3440.75-0ubuntu1) cosmic; urgency=medium

  * Upstream release: 68.0.3440.75
    - CVE-2018-6153: Stack buffer overflow in Skia.
    - CVE-2018-6154: Heap buffer overflow in WebGL.
    - CVE-2018-6155: Use after free in WebRTC.
    - CVE-2018-6156: Heap buffer overflow in WebRTC.
    - CVE-2018-6157: Type confusion in WebRTC.
    - CVE-2018-6158: Use after free in Blink.
    - CVE-2018-6159: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6160: URL spoof in Chrome on iOS.
    - CVE-2018-6161: Same origin policy bypass in WebAudio.
    - CVE-2018-6162: Heap buffer overflow in WebGL.
    - CVE-2018-6163: URL spoof in Omnibox.
    - CVE-2018-6164: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6165: URL spoof in Omnibox.
    - CVE-2018-6166: URL spoof in Omnibox.
    - CVE-2018-6167: URL spoof in Omnibox.
    - CVE-2018-6168: CORS bypass in Blink.
    - CVE-2018-6169: Permissions bypass in extension installation.
    - CVE-2018-6170: Type confusion in PDFium.
    - CVE-2018-6171: Use after free in WebBluetooth.
    - CVE-2018-6172: URL spoof in Omnibox.
    - CVE-2018-6173: URL spoof in Omnibox.
    - CVE-2018-6174: Integer overflow in SwiftShader.
    - CVE-2018-6175: URL spoof in Omnibox.
    - CVE-2018-6176: Local user privilege escalation in Extensions.
    - CVE-2018-6177: Cross origin information leak in Blink.
    - CVE-2018-6178: UI spoof in Extensions.
    - CVE-2018-6179: Local file information leak in Extensions.
    - CVE-2018-6044: Request privilege escalation in Extensions.
    - CVE-2018-4117: Cross origin information leak in Blink.
  * debian/rules:
    - remove enable_webrtc build flag
    - make ninja less verbose to reduce build log size
  * debian/chromium-browser.sh.in: parse flashplugin manifest with Python 3
    (LP: #1772448)
  * debian/patches/add-missing-base-namespace.patch: added
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/enable-chromecast-by-default.patch: refreshed
  * debian/patches/fix-crashpad-linux-compat.patch: removed, no longer needed
  * debian/patches/fix-extra-arflags.patch: updated
  * debian/patches/fix-ffmpeg-ia32-build.patch: updated
  * debian/patches/last-commit-position: refreshed
  * debian/patches/revert-clang-nostdlib++.patch: removed, no longer needed
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: updated
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/known_gn_gen_args-*: remove enable_webrtc build flag

 -- Olivier Tilloy <email address hidden> Wed, 25 Jul 2018 09:22:28 +0200