Describe the bug
On Linux, the GitHub Copilot Desktop AppImage exports its bundled-library LD_LIBRARY_PATH into the environment of the child processes it spawns. When the app spawns its bundled git to initialize a session workspace (git fetch over HTTPS), git's git-remote-https helper loads the AppImage's older bundled libnghttp2.so.14 instead of the system one. That older nghttp2 is missing a symbol the system libcurl-gnutls.so.4 requires, so the helper aborts and session workspace initialization fails — no session can be created:
git-remote-https: symbol lookup error: /lib/x86_64-linux-gnu/libcurl-gnutls.so.4:
undefined symbol: nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
fatal: remote helper 'https' aborted session
This reproduces reliably (it blocked session creation on two separate occasions).
Root cause (verified):
- The AppImage runtime exports to every child process an
LD_LIBRARY_PATH pointing at its mount, e.g. /tmp/.mount_GitHubXXXX/usr/lib/:/tmp/.mount_GitHubXXXX/usr/lib/x86_64-linux-gnu/:/tmp/.mount_GitHubXXXX/lib/x86_64-linux-gnu/:...
- The bundle ships an old nghttp2:
/tmp/.mount_GitHubXXXX/usr/lib/libnghttp2.so.14 is missing nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation (nm -D → 0 matches). The system /lib/x86_64-linux-gnu/libnghttp2.so.14 → libnghttp2.so.14.26.0 has it (nm -D → 1 match).
- The bundled git's
git-remote-https links system libcurl-gnutls.so.4, whose NEEDED list includes libnghttp2.so.14. With the AppImage LD_LIBRARY_PATH taking precedence, the loader binds the old bundled nghttp2, the required symbol is absent, and the helper dies on symbol lookup.
Why it's clearly the spawn environment, not the user's system:
- Running the same bundled git from a normal shell (no AppImage
LD_LIBRARY_PATH) works: git ls-remote https://github.com/git/git HEAD returns the SHA, exit 0.
- Reproducing with only that
LD_LIBRARY_PATH set makes the bundled git-remote-https symbol-error (exit 127); unsetting it fixes it (exit 0).
- The system nghttp2 is current/healthy; the only "bad" nghttp2 on the machine is the one inside the AppImage bundle.
Affected version
- Copilot CLI:
1.0.64-1
- Copilot Desktop (AppImage): 2.95.0 (
GitHub-Copilot-linux-x64.AppImage; active runtime cache copilot-desktop-gh-2.95.0)
- Bundled git:
github-copilot-git-2.53.0-3 (git 2.53.0)
Steps to reproduce the behavior
- Run the Copilot Desktop AppImage on Ubuntu 24.04 (system libcurl is the gnutls variant, which pulls
libnghttp2.so.14).
- Create a session for any GitHub repo (this triggers a workspace
git fetch over HTTPS).
- Workspace init fails with the
symbol lookup error shown above.
Minimal CLI repro of the underlying mechanism (using the app's own bundled git):
BGIT=~/.cache/github-copilot-git-<ver>/bin/git
APPLIB=/tmp/.mount_GitHub<random>/usr/lib
# Fails (mimics how the app spawns git):
LD_LIBRARY_PATH="$APPLIB" "$BGIT" ls-remote https://github.com/git/git HEAD
# -> symbol lookup error ... nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
# Works (clean env):
"$BGIT" ls-remote https://github.com/git/git HEAD
Expected behavior
The app should be able to spawn its bundled git to fetch over HTTPS and initialize a session workspace, regardless of the host's libcurl/nghttp2 versions. System binaries spawned by the app should resolve system libraries, not the AppImage's bundled ones.
Suggested fixes (any one resolves it):
- Don't leak the bundle's
LD_LIBRARY_PATH to spawned subprocesses. Sanitize/restore LD_LIBRARY_PATH (and LD_PRELOAD) to the pre-AppImage value when spawning git and other system tools. (Standard AppImage guidance for invoking external system tools; cleanest fix.)
- Wrap the bundled git so its remote helpers run with a clean
LD_LIBRARY_PATH (strip the AppImage bundle dirs before exec).
- Bundle git's HTTP stack consistently (ship a
git-remote-https that doesn't mix system libcurl-gnutls with a bundled, older nghttp2), or ensure the bundled nghttp2 is recent enough for the symbols its linked libcurl needs.
Additional context
- Operating system: Ubuntu 24.04.4 LTS
- CPU architecture: x86_64
- Severity: high on affected Linux setups — sessions cannot be created at all; the only surfaced symptom is an opaque libcurl symbol error.
- Affects any distro where system
libcurl-gnutls.so.4 requires a newer nghttp2 symbol than the AppImage's bundled libnghttp2.so.14 provides (e.g. Ubuntu 24.04).
Local workaround in use (reversible): wrapped the bundled git-remote-http helper with a shell shim that runs unset LD_LIBRARY_PATH; unset LD_PRELOAD; exec git-remote-http.real "$@". Verified: the wrapped helper returns capabilities cleanly under the bad env (exit 0); the raw binary symbol-errors (exit 127). This is a per-machine stopgap, not a product fix.
Describe the bug
On Linux, the GitHub Copilot Desktop AppImage exports its bundled-library
LD_LIBRARY_PATHinto the environment of the child processes it spawns. When the app spawns its bundled git to initialize a session workspace (git fetchover HTTPS), git'sgit-remote-httpshelper loads the AppImage's older bundledlibnghttp2.so.14instead of the system one. That older nghttp2 is missing a symbol the systemlibcurl-gnutls.so.4requires, so the helper aborts and session workspace initialization fails — no session can be created:This reproduces reliably (it blocked session creation on two separate occasions).
Root cause (verified):
LD_LIBRARY_PATHpointing at its mount, e.g./tmp/.mount_GitHubXXXX/usr/lib/:/tmp/.mount_GitHubXXXX/usr/lib/x86_64-linux-gnu/:/tmp/.mount_GitHubXXXX/lib/x86_64-linux-gnu/:.../tmp/.mount_GitHubXXXX/usr/lib/libnghttp2.so.14is missingnghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(nm -D→ 0 matches). The system/lib/x86_64-linux-gnu/libnghttp2.so.14→libnghttp2.so.14.26.0has it (nm -D→ 1 match).git-remote-httpslinks systemlibcurl-gnutls.so.4, whoseNEEDEDlist includeslibnghttp2.so.14. With the AppImageLD_LIBRARY_PATHtaking precedence, the loader binds the old bundled nghttp2, the required symbol is absent, and the helper dies on symbol lookup.Why it's clearly the spawn environment, not the user's system:
LD_LIBRARY_PATH) works:git ls-remote https://github.com/git/git HEADreturns the SHA, exit 0.LD_LIBRARY_PATHset makes the bundledgit-remote-httpssymbol-error (exit 127); unsetting it fixes it (exit 0).Affected version
1.0.64-1GitHub-Copilot-linux-x64.AppImage; active runtime cachecopilot-desktop-gh-2.95.0)github-copilot-git-2.53.0-3(git 2.53.0)Steps to reproduce the behavior
libnghttp2.so.14).git fetchover HTTPS).symbol lookup errorshown above.Minimal CLI repro of the underlying mechanism (using the app's own bundled git):
Expected behavior
The app should be able to spawn its bundled git to fetch over HTTPS and initialize a session workspace, regardless of the host's libcurl/nghttp2 versions. System binaries spawned by the app should resolve system libraries, not the AppImage's bundled ones.
Suggested fixes (any one resolves it):
LD_LIBRARY_PATHto spawned subprocesses. Sanitize/restoreLD_LIBRARY_PATH(andLD_PRELOAD) to the pre-AppImage value when spawning git and other system tools. (Standard AppImage guidance for invoking external system tools; cleanest fix.)LD_LIBRARY_PATH(strip the AppImage bundle dirs beforeexec).git-remote-httpsthat doesn't mix systemlibcurl-gnutlswith a bundled, older nghttp2), or ensure the bundled nghttp2 is recent enough for the symbols its linked libcurl needs.Additional context
libcurl-gnutls.so.4requires a newer nghttp2 symbol than the AppImage's bundledlibnghttp2.so.14provides (e.g. Ubuntu 24.04).Local workaround in use (reversible): wrapped the bundled
git-remote-httphelper with a shell shim that runsunset LD_LIBRARY_PATH; unset LD_PRELOAD; exec git-remote-http.real "$@". Verified: the wrapped helper returns capabilities cleanly under the bad env (exit 0); the raw binary symbol-errors (exit 127). This is a per-machine stopgap, not a product fix.