Source: ncftp
Version: 2:3.2.5-2.2
Severity: important
Tags: patch bookworm sid
User: reproducible-bui...@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
If ncftp is built on a merged-/usr system (as created by new installations
of Debian >= 10, debootstrap --merged-usr, or installing the usrmerge
package into an existing installation), the path to tar is recorded in the
binary as /usr/bin/tar.
This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/ncftp.html
(search for "/bin/tar" to see the difference I'm concerned about).
If you have sbuild available, an easy way to reproduce this is to build
ncftp twice, once with --add-depends-arch=usrmerge and once without.
The problematic situation is if pkgconf is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/usr/bin/tar exists on the build system but not on the system where
ncftp will be used, resulting in the feature that uses tar not being
available.
Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.
Some Debian developers advocate that instead of merged-/usr, we should
use a different strategy where /bin becomes a "symlink farm" with
individual symlinks such as /bin/tar -> /usr/bin/tar. If that route is
taken instead of merged-/usr, then resolving bugs like this one will be
equally important as part of that transition, because it shares the
property that both /bin/tar and /usr/bin/tar exist after the transition,
but only /bin/tar exists on untransitioned systems.
The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.
A side benefit of fixing this is that this change might be sufficient
to make the package reproducible (as recommended by Policy ยง4.15).
smcv
>From 252c7fdcee3fa2548bc8246849aa3dc280169992 Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Sat, 21 Aug 2021 16:50:49 +0100
Subject: [PATCH] d/rules: Specify canonical path to tar
If ncftp is built on a merged-/usr system, then tar is available at
both /usr/bin/tar and /bin/tar, but if it is subsequently used on a
non-merged-/usr system, only /bin/tar will work. Force the canonical
path /bin/tar so that the layout of the build system does not matter.
Signed-off-by: Simon McVittie <s...@debian.org>
---
debian/rules | 1 +
1 file changed, 1 insertion(+)
diff --git a/debian/rules b/debian/rules
index 5b12238..a0410b4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,6 +21,7 @@ config.status:
dh_testdir
cp /usr/share/misc/config.guess /usr/share/misc/config.sub .
# Add here commands to configure the package.
+ TAR=/bin/tar \
CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--mandir=\$${prefix}/share/man \
--
2.33.0
