Source: sharutils
Version: 1:4.15.2-5
Severity: important
Tags: patch bookworm sid
User: reproducible-bui...@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

If sharutils is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the path to bash
is recorded in the binary as /usr/bin/bash.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/sharutils.html
(search for "/usr/bin/bash" to see the difference I'm concerned about).

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

The problematic situation is if the package is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/usr/bin/bash exists on the build system but not on the system where
sharutils will be used, resulting in the feature that uses bash not being
available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

Some Debian developers advocate that instead of merged-/usr, we should
use a different strategy where /bin becomes a "symlink farm" with
individual symlinks such as /bin/bash -> /usr/bin/bash. If that route is
taken instead of merged-/usr, then resolving bugs like this one will be
equally important as part of that transition, because it shares the
property that both /bin/bash and /usr/bin/bash exist after the transition,
but only /bin/bash exists on untransitioned systems.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv
From ba667fd7e76dde2d70729a7458ffdb2d15cdf1d3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Sat, 21 Aug 2021 18:49:16 +0100
Subject: [PATCH] d/rules: Specify canonical path to bash

If sharutils is built on a merged-/usr system where both /usr/bin/bash
and /bin/bash exist, it will hard-code the former into its executable,
resulting in a binary package that will not work correctly when used on
non-merged-/usr systems. Forcing the canonical path will make it work
on any combination of merged-/usr and non-merged-/usr build and runtime
systems.

Run autoreconf so that the modified m4 files are picked up.

Signed-off-by: Simon McVittie <s...@debian.org>
---
 debian/control                                |  2 +-
 ...t-POSIX_SHELL-from-the-environment-d.patch | 44 +++++++++++++++++++
 debian/patches/series                         |  1 +
 debian/rules                                  |  5 ++-
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch

diff --git a/debian/control b/debian/control
index ec86070..d69acfd 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: utils
 Priority: optional
 Maintainer: Santiago Vila <sanv...@debian.org>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9.20120311), texinfo
+Build-Depends: debhelper (>= 9.20120311), dh-autoreconf, texinfo
 Homepage: https://www.gnu.org/software/sharutils/
 Rules-Requires-Root: no
 
diff --git a/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch b/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
new file mode 100644
index 0000000..5682187
--- /dev/null
+++ b/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
@@ -0,0 +1,44 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sat, 21 Aug 2021 19:19:03 +0100
+Subject: libopts.m4: accept POSIX_SHELL from the environment during
+ the configure step
+
+This lets us set it to the canonical path /bin/bash, even on systems
+where both /bin/bash and /usr/bin/bash are available, and therefore
+which(1) might return /usr/bin/bash (depending on PATH order).
+
+Both copies of libopts.m4 are marked as generated files, but the files
+from which they were generated do not seem to be present in the sharutils
+package. This change is equivalent to part of a 2016 autogen commit
+<https://git.savannah.gnu.org/cgit/autogen.git/commit/?id=db064b9a>.
+
+Origin: https://git.savannah.gnu.org/cgit/autogen.git/commit/?id=db064b9a
+---
+ libopts/m4/libopts.m4 | 1 +
+ m4/libopts.m4         | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libopts/m4/libopts.m4 b/libopts/m4/libopts.m4
+index 1a896d9..3b88426 100644
+--- a/libopts/m4/libopts.m4
++++ b/libopts/m4/libopts.m4
+@@ -114,6 +114,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
+   AC_PROG_SED
+   [while :
+   do
++      test -x "$POSIX_SHELL" && break
+       POSIX_SHELL=`which bash`
+       test -x "$POSIX_SHELL" && break
+       POSIX_SHELL=`which dash`
+diff --git a/m4/libopts.m4 b/m4/libopts.m4
+index c7ba4f3..a1127e1 100644
+--- a/m4/libopts.m4
++++ b/m4/libopts.m4
+@@ -114,6 +114,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
+   AC_PROG_SED
+   [while :
+   do
++      test -x "$POSIX_SHELL" && break
+       POSIX_SHELL=`which bash`
+       test -x "$POSIX_SHELL" && break
+       POSIX_SHELL=`which dash`
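Review bot: the added `test -x "$POSIX_SHELL" && break` in both copies of libopts.m4 accepts whatever executable the environment names, so a relative path or a non-shell program inherited by accident from the build environment would be taken as the shell without ever reaching the `which bash` fallback. Consider also requiring an absolute path (for example a `case "$POSIX_SHELL" in /*)` guard around the test) and stating in the patch description that the variable is meant to be set deliberately by the packaging, as debian/rules does.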
diff --git a/debian/patches/series b/debian/patches/series
index 08981a6..f852870 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01-fix-heap-buffer-overflow-cve-2018-1000097.patch
 02-fix-ftbfs-with-glibc-2.28.patch
 03-fix-ftbfs-with-gcc-10.patch
+libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
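Review bot: the new entry in debian/patches/series drops the two-digit prefix that the three existing patches carry (01-, 02-, 03-), and its file name ends in a truncated "-d.patch". Renaming it along the lines of 04-libopts-accept-POSIX_SHELL-from-environment.patch would keep the series consistent and the name readable.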
diff --git a/debian/rules b/debian/rules
index 4a2de5e..500e1d9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 %:
-	dh $@
+	dh $@ --with autoreconf
 
 package = sharutils
 
@@ -10,6 +10,9 @@ override_dh_auto_clean:
 	dh_auto_clean
 	rm -rf doc/$(package)
 
+override_dh_auto_configure:
+	dh_auto_configure -- POSIX_SHELL=/bin/bash
+
 override_dh_installdocs-indep:
 	cd doc && makeinfo --html --split=chapter $(package).texi
 	dh_installdocs -i doc/$(package)/*.html
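Review bot: the new override_dh_auto_configure target passes POSIX_SHELL=/bin/bash with no comment saying why, so a later packaging cleanup could drop the override and silently bring back the /usr/bin/bash variation. A one-line comment above the target naming the merged-/usr issue (and the bug number once assigned) would document the intent.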
-- 
2.33.0
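
The build-twice comparison described in the report can be automated; this is an added example, not part of the original message or of the sharutils packaging. The function names are hypothetical and the two sample "binaries" are constructed; pass the merged-/usr build as the first argument.

```shell
#!/bin/sh
# Added example: report absolute paths that one build embeds under /usr/...
# while the other build embeds the same path without the /usr prefix.

# Print the unique embedded paths under (/usr)/bin, /sbin or /lib in FILE.
# Maximal path-like runs are extracted first, so /usr/local/bin/x or a
# relative x/bin/y is never cut down to a false /bin/... match.
embedded_paths() {
    LC_ALL=C grep -a -o -E '[A-Za-z0-9._+/-]+' "$1" |
        grep -E '^(/usr)?/(bin|sbin|lib)/' | sort -u
}

# usrmerge_diff MERGED_BUILD UNMERGED_BUILD
# Prints one line per differing path; returns 1 if any were found.
usrmerge_diff() {
    a=$(mktemp) b=$(mktemp)
    embedded_paths "$1" >"$a"
    embedded_paths "$2" >"$b"
    status=0
    while IFS= read -r p; do
        case $p in
            /usr/*) ;;
            *) continue ;;
        esac
        short=${p#/usr}
        # Flag only when the second build has /bin/X and lacks /usr/bin/X.
        if grep -q -x -F -- "$short" "$b" && ! grep -q -x -F -- "$p" "$b"; then
            printf '%s (first build) vs %s (second build)\n' "$p" "$short"
            status=1
        fi
    done <"$a"
    rm -f "$a" "$b"
    return $status
}

# Constructed sample input: NUL-separated strings standing in for two builds.
demo() {
    d=$(mktemp -d)
    printf 'ELF\0/usr/bin/bash\0/usr/share/doc\0' >"$d/merged"
    printf 'ELF\0/bin/bash\0/usr/share/doc\0' >"$d/unmerged"
    usrmerge_diff "$d/merged" "$d/unmerged" || echo "builds differ by /usr prefix"
    rm -rf "$d"
}
demo
```

A non-zero return from `usrmerge_diff` can gate a CI job that builds the package with and without `--add-depends-arch=usrmerge`.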
