Source: cfengine3
Version: 3.15.2-3
Severity: important
Tags: patch bookworm sid
User: reproducible-bui...@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org, Fabio Tranchitella <kob...@debian.org>

If cfengine3 is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the paths to
chpasswd, useradd etc. are recorded in the binary as /sbin/chpasswd,
/sbin/useradd, etc.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/cfengine3.html
(search for "/sbin/chpasswd" to see the differences I'm concerned about).

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

The problematic situation is if the package is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/sbin/chpasswd etc. exist on the build system but not on the system
where cfengine3 will be used, resulting in the features that use these
executables not being available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv
From 9e28323e714949a960c88c56b99aab5d6b90f91a Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Sat, 21 Aug 2021 23:13:30 +0100
Subject: [PATCH] Specify canonical paths to chpasswd, etc.

If cfengine3 is built on a merged-/usr system where both /usr/bin/chpasswd
and /sbin/chpasswd exist, it will hard-code the latter into binaries,
resulting in a package that will not work correctly when used on
non-merged-/usr systems. Forcing the canonical path will make it work
on any combination of merged-/usr and non-merged-/usr build and runtime
systems, as well as improving reproducibility.

Signed-off-by: Simon McVittie <s...@debian.org>
---
 ...4-Make-it-possible-to-override-paths.patch | 46 +++++++++++++++++++
 debian/patches/series                         |  1 +
 debian/rules                                  |  4 ++
 3 files changed, 51 insertions(+)
 create mode 100644 debian/patches/cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch

diff --git a/debian/patches/cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch b/debian/patches/cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch
new file mode 100644
index 00000000..a0eb3398
--- /dev/null
+++ b/debian/patches/cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch
@@ -0,0 +1,46 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sat, 21 Aug 2021 23:13:08 +0100
+Subject: cf3_path_root_prog.m4: Make it possible to override paths
+
+CF3_PATH_ROOT_PROG is documented to have almost the same semantics as
+AC_PATH_PROG, but AC_PATH_PROG has the key feature that if the variable
+given as its first argument is set to a value, that value is used as-is.
+Give CF3_PATH_ROOT_PROG that feature too, so that we can force the paths
+for various programs to take their canonical values.
+
+Signed-off-by: Simon McVittie <s...@debian.org>
+---
+ libntech/m4/cf3_path_root_prog.m4 | 4 ++++
+ m4/cf3_path_root_prog.m4          | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/libntech/m4/cf3_path_root_prog.m4 b/libntech/m4/cf3_path_root_prog.m4
+index c7fe4f9..00ed909 100644
+--- a/libntech/m4/cf3_path_root_prog.m4
++++ b/libntech/m4/cf3_path_root_prog.m4
+@@ -40,6 +40,10 @@ AC_DEFUN([CF3_PATH_ROOT_PROG],
+   ])
+   AS_ECHO_N(["checking for $2... "])
+   for i in $(echo $path | sed -e 's/:/ /g'); do
++    AS_IF([test -n "$][$1"], [
++      found=1
++      break
++    ])
+     AS_IF([test -e $i/$2 && ls -ld $i/$2 | grep ['^[^ ][^ ][^ ][xs][^ ][^ ][^ ][^ ][^ ][^ ]'] > /dev/null], [
+       $1=$i/$2
+       found=1
+diff --git a/m4/cf3_path_root_prog.m4 b/m4/cf3_path_root_prog.m4
+index 8d5613f..1743acd 100644
+--- a/m4/cf3_path_root_prog.m4
++++ b/m4/cf3_path_root_prog.m4
+@@ -40,6 +40,10 @@ AC_DEFUN([CF3_PATH_ROOT_PROG],
+   ])
+   AS_ECHO_N(["checking for $2... "])
+   for i in $(echo $path | sed -e 's/:/ /g'); do
++    AS_IF([test -n "$][$1"], [
++      found=1
++      break
++    ])
+     AS_IF([test -e $i/$2 && ls -ld $i/$2 | grep ['^[^ ][^ ][^ ][xs][^ ][^ ][^ ][^ ][^ ][^ ]'] > /dev/null], [
+       $1=$i/$2
+       found=1
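Review bot: the added `AS_IF([test -n "$][$1"], ...)` check sits inside the `for i in $(echo $path ...)` loop, so a preset value is only honoured when `$path` is non-empty and the test is re-evaluated on every iteration; hoisting it in front of the loop (for example `AS_IF([test -n "$][$1"], [found=1], [for i in ...; do ... done])`) makes the override independent of the search path. Also, matching AC_PATH_PROG, the preset value is accepted as-is with no `test -e`, so a mistyped path passed from debian/rules would configure cleanly and only fail at run time; documenting that in the macro's header comment, or adding a one-line existence warning, would make the trade-off explicit. The same four lines are applied to both libntech/m4 and m4 copies, which is correct since the two files are duplicates and must stay in sync.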
diff --git a/debian/patches/series b/debian/patches/series
index 7ed77bb0..b6c8f4f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 0011-fix_interpreters.patch
 0012-CFE-3401-remove_unused_buffer.patch
 0013-rename_package_to_cfengine3.patch
+cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch
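Review bot: the new series entry breaks the numbering convention of the surrounding entries (0011-, 0012-, 0013-); renaming the file to `0014-cf3_path_root_prog.m4-Make-it-possible-to-override-paths.patch` keeps the apply order visible in the filename and stops the unprefixed name sorting ahead of the numbered patches in directory listings.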
diff --git a/debian/rules b/debian/rules
index 99786275..866b3d1e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,10 @@ export V=1
 # openssl1.1 transition, re-enable once it becomes ready.
 override_dh_auto_configure:
 	dh_auto_configure -- \
+			CHPASSWD=/usr/sbin/chpasswd \
+			USERADD=/usr/sbin/useradd \
+			USERDEL=/usr/sbin/userdel \
+			USERMOD=/usr/sbin/usermod \
 			--enable-fhs \
 			--libdir=/usr/lib \
 			--with-logdir=/var/log/cfengine3 \
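Review bot: the four `CHPASSWD=/usr/sbin/chpasswd` ... `USERMOD=/usr/sbin/usermod` overrides depend on the new CF3_PATH_ROOT_PROG behaviour that takes a preset value as-is, so configure no longer checks that these programs exist anywhere; it is worth confirming that debian/control already declares the runtime dependency that provides them (the passwd package in Debian), since the build now cannot catch a typo in these paths. A short comment above the overrides explaining that they pin the canonical merged-/usr paths for reproducibility, with a pointer to this bug, would also help the next maintainer who wonders why the autodetection is bypassed.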
-- 
2.33.0
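As an added illustration (not part of the bug report or the cfengine3 sources), the lookup semantics the report and patch describe, re-implemented as POSIX shell so the merged-/usr failure mode and the override can be exercised outside autoconf; the function and fixture names are this example's own, and the fixture directories are constructed under mktemp.

```shell
# Added example, not cfengine3 code: a POSIX shell rendering of the
# CF3_PATH_ROOT_PROG lookup, including the "use a preset value as-is"
# behaviour the patch adds.  Names here are this example's own.

# cf3_path_root_prog VAR PROG SEARCHPATH
# If VAR is already set, keep its value untouched (the patch's addition);
# otherwise take the first PROG in SEARCHPATH whose owner-execute bit is
# set, which is what the original's 'ls -ld | grep ^...[xs]' test checks.
cf3_path_root_prog() {
    var=$1; prog=$2; searchpath=$3
    eval "preset=\${$var}"
    if [ -n "$preset" ]; then
        return 0            # taken as-is: no existence check, as in AC_PATH_PROG
    fi
    for dir in $(printf '%s\n' "$searchpath" | sed -e 's/:/ /g'); do
        if [ -e "$dir/$prog" ] && ls -ld "$dir/$prog" | grep '^[^ ][^ ][^ ][xs]' >/dev/null; then
            eval "$var=\$dir/\$prog"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for a merged-/usr build host: chpasswd lives in
# usr/sbin and sbin is a symlink to it, so both paths resolve.
make_merged_usr_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin"
    printf '#!/bin/sh\n' > "$root/usr/sbin/chpasswd"
    chmod 755 "$root/usr/sbin/chpasswd"
    ln -s usr/sbin "$root/sbin"
    printf '%s\n' "$root"
}

# Without an override, searching sbin before usr/sbin records the alias
# path, which is exactly what the report saw in the built binaries.
discovered_path() {
    root=$(make_merged_usr_fixture)
    CHPASSWD=
    cf3_path_root_prog CHPASSWD chpasswd "$root/sbin:$root/usr/sbin"
    printf '%s\n' "${CHPASSWD#$root}"
    rm -rf "$root"
}

# With CHPASSWD preset, as debian/rules now does, the canonical path wins
# on any host; the caveat is that a mistyped preset would also be accepted.
overridden_path() {
    CHPASSWD=/usr/sbin/chpasswd
    cf3_path_root_prog CHPASSWD chpasswd "/sbin:/usr/sbin"
    printf '%s\n' "$CHPASSWD"
}
```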
