Source: opensmtpd Version: 6.8.0p2-3 Severity: important Tags: patch bookworm sid User: reproducible-bui...@lists.alioth.debian.org Usertags: usrmerge X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
If opensmtpd is built on a merged-/usr system (as created by new installations of Debian >= 10, debootstrap --merged-usr, or installing the usrmerge package into an existing installation), the path to zcat is recorded in the binary package as /usr/bin/zcat, rather than the canonical /bin/zcat. This can be seen on the reproducible-builds.org infra: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/i386/diffoscope-results/opensmtpd.html If you have sbuild available, an easy way to reproduce this is to build twice, once with --add-depends=usrmerge and once without. I suspect the same thing would happen if opensmtpd was built on a system where /sbin and /usr/sbin had instead been unified via a symlink farm. The problematic situation is if the package is *built* on a unified-/usr system, but *used* on a non-unified-/usr system. In this situation, /usr/bin/zcat exists on the build system but not on the system where the package will be used, resulting in the features that use this executable not working correctly. Similarly, if there is a /usr/local/bin/zcat visible at build-time, then that path would likely end up hard-coded into the binary, causing the relevant feature to fail on all systems that do not have /usr/local/bin/zcat. Technical Committee resolution #978636 mandates heading towards a transition to merged-/usr, and variation between merged-/usr and non-merged-/usr builds is a problem while that transition is taking place, because it can lead to partial upgrades behaving incorrectly. It is likely that this class of bugs will become release-critical later in the bookworm development cycle. The attached patch resolves this: with it applied, the package builds identically with and without --add-depends=usrmerge. Some developers advocate unifying /bin with /usr/bin via a symlink farm in /bin instead of merged-/usr, but that strategy would have a similar practical effect on this particular package, and the same solution would be required. A side benefit of fixing this is that this change seems likely to be sufficient to make the package reproducible (as recommended by Policy ยง4.15). smcv
>From 22d9dfcf49de7c577a532fc6f4450efad720d8d6 Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Sat, 4 Sep 2021 17:57:06 +0100 Subject: [PATCH] d/rules: Specify canonical path to zcat If opensmtpd is built on a unified-/usr system where both /usr/bin/zcat and /bin/zcat exist, it will hard-code the former into configuration, resulting in configuration that will not work correctly when used on non-unified-/usr systems. Similarly, if there is a local zcat executable in /usr/local/bin, the path to that local executable would be hard-coded, resulting in binaries that won't typically work on unmodified Debian systems. Forcing the canonical path will make it work on any combination of unified-/usr and non-unified-/usr build and runtime systems. Signed-off-by: Simon McVittie <s...@debian.org> --- debian/rules | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/rules b/debian/rules index 22b77acc..9de18cae 100755 --- a/debian/rules +++ b/debian/rules @@ -8,6 +8,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all override_dh_auto_configure: ./bootstrap dh_auto_configure -- \ + ZCAT=/bin/zcat \ --with-auth-pam \ --with-group-queue=opensmtpq \ --with-mantype=doc \ -- 2.33.0
