Your message dated Fri, 22 Jul 2022 10:19:37 +0000
with message-id <e1oepkv-0009yr...@fasolo.debian.org>
and subject line Bug#992651: fixed in sharutils 1:4.15.2-6
has caused the Debian Bug report #992651,
regarding sharutils: stores wrong path to bash if built on merged-/usr system
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
992651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992651
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sharutils
Version: 1:4.15.2-5
Severity: important
Tags: patch bookworm sid
User: reproducible-bui...@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
If sharutils is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the path to bash
is recorded in the binary as /usr/bin/bash.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/sharutils.html
(search for "/usr/bin/bash" to see the difference I'm concerned about).

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

The problematic situation is if the package is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/usr/bin/bash exists on the build system but not on the system where
sharutils will be used, resulting in the feature that uses bash not being
available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

Some Debian developers advocate that instead of merged-/usr, we should
use a different strategy where /bin becomes a "symlink farm" with
individual symlinks such as /bin/bash -> /usr/bin/bash. If that route is
taken instead of merged-/usr, then resolving bugs like this one will be
equally important as part of that transition, because it shares the
property that both /bin/bash and /usr/bin/bash exist after the transition,
but only /bin/bash exists on untransitioned systems.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

smcv
From ba667fd7e76dde2d70729a7458ffdb2d15cdf1d3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Sat, 21 Aug 2021 18:49:16 +0100
Subject: [PATCH] d/rules: Specify canonical path to bash
If sharutils is built on a merged-/usr system where both /usr/bin/bash
and /bin/bash exist, it will hard-code the former into its executable,
resulting in a binary package that will not work correctly when used on
non-merged-/usr systems. Forcing the canonical path will make it work
on any combination of merged-/usr and non-merged-/usr build and runtime
systems.
Run autoreconf so that the modified m4 files are picked up.
Signed-off-by: Simon McVittie <s...@debian.org>
---
debian/control | 2 +-
...t-POSIX_SHELL-from-the-environment-d.patch | 44 +++++++++++++++++++
debian/patches/series | 1 +
debian/rules | 5 ++-
4 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
diff --git a/debian/control b/debian/control
index ec86070..d69acfd 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: utils
Priority: optional
Maintainer: Santiago Vila <sanv...@debian.org>
Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9.20120311), texinfo
+Build-Depends: debhelper (>= 9.20120311), dh-autoreconf, texinfo
Homepage: https://www.gnu.org/software/sharutils/
Rules-Requires-Root: no
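Review bot: The added dh-autoreconf entry in Build-Depends is only needed while the package stays below debhelper compat level 10, which the unchanged "debhelper (>= 9.20120311)" constraint suggests is the case here. From compat 10 onwards dh runs the autoreconf sequence by default, so if the compat level is raised, this entry and the "--with autoreconf" addition in debian/rules should be revisited together rather than left as redundant.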
diff --git a/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch b/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
new file mode 100644
index 0000000..5682187
--- /dev/null
+++ b/debian/patches/libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
@@ -0,0 +1,44 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sat, 21 Aug 2021 19:19:03 +0100
+Subject: libopts.m4: accept POSIX_SHELL from the environment during
+ the configure step
+
+This lets us set it to the canonical path /bin/bash, even on systems
+where both /bin/bash and /usr/bin/bash are available, and therefore
+which(1) might return /usr/bin/bash (depending on PATH order).
+
+Both copies of libopts.m4 are marked as generated files, but the files
+from which they were generated do not seem to be present in the sharutils
+package. This change is equivalent to part of a 2016 autogen commit
+<https://git.savannah.gnu.org/cgit/autogen.git/commit/?id=db064b9a>.
+
+Origin: https://git.savannah.gnu.org/cgit/autogen.git/commit/?id=db064b9a
+---
+ libopts/m4/libopts.m4 | 1 +
+ m4/libopts.m4 | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libopts/m4/libopts.m4 b/libopts/m4/libopts.m4
+index 1a896d9..3b88426 100644
+--- a/libopts/m4/libopts.m4
++++ b/libopts/m4/libopts.m4
+@@ -114,6 +114,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
+ AC_PROG_SED
+ [while :
+ do
++ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=`which bash`
+ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=`which dash`
+diff --git a/m4/libopts.m4 b/m4/libopts.m4
+index c7ba4f3..a1127e1 100644
+--- a/m4/libopts.m4
++++ b/m4/libopts.m4
+@@ -114,6 +114,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
+ AC_PROG_SED
+ [while :
+ do
++ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=`which bash`
+ test -x "$POSIX_SHELL" && break
+ POSIX_SHELL=`which dash`
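Review bot: In both libopts.m4 copies, the added line test -x "$POSIX_SHELL" && break accepts whatever executable the configure environment names, so a POSIX_SHELL that happens to be exported on a build machine would be recorded in the binary without any warning. The patch description should say that the packaging is expected to pass the value explicitly (as debian/rules does with /bin/bash), and a check that the value is an absolute path would be worth proposing upstream. The header carries Origin but no Forwarded field; since the description says the change is equivalent to an existing autogen commit, "Forwarded: not-needed" would record that.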
diff --git a/debian/patches/series b/debian/patches/series
index 08981a6..f852870 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
01-fix-heap-buffer-overflow-cve-2018-1000097.patch
02-fix-ftbfs-with-glibc-2.28.patch
03-fix-ftbfs-with-gcc-10.patch
+libopts.m4-accept-POSIX_SHELL-from-the-environment-d.patch
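Review bot: The added series entry does not follow the numbered naming of the three existing patches (01-, 02-, 03-). Giving it an 04- prefix would keep the application order readable from the file names alone.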
diff --git a/debian/rules b/debian/rules
index 4a2de5e..500e1d9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
#!/usr/bin/make -f
%:
- dh $@
+ dh $@ --with autoreconf
package = sharutils
@@ -10,6 +10,9 @@ override_dh_auto_clean:
dh_auto_clean
rm -rf doc/$(package)
+override_dh_auto_configure:
+ dh_auto_configure -- POSIX_SHELL=/bin/bash
+
override_dh_installdocs-indep:
cd doc && makeinfo --html --split=chapter $(package).texi
dh_installdocs -i doc/$(package)/*.html
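Review bot: In override_dh_auto_configure, POSIX_SHELL=/bin/bash only takes effect when configure has been regenerated from the patched libopts.m4. If the autoreconf step is ever dropped, configure falls back to the original `which bash` lookup and the build still succeeds with the wrong path. A post-build check that the built binaries contain no /usr/bin/bash string would make that regression fail loudly, and a short comment above the override pointing at #992651 would explain why the variable is forced.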
--
2.33.0
--- End Message ---
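A build-time check for the class of bug described in the report above, as an added example that is not part of the original messages or of the sharutils packaging: it scans a built file for embedded /usr/bin or /usr/sbin paths to programs that a non-merged-/usr system only provides under /bin or /sbin. The function names and the short CANONICAL_BIN list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag merged-/usr-only interpreter paths baked into a file.
# CANONICAL_BIN is an illustrative, incomplete list (an assumption) of
# programs that a non-merged-/usr Debian system ships under /bin.
CANONICAL_BIN="bash dash sh sed grep tar gzip mount"

# Print every embedded /usr/bin/NAME or /usr/sbin/NAME whose NAME is listed
# in CANONICAL_BIN. grep -a treats the binary as text; -o prints matches only.
find_noncanonical_paths() {
    LC_ALL=C grep -a -o -E '/usr/s?bin/[A-Za-z0-9._+-]+' "$1" | sort -u |
    while IFS= read -r path; do
        name=${path##*/}
        for tool in $CANONICAL_BIN; do
            if [ "$name" = "$tool" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Return 0 if the file is clean, 1 if a non-canonical path was found,
# so the function can gate a build or CI step.
check_built_file() {
    hits=$(find_noncanonical_paths "$1")
    if [ -n "$hits" ]; then
        printf 'non-canonical path in %s: %s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample: NUL-separated strings as they might sit in a binary.
# /usr/bin/perl is canonical in both layouts and must not be flagged.
make_constructed_sample() {
    printf 'ELF\000/usr/bin/bash\000-c\000/bin/sh\000/usr/bin/perl\000' > "$1"
}

# When file arguments are given, check each one and exit non-zero on a hit.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_built_file "$f" || rc=1
    done
    exit "$rc"
fi
```

Run with the built binaries as arguments after the build step; a non-zero exit status means a merged-/usr path leaked into the package.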
--- Begin Message ---
Source: sharutils
Source-Version: 1:4.15.2-6
Done: Santiago Vila <sanv...@debian.org>
We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 992...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated sharutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 22 Jul 2022 12:05:00 +0200
Source: sharutils
Architecture: source
Version: 1:4.15.2-6
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 992651
Changes:
sharutils (1:4.15.2-6) unstable; urgency=medium
.
* Modify libopts.m4 so that POSIX_SHELL is accepted from the
environment during the configure step. Closes: #992651.
This should allow building both with or without usr-merge.
Run autoreconf so that the modified m4 files are picked up.
Thanks a lot to Simon McVittie.
* Raise debhelper compat level.
* Update paths in debian/sharutils-doc.doc-base, as docs are now
installed directly in /usr/share/doc/sharutils.
--- End Message ---