Debian Bug report logs -
#1001210
ksh93u+m: stores wrong path to tput if /bin/tput or /usr/local/bin/tput exists
Reported by: Simon McVittie <smcv@debian.org>
Date: Mon, 6 Dec 2021 13:24:04 UTC
Severity: important
Tags: bookworm, patch, sid
Found in version ksh93u+m/1.0.0~beta.1-3
Fixed in version ksh93u+m/1.0.0~beta.2-1
Done: Anuradha Weeraman <anuradha@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Anuradha Weeraman <anuradha@debian.org>:
Bug#1001210; Package src:ksh93u+m.
(Mon, 06 Dec 2021 13:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Anuradha Weeraman <anuradha@debian.org>.
(Mon, 06 Dec 2021 13:24:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: ksh93u+m
Version: 1.0.0~beta.1-3
Severity: important
Tags: patch bookworm sid
User: reproducible-builds@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
If ksh93u+m is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the path to tput
is recorded in the binary package as /bin/tput, rather than the
canonical /usr/bin/tput.
This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/ksh93u+m.html
If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends=usrmerge and once without.
The problematic situation is if the package is *built* on a unified-/usr
system, but *used* on a non-unified-/usr system. In this situation,
/bin/tput exists on the build system but not on the system where the
package will be used, resulting in the features that use this executable
not working correctly.
Similarly, if there is a /usr/local/bin/tput visible at build-time,
then that path would likely end up hard-coded into the binary,
causing the relevant feature to fail on all systems that do not have
/usr/local/bin/tput.
Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and variation between merged-/usr and
non-merged-/usr builds is a problem while that transition is taking
place, because it can lead to partial upgrades behaving incorrectly. It
is likely that this class of bugs will become release-critical later in
the bookworm development cycle.
The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends=usrmerge. Unfortunately I was
not able to find a way to do this via build-time configuration, which
would have been preferable to patching.
Some developers advocate unifying /bin with /usr/bin via a symlink farm
in /bin instead of merged-/usr, but that strategy would have a similar
practical effect on this particular package, and the same solution would
be required.
A side benefit of fixing this is that this change might be sufficient
to make the package reproducible in general (as recommended by Policy
§4.15).
smcv
[Hard-code-tput-to-be-found-at-usr-bin-tput.patch (text/x-diff, attachment)]
Reply sent
to Anuradha Weeraman <anuradha@debian.org>:
You have taken responsibility.
(Sat, 18 Dec 2021 03:36:04 GMT) (full text, mbox, link).
Notification sent
to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer.
(Sat, 18 Dec 2021 03:36:04 GMT) (full text, mbox, link).
Message #10 received at 1001210-close@bugs.debian.org (full text, mbox, reply):
Source: ksh93u+m
Source-Version: 1.0.0~beta.2-1
Done: Anuradha Weeraman <anuradha@debian.org>
We believe that the bug you reported is fixed in the latest version of
ksh93u+m, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1001210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anuradha Weeraman <anuradha@debian.org> (supplier of updated ksh93u+m package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Dec 2021 20:27:30 +0530
Source: ksh93u+m
Architecture: source
Version: 1.0.0~beta.2-1
Distribution: unstable
Urgency: high
Maintainer: Anuradha Weeraman <anuradha@debian.org>
Changed-By: Anuradha Weeraman <anuradha@debian.org>
Closes: 1001210
Changes:
ksh93u+m (1.0.0~beta.2-1) unstable; urgency=high
.
* New upstream release.
* Debian-specific patch by Simon McVittie to hardcode location of tput
to address reproducibility issue. (Closes: #1001210)
Checksums-Sha1:
7fa581024a98f637d0655d39cb5369cf0a837519 1941 ksh93u+m_1.0.0~beta.2-1.dsc
5ea69f10b567240d8ff1e45320b1f1e7b03ffa74 2238224 ksh93u+m_1.0.0~beta.2.orig.tar.gz
6e79137cebd5a4c10cf05e2c771a335292070825 15504 ksh93u+m_1.0.0~beta.2-1.debian.tar.xz
737dc35b8b43c4784b5119eca56c2b0467552bbb 6365 ksh93u+m_1.0.0~beta.2-1_amd64.buildinfo
Checksums-Sha256:
e1c625ce98be49d9c199435093212f6d1ab744fcf715e03bae7a30b62ef1d7fd 1941 ksh93u+m_1.0.0~beta.2-1.dsc
d8678d23c3c9633a03e4fc895e604cdd0af2ff006d0268579b3a29beddfb8463 2238224 ksh93u+m_1.0.0~beta.2.orig.tar.gz
6c70cfec3f014e11e3c967e56eb89e9a1bc69bc203e62c2e4c7026199fb118d1 15504 ksh93u+m_1.0.0~beta.2-1.debian.tar.xz
44565573831ad40134772dafb1d2958de0acefa08294fad9b5bef677ffe8ab54 6365 ksh93u+m_1.0.0~beta.2-1_amd64.buildinfo
Files:
74bb45564fd1e03eed6252d50013f618 1941 shells optional ksh93u+m_1.0.0~beta.2-1.dsc
ea6f0bd764ff1ed681b914c114078af1 2238224 shells optional ksh93u+m_1.0.0~beta.2.orig.tar.gz
bdfb7c864fbea88a7ab2c46a2308b5c7 15504 shells optional ksh93u+m_1.0.0~beta.2-1.debian.tar.xz
8d8ff7a0a28d1fe703e271578ccc0e6b 6365 shells optional ksh93u+m_1.0.0~beta.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE9WuPFOAUze9dBH/BY221odkYYP0FAmG9UrEACgkQY221odkY
YP0nvA/6AyyESMNWcr/Btr1+G73qVnM6ma/OG3NyMNY2T8WMehMT3BYgilqfQ19E
Bxt3To+1njC2E4dr8vymJ0S0SdbKS3c0fTGPI7ROI4glnWrMTESRnmV6T6z+pYSA
iJMBXok1Y2KX8sdRxwQ5faXz3oEcZHWEooagxpkaaEi0EW/sMhH98us+YWVvj3mD
UxD9Cvnjy75lyc+CkgHrnk3GlBoeFwLJKXNdCnL5N6LTJAklPVciT5Q8835Megku
IXxWTkT2ZM3mJ8fHBZCURNLNFBruYizpYLvV7EjMRJE65zNJH2aJ7EY2ZruvbdF5
1GaBp3S8CcLnQyqXUMqRJ8HlX1yVKZ9HS4o4VL5y+VbVnCTM0ekFXI+J+NZv55wR
WQs8Q3xGrpaTRapmMWF7AdNCObOR5fOXq0WBztVOZyiqAcmgpf2TtIV/S+osMfCO
ZtHQ1cAj1IA6rq9HoqEY7Z1B9QBaUWymikraguuatVy3fd2saUjg25rUfwFwnGN9
K79JQbmQ4+GZElYOZc4qmmlzizOmxCfNx665qMyQLMzvpYEXwLIUg7KL91z1FT12
U/nCRwAwgMz42nCqyciHZXS/B8kGmRbjLuYfJcBnU/ikUPiQX3KamPyRW56gfYIi
Sk6//Y+BN4iHOdfC9W8t7HG2tC5C9Mq5By/czd7lzbW7//sq9rA=
=BYqN
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 18 Jan 2022 07:25:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 17 11:09:50 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.