Debian Bug report logs -
#1003929
ncurses: please make the build reproducible
Reported by: "Chris Lamb" <lamby@debian.org>
Date: Tue, 18 Jan 2022 09:30:01 UTC
Severity: wishlist
Tags: patch
Found in version ncurses/6.3-2
Fixed in version ncurses/6.3+20220423-1
Done: Sven Joachim <svenjoac@gmx.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Craig Small <csmall@debian.org>:
Bug#1003929; Package src:ncurses.
(Tue, 18 Jan 2022 09:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Craig Small <csmall@debian.org>.
(Tue, 18 Jan 2022 09:30:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: ncurses
Version: 6.3-2
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: umask
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Whilst working on the Reproducible Builds effort [0] we noticed that
ncurses could not be built reproducibly.
This is because the README.gz file will retain its group-writeable bit
due to the use of dh_fixperms -Xfoo, and will thus vary when the package
is built with a different umask:
--rw-r--r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
+-rw-rw-r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
Patch attached that removes this bit manually, but feel free to go with a
different solution, of course.
[0] https://reproducible-builds.org/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
[ncurses.diff.txt (text/plain, attachment)]
Message sent on
to "Chris Lamb" <lamby@debian.org>:
Bug#1003929.
(Wed, 19 Jan 2022 16:51:02 GMT) (full text, mbox, link).
Message #8 received at 1003929-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #1003929 in ncurses reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/ncurses/-/commit/f95536eca40eea5942d9f9df77789559e4c3ee7c
------------------------------------------------------------------------
Ensure correct permissions of the README file in ncurses-examples
Closes: #1003929
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1003929
Added tag(s) pending.
Request was from Sven Joachim <noreply@salsa.debian.org>
to 1003929-submitter@bugs.debian.org.
(Wed, 19 Jan 2022 16:51:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#1003929; Package src:ncurses.
(Wed, 19 Jan 2022 17:21:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>.
(Wed, 19 Jan 2022 17:21:02 GMT) (full text, mbox, link).
Message #15 received at 1003929@bugs.debian.org (full text, mbox, reply):
On 2022-01-18 09:26 +0000, Chris Lamb wrote:
> Source: ncurses
> Version: 6.3-2
> Severity: wishlist
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: umask
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
>
> Hi,
>
> Whilst working on the Reproducible Builds effort [0] we noticed that
> ncurses could not be built reproducibly.
Thanks. I should have noticed that from the failing reprotest in the
Salsa CI, but did not look closely and thought that it would be due to a
different problem that has shown up on i386 since ncurses 6.3-1.
> This is because the README.gz file will retain its group-writeable bit
> due to the use of dh_fixperms -Xfoo, and will thus vary when the package
> is built with a different umask:
>
> --rw-r--r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
> +-rw-rw-r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
>
> Patch attached that removes this bit manually, but feel free to go with a
> different solution, of course.
> --- a/debian/rules 2022-01-18 08:47:42.277389249 +0000
> --- b/debian/rules 2022-01-18 09:03:30.547729907 +0000
> @@ -508,6 +508,7 @@
> dh_compress -p$(package-examples) usr/libexec/ncurses-examples/README
> dh_compress -a -N$(package-examples)
> dh_fixperms -a -Xusr/libexec/ncurses-examples/README
> + chmod g-w debian/ncurses-examples/usr/libexec/ncurses-examples/README.gz
That works with umask 002, but in fact the file could have any
permissions from 000 to 666, depending on the umask used when the source
was unpacked.
I have installed a different fix, and now the reprotest succeeds
again[1].
Cheers,
Sven
1. https://salsa.debian.org/debian/ncurses/-/pipelines/339074
Information forwarded
to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#1003929; Package src:ncurses.
(Wed, 19 Jan 2022 21:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>.
(Wed, 19 Jan 2022 21:57:02 GMT) (full text, mbox, link).
Message #20 received at 1003929@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wed, Jan 19, 2022 at 06:19:52PM +0100, Sven Joachim wrote:
> On 2022-01-18 09:26 +0000, Chris Lamb wrote:
>
> > Source: ncurses
> > Version: 6.3-2
> > Severity: wishlist
> > Tags: patch
> > User: reproducible-builds@lists.alioth.debian.org
> > Usertags: umask
> > X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> >
> > Hi,
> >
> > Whilst working on the Reproducible Builds effort [0] we noticed that
> > ncurses could not be built reproducibly.
>
> Thanks. I should have noticed that from the failing reprotest in the
> Salsa CI, but did not look closely and thought that it would be due to a
> different problem that has shown up on i386 since ncurses 6.3-1.
>
> > This is because the README.gz file will retain its group-writeable bit
> > due to the use of dh_fixperms -Xfoo, and will thus vary when the package
> > is built with a different umask:
> >
> > --rw-r--r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
> > +-rw-rw-r-- 0 root (0) root (0) 7937 2021-03-07 00:08:58.000000 ./usr/libexec/ncurses-examples/README.gz
> >
> > Patch attached that removes this bit manually, but feel free to go with a
> > different solution, of course.
>
> > --- a/debian/rules 2022-01-18 08:47:42.277389249 +0000
> > --- b/debian/rules 2022-01-18 09:03:30.547729907 +0000
> > @@ -508,6 +508,7 @@
> > dh_compress -p$(package-examples) usr/libexec/ncurses-examples/README
> > dh_compress -a -N$(package-examples)
> > dh_fixperms -a -Xusr/libexec/ncurses-examples/README
> > + chmod g-w debian/ncurses-examples/usr/libexec/ncurses-examples/README.gz
>
> That works with umask 002, but in fact the file could have any
> permissions from 000 to 666, depending on the umask used when the source
> was unpacked.
>
> I have installed a different fix, and now the reprotest succeeds
> again[1].
The last change does a "chmod -x" (which is odd, since the tarball uses
644 for README).
> Cheers,
> Sven
>
>
> 1. https://salsa.debian.org/debian/ncurses/-/pipelines/339074
>
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#1003929; Package src:ncurses.
(Wed, 19 Jan 2022 22:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>.
(Wed, 19 Jan 2022 22:15:03 GMT) (full text, mbox, link).
Message #25 received at 1003929@bugs.debian.org (full text, mbox, reply):
On 2022-01-19 16:54 -0500, Thomas Dickey wrote:
> The last change does a "chmod -x" (which is odd, since the tarball uses
> 644 for README).
The dh_fixperms command makes all files under /usr/libexec executable,
and the chmod call just undoes that.
Cheers,
Sven
Reply sent
to Sven Joachim <svenjoac@gmx.de>:
You have taken responsibility.
(Tue, 26 Apr 2022 18:24:03 GMT) (full text, mbox, link).
Notification sent
to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer.
(Tue, 26 Apr 2022 18:24:03 GMT) (full text, mbox, link).
Message #30 received at 1003929-close@bugs.debian.org (full text, mbox, reply):
Source: ncurses
Source-Version: 6.3+20220423-1
Done: Sven Joachim <svenjoac@gmx.de>
We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003929@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated ncurses package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 Apr 2022 19:52:23 +0200
Source: ncurses
Architecture: source
Version: 6.3+20220423-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Closes: 999437 1003929 1009870
Changes:
ncurses (6.3+20220423-1) unstable; urgency=medium
.
* New upstream patchlevel.
- Add a limit-check to guard against corrupt terminfo data
(report/testcase by NCNIPC of China (CVE-2022-29458),
Closes: #1009870).
- Minor clarification to clear.1 (Closes: #999437).
* Refresh Debian patches.
* Update symbols files.
* Ensure that the README file in ncurses-examples has correct
permissions (Closes: #1003929).
* Add a lintian override to ncurses-examples for a false positive
bash-term-in-posix-shell in tput-initc.
* Update debian/ncurses-term.links to avoid a broken symlink
/usr/share/terminfo/r/rxvt-color.
* Remove libmd-dev build dependency on kfreebsd, no longer needed.
Checksums-Sha1:
aab51272dc0c01393bbb20f34d199463303dd27e 4200 ncurses_6.3+20220423-1.dsc
4c0466c847b29d7eaec850327dc43db6711a05d0 3611993 ncurses_6.3+20220423.orig.tar.gz
29c51309c8c7bde9ae0946bfce28851507606dea 729 ncurses_6.3+20220423.orig.tar.gz.asc
8b7fa4ae92f3e2e50776c2d1700c1030bc8932ba 54400 ncurses_6.3+20220423-1.debian.tar.xz
14528f4cd8315bf0f81f9705c4fc12579472a01c 5668 ncurses_6.3+20220423-1_source.buildinfo
Checksums-Sha256:
35c7a6fd8ce140cbcebde10eb0a349b94e3cf45ef2a1000785819feb1f5ff212 4200 ncurses_6.3+20220423-1.dsc
a6bdfe499ae98ee937fed4729de09ffea08201317a9d16ed5d0142ac8b8b30e1 3611993 ncurses_6.3+20220423.orig.tar.gz
6771460069f300048dd7c7a41027cd38250b4f28d5f1dcef9cf8edb9b5ca691c 729 ncurses_6.3+20220423.orig.tar.gz.asc
6a271687063b669ea9daaefc384a8babb7dc6e8dd2ef4ae5894bff3c39e1ce3a 54400 ncurses_6.3+20220423-1.debian.tar.xz
79405771e3182d391af13b84433ef761f015326f4ba982d5fd0f42c473a45274 5668 ncurses_6.3+20220423-1_source.buildinfo
Files:
7a15a2cf5a5a739ca1656beccfc14f51 4200 libs required ncurses_6.3+20220423-1.dsc
b05833918e9d5c6028ffa37678a82a51 3611993 libs required ncurses_6.3+20220423.orig.tar.gz
f3d466bfe2a2575a9bc2c5b0fb542018 729 libs required ncurses_6.3+20220423.orig.tar.gz.asc
0e35cf244399fce05ea62e674c47d259 54400 libs required ncurses_6.3+20220423-1.debian.tar.xz
f434b6ab314be50cdf12c8f8576208fc 5668 libs required ncurses_6.3+20220423-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEKF8heKgv5Jai5p4QOxBucY1rMawFAmJoMfYACgkQOxBucY1r
May49A//ZedhdrNtKvXRRWxusWjnVll1B9WXblbqwrDlsfPRTnW6XnD+yY50SlWj
p9Fi7m3APJ0yYHP2yel4tTz8x6d8k46N0grHuK5MWyIbC4W56BYNyncRjSAsFTs0
+xx2Sioq05bAGCQLB8Ofh8sUHUE8RnsgQWLJgBfGHDzaGHJSa/bM+pk3mhuusLPM
FqUSdBHypthy/NlZmPAnWsXJWQHukYF6I+I28qz9SSDErM6rbHkFNUaVB+0SUK9V
ASk7NfgKb91IbiYgDG6iuNxY/8c1Pixm9cj12LcSEIAJgIH0EVFq2jkBkJbA/RyH
7ZKEv3gwXleDzJx9i1T0O0U3J8CmGptsx6+LhfvHAvtGGKjb/aQ/W8P/wyHougks
vVExzwMzPZIUwptueSWYpPM3vyVBIWMCgHHSsjbkD7N7kLtK+q4V0jXUIWh9t3UF
JHfQUl6vc2Gdx3poHKSn3Rou6Zk1OCWMRaoY3GbprEd7chQBJmDnypeAxDguqM9x
6lGwS0vH9XCvC15PASN0mp+BYpEdXPd/ufQJqZ8O5saUOMf0uBKq4Ia3msOV/450
Q9y8dFGTRVdrirwGuNF8mJhe1eg+gmUbkHR2bX4xV+/UZco1FCkpnEm3FXE5+/Xc
1NDNOxlBBDdBNyqKz8OjUPp7cILlJlRFtJDt4Qj2qYF7nrPfH88=
=1wHO
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 25 May 2022 07:25:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 17 11:03:35 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.