Debian Bug report logs - #915348
foomatic-db-engine: reproducible build (usrmerge): embeds path of gzip (et.al.) found via PATH

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: foomatic-db-engine: reproducible build (usrmerge): embeds path of gzip (et.al.) found via PATH

Date: Sun, 2 Dec 2018 22:47:12 +0100

Package: foomatic-db-engine
Version: 4.0.13-2
Severity: normal
User: md@linux.it
Usertags: usrmerge

Dear Maintainer,

Thanks for looking into trying to make foomatic-dbengine reproducible
on merged-usr vs non-merged, unfortunately you seem to have missed
*atleast* one variable that still makes your package non-reproducible.

The new version 4.0.13-2 still has problems with gzip.
This should be easily fixable by just passing GZIP=/bin/gzip to
configure the same way as the others, but bear with me because there
are several other semi-related issues that you might also want to
fix while at it (even though they have absolutely no relation to
usrmerge).

Here's a snippet  from the diffoscope output by reproducible-builds:

│ │ │ ├── ./usr/share/perl5/Foomatic/Defaults.pm
│ │ │ │ @@ -70,12 +70,12 @@
│ │ │ │      'rlpr' => '/usr/bin/rlpr',
│ │ │ │      'smbclient' => '/usr/bin/smbclient',
│ │ │ │      'nprint' => '/usr/bin/nprint',
│ │ │ │      'ptal-connect' => '/usr/bin/ptal-connect',
│ │ │ │      'ptal-pipes' => '/var/run/ptal-printd',
│ │ │ │      'mtink-pipes' => '/var/mtink',
│ │ │ │      'cat' => '/bin/cat',
│ │ │ │ -    'gzip' => '/bin/gzip',
│ │ │ │ +    'gzip' => '/usr/bin/gzip',
│ │ │ │      'wget' => '/usr/bin:/bin:/usr/local/bin:/usr/sbin:/sbin:/usr/local/sbin:/etc/sbin',
│ │ │ │      'curl' => '/usr/bin:/bin:/usr/local/bin:/usr/sbin:/sbin:/usr/local/sbin:/etc/sbin'
│ │ │ │  };


Please notice the values for wget and curl!

Here's a quoted snippet from the configure.ac file in the source:

> AC_PATH_PROG(CAT,cat,CAT_NOT_FOUND,$BSB)
> AC_PATH_PROG(GS,gs,GHOSTSCRIPT_NOT_FOUND,$BSB)
> AC_PATH_PROG(A2PS,a2ps,A2PS_NOT_FOUND,$BSB)
> AC_PATH_PROG(WGET,wget,$BSB)

The $BSB should be the *fourth* argument. Now the search path is instead
being used as the default value when wget is not found.

> AC_PATH_PROG(CURL,curl,$BSB)

Same as previous.

> if test -z "$CURL" -a -z "$CURL" ; then

One of these should likely be $WGET.

>         AC_MSG_ERROR("cannot find wget and curl.  You need to install at least o
> ne");
> fi
> AC_PATH_PROG(PRINTF,printf,$BSB)dnl

Same problem as with WGET and CURL. The $BSB should be forth argument.

The above mentioned things are ofcourse upstream bugs which you
might want to discuss to get fixed upstream.


Please also note that you most likely want to go over *all* AC_PROG_*
and AC_PATH_PROG variables, see which ones gets embedded into shipped
files (or just assume all of them), and pass all of those explicitly.
If you don't do that then god forbid someone installed something in
/usr/local which will instead be picked up.

Hope this helps.

Regards,
Andreas Henriksson

Message #10 received at 915348-close@bugs.debian.org (full text, mbox, reply):

From: Didier Raboud <odyx@debian.org>

To: 915348-close@bugs.debian.org

Subject: Bug#915348: fixed in foomatic-db-engine 4.0.13-3

Date: Wed, 05 Dec 2018 22:49:19 +0000

Source: foomatic-db-engine
Source-Version: 4.0.13-3

We believe that the bug you reported is fixed in the latest version of
foomatic-db-engine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915348@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated foomatic-db-engine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Dec 2018 23:31:56 +0100
Source: foomatic-db-engine
Binary: foomatic-db-engine
Architecture: source
Version: 4.0.13-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Group <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 foomatic-db-engine - OpenPrinting printer support - programs
Closes: 915348
Changes:
 foomatic-db-engine (4.0.13-3) unstable; urgency=medium
 .
   * merged-/usr support:
     - Add patch to fix CURL and WGET detection
     - Enforce fixed paths for more binaries (Closes: #915348)
Checksums-Sha1:
 ef2a58a97038da414fd1a85b2384243fcbc982ca 2023 foomatic-db-engine_4.0.13-3.dsc
 d923990cd6e25248d4a7adbd4ab3c1508792fbf3 18540 foomatic-db-engine_4.0.13-3.debian.tar.xz
Checksums-Sha256:
 e0b0e28b4c2a92c321b98a565c2385019a2085d0d0140c16627fc673dd24df83 2023 foomatic-db-engine_4.0.13-3.dsc
 71c42587fc82a51aaf5cbda0ec8d03a37cf3fd21c082865c2e2187c97977fed5 18540 foomatic-db-engine_4.0.13-3.debian.tar.xz
Files:
 fe1d67452a33ffab30a0d710cdecbcc0 2023 text optional foomatic-db-engine_4.0.13-3.dsc
 cced2f1f31466f340b8794cfd4febf9e 18540 text optional foomatic-db-engine_4.0.13-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEe+WPIRpjNw1/GSB7i8+nHsoWNFUFAlwIUwEACgkQi8+nHsoW
NFWrQQv+NNgQnBDIsLiAnFx/o9YevMw5daUVk2pohgoqbP0oZ03ikvyi4+IIiZuD
HvrraRWN3kliiSg1xTb5glW6LD/67oz0Z1x5Dx6nwN1lyyhe4w6S/o0WxuRD8Yr0
d+x03nzsaxwq4HKAgsbHPrKXR+1mYdrIkTeZEYwYxMArzDyQ1VqAeD4MMxCmnEpW
Jce3nBEh+b/4UGAw8TGDRKczhXAIgx/5DzV53H+B5S/ijcPwvr20kwkrUtTKdjCb
iQasaSp93HzBkaiwwqFGFahfVYkIQLKxYncOA/jEtdbDIUh+wYp+6Ls0fnam7tV9
HYhy9hpJ28/g3evy5FD3LU/ro5lEM8Z5aZAfBmlOd7XTSr9eSmU7/wXTrfvvnxWR
hOH9gfz+pGooQoVHtEXqHFITOJQjR6nR9ZnqCDQBlCtcCXMHWfvyoZ4p7ES5y0qW
nWAmz7+c70Q+YxAabxmGNceDAvVJDpcvJNEjJF9jvJlfAqkRYwflrisKyI5RhGe/
jxRcPIWm
=l5qt
-----END PGP SIGNATURE-----

Message #15 received at 915348@bugs.debian.org (full text, mbox, reply):

From: Didier 'OdyX' Raboud <odyx@debian.org>

To: Andreas Henriksson <andreas@fatal.se>, 915348@bugs.debian.org

Subject: Re: Bug#915348: foomatic-db-engine: reproducible build (usrmerge): embeds path of gzip (et.al.) found via PATH

Date: Thu, 06 Dec 2018 19:14:25 +0100

[Message part 1 (text/plain, inline)]

Control: tags -1 +patch

Hi there Andreas,

Le dimanche, 2 décembre 2018, 22.47:12 h CET Andreas Henriksson a écrit :
> Thanks for looking into trying to make foomatic-dbengine reproducible
> on merged-usr vs non-merged, unfortunately you seem to have missed
> *atleast* one variable that still makes your package non-reproducible.

Indeed I did; so embarassing.

> The new version 4.0.13-2 still has problems with gzip.
> This should be easily fixable by just passing GZIP=/bin/gzip to
> configure the same way as the others, but bear with me because there
> are several other semi-related issues that you might also want to
> fix while at it (even though they have absolutely no relation to
> usrmerge).

Great, thanks for the scrutiny!

> Here's a snippet  from the diffoscope output by reproducible-builds:
> 
> │ │ │ ├── ./usr/share/perl5/Foomatic/Defaults.pm
> │ │ │ │ @@ -70,12 +70,12 @@
> │ │ │ │      'rlpr' => '/usr/bin/rlpr',
> │ │ │ │      'smbclient' => '/usr/bin/smbclient',
> │ │ │ │      'nprint' => '/usr/bin/nprint',
> │ │ │ │      'ptal-connect' => '/usr/bin/ptal-connect',
> │ │ │ │      'ptal-pipes' => '/var/run/ptal-printd',
> │ │ │ │      'mtink-pipes' => '/var/mtink',
> │ │ │ │      'cat' => '/bin/cat',
> │ │ │ │ -    'gzip' => '/bin/gzip',
> │ │ │ │ +    'gzip' => '/usr/bin/gzip',
> │ │ │ │      'wget' =>
> '/usr/bin:/bin:/usr/local/bin:/usr/sbin:/sbin:/usr/local/sbin:/etc/sbin', │
> │ │ │      'curl' =>
> '/usr/bin:/bin:/usr/local/bin:/usr/sbin:/sbin:/usr/local/sbin:/etc/sbin' │
> │ │ │  };
> 
> 
> Please notice the values for wget and curl!
> 
> Here's a quoted snippet from the configure.ac file in the source:
> > AC_PATH_PROG(CAT,cat,CAT_NOT_FOUND,$BSB)
> > AC_PATH_PROG(GS,gs,GHOSTSCRIPT_NOT_FOUND,$BSB)
> > AC_PATH_PROG(A2PS,a2ps,A2PS_NOT_FOUND,$BSB)
> > AC_PATH_PROG(WGET,wget,$BSB)
> 
> The $BSB should be the *fourth* argument. Now the search path is instead
> being used as the default value when wget is not found.
> 
> > AC_PATH_PROG(CURL,curl,$BSB)
> 
> Same as previous.
> 
> > if test -z "$CURL" -a -z "$CURL" ; then
> 
> One of these should likely be $WGET.
> 
> >         AC_MSG_ERROR("cannot find wget and curl.  You need to install at
> >         least o
> > 
> > ne");
> > fi
> > AC_PATH_PROG(PRINTF,printf,$BSB)dnl
> 
> Same problem as with WGET and CURL. The $BSB should be forth argument.
> 
> The above mentioned things are ofcourse upstream bugs which you
> might want to discuss to get fixed upstream.

Indeed. The following patch should do it.

-- a/configure.ac
+++ b/configure.ac
@@ -116,12 +116,12 @@ fi
 AC_PATH_PROG(CAT,cat,CAT_NOT_FOUND,$BSB)
 AC_PATH_PROG(GS,gs,GHOSTSCRIPT_NOT_FOUND,$BSB)
 AC_PATH_PROG(A2PS,a2ps,A2PS_NOT_FOUND,$BSB)
-AC_PATH_PROG(WGET,wget,$BSB)
-AC_PATH_PROG(CURL,curl,$BSB)
-if test -z "$CURL" -a -z "$CURL" ; then
+AC_PATH_PROG(WGET,wget,WGET_NOT_FOUND,$BSB)
+AC_PATH_PROG(CURL,curl,CURL_NOT_FOUND,$BSB)
+if test -z "$CURL" -a -z "$WGET" ; then
        AC_MSG_ERROR("cannot find wget and curl.  You need to install at least 
one");
 fi
-AC_PATH_PROG(PRINTF,printf,$BSB)dnl
+AC_PATH_PROG(PRINTF,printf,PRINTF_NOT_FOUND,$BSB)dnl
 
 # disable ghostscript check
 AC_MSG_CHECKING(Ghostscript check)

> Please also note that you most likely want to go over *all* AC_PROG_*
> and AC_PATH_PROG variables, see which ones gets embedded into shipped
> files (or just assume all of them), and pass all of those explicitly.
> If you don't do that then god forbid someone installed something in
> /usr/local which will instead be picked up.

I checked now that all the AC_* statements make sense. BUT… Setting all 
binaries through their fullpaths really feels like something that should be 
done through either automake globally, in debhelper (dh_auto_configure), or by 
having our packaging wrappers (dpkg comes to mind) provide PATHS with the 
expected binaries in the right places.

Worst case, diffoscope will come to help. :-)

> Hope this helps.

It does; thank you very much!

Cheers
    OdyX

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.