Debian Bug report logs - #915423
xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH

Package: src:xfce4-session; Maintainer for src:xfce4-session is Debian Xfce Maintainers <debian-xfce@lists.debian.org>;

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Mon, 3 Dec 2018 19:03:15 UTC

Severity: normal

Tags: patch

Found in version xfce4-session/4.12.1-6

Fixed in version xfce4-session/4.13.1-2

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Mon, 03 Dec 2018 19:03:17 GMT)


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Mon, 03 Dec 2018 19:03:17 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: submit@bugs.debian.org
Subject: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Mon, 03 Dec 2018 20:02:50 +0100
Source: xfce4-session
Version: 4.12.1-6
Severity: normal
Tags: patch
User: md@linux.it
Usertags: usrmerge
Control: user reproducible-builds@lists.alioth.debian.org
Control: usertag -1 + environment

Dear Maintainer,

According to reproducible build tests xfce4-session gets built
differently on a merged-usr system vs a non-merged system.

The package embeds the full path of rm. Since PATH defaults to
/usr/bin before /bin, the first will be used on a usrmerged system
where they're both essentially the same thing, but /usr/bin/rm does
not exist on non-merged systems.

The attached patch passes `RM=/bin/rm` to explicitly set the path.

Regards,
Ansgar

[xfce4-session.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Sun, 09 Dec 2018 14:15:03 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Sun, 09 Dec 2018 14:15:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Ansgar Burchardt <ansgar@debian.org>, 915423@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#915423: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Sun, 09 Dec 2018 15:12:28 +0100

On Mon, 2018-12-03 at 20:02 +0100, Ansgar Burchardt wrote:
> Source: xfce4-session
> Version: 4.12.1-6
> Severity: normal
> Tags: patch
> User: md@linux.it
> Usertags: usrmerge
> Control: user reproducible-builds@lists.alioth.debian.org
> Control: usertag -1 + environment
> 
> Dear Maintainer,
> 
> According to reproducible build tests xfce4-session gets built
> differently on a merged-usr system vs a non-merged system.
> 
> The package embeds the full path of rm. Since PATH defaults to
> /usr/bin before /bin, the first will be used on a usrmerged system
> where they're both essentially the same thing, but /usr/bin/rm does
> not exist on non-merged systems.
> 
> The attached patch passes `RM=/bin/rm` to explicitly set the path.

Hi,

I didn't follow recent discussions on usrmerge, but are we sure explicitly
adding snippets like this to every relevant package is the right way to fix
that? It looks a bit hacky to me (also couldn't that be done in debhelper or
something?).

Regards,
-- 
Yves-Alexis



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Sun, 09 Dec 2018 14:15:05 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Sun, 09 Dec 2018 14:15:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Thu, 03 Jan 2019 19:39:05 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Thu, 03 Jan 2019 19:39:05 GMT)


Message #20 received at 915423@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Ansgar Burchardt <ansgar@debian.org>, 915423@bugs.debian.org
Subject: Re: Bug#915423: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Thu, 3 Jan 2019 20:21:40 +0100

Hello,

On Sun, Dec 09, 2018 at 03:12:28PM +0100, Yves-Alexis Perez wrote:
> I didn't follow recent discussions on usrmerge, but are we sure explicitly
> adding snippets like this to every relevant package is the right way to fix
> that? It looks a bit hacky to me (also couldn't that be done in debhelper or
> something?).

What the "right" way to fix it is can easily become a bit of a
philosophical discussion. Passing the variables explicitly to configure
is the *documented* autotools way of handling it.

It seems to me like autotools tries a lot to cater to arcane proprietary
unix systems and similar where system tools generally can't be expected
to behave sanely in most cases and you need to build in the specific
path to the sane (gnu?) version instead. I'm not sure why in your case
AC_PATH_PROG was considered, because I'm not aware of systems where
the rm command can't be considered sane. A better approach in general,
especially when dealing with a free software system where we can fix
the system tools if they don't behave sanely, would be to just trust
the runtime PATH, instead of hardcoding the result from the *build*
environment.

In your case the RM_CMD define is passed to g_spawn_sync function.
That function takes a flags argument where you could add
G_SPAWN_SEARCH_PATH. The envp argument is already being passed NULL
which means that the environment is inherited from the parent process.
I assume that one has a sane PATH set, but with things like session
managers you might need to pay special attention to the environment it
runs in/from.

Please also note that you can't pass RM=rm because (for unknown reasons)
in the generated configure script (in your case, and most cases, but not
all) the passed value is checked to be a full path and if not then it's
ignored. You'll thus have to patch in both the "Search PATH" flag and
somehow bypass the RM_CMD configure logic, if you want to go down
that road instead of using the simple solution Ansgar already provided.

Regards,
Andreas Henriksson
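
The lookup behaviour described in the messages above, as an added example that is not part of the original thread or of xfce4-session's build system: a simplified shell model of the configure-time search for `rm`, run against two constructed directory trees (merged and non-merged /usr). The function names, the fake roots and the `/usr/bin:/bin` search order are assumptions taken from the description in the report.

```shell
#!/bin/sh
# Constructed model of the AC_PATH_PROG-style lookup discussed in this bug.
# Everything is resolved inside a throwaway root; host paths are not used.

# make_root KIND DIR: build a fake tree. "merged" makes /bin a symlink to
# usr/bin; "split" ships rm only in /bin.
make_root() {
    mkdir -p "$2/usr/bin"
    if [ "$1" = merged ]; then
        ln -s usr/bin "$2/bin"
        target="$2/usr/bin/rm"
    else
        mkdir -p "$2/bin"
        target="$2/bin/rm"
    fi
    printf '#!/bin/sh\n' > "$target"
    chmod +x "$target"
}

# path_prog ROOT PATHLIST PROG [PRESET]: simplified configure logic.
# An absolute PRESET is taken as-is; any other value is ignored and
# PATHLIST is searched in order, the first executable found wins.
path_prog() {
    root=$1 pathlist=$2 prog=$3 preset=${4:-}
    case $preset in
        /*) printf '%s\n' "$preset"; return 0 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $pathlist; do
        if [ -x "$root$dir/$prog" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$prog"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# embedded_define ROOT [PRESET]: the string that would be compiled in.
embedded_define() {
    printf '#define RM_CMD "%s"\n' "$(path_prog "$1" /usr/bin:/bin rm "${2:-}")"
}

demo() {
    tmp=$(mktemp -d)
    make_root merged "$tmp/merged"
    make_root split "$tmp/split"
    for preset in "" rm /bin/rm; do
        echo "RM='$preset' merged: $(embedded_define "$tmp/merged" "$preset")"
        echo "RM='$preset' split:  $(embedded_define "$tmp/split" "$preset")"
    done
    rm -rf "$tmp"
}
demo
```

Only the absolute preset produces the same embedded string on both layouts; an unset or relative `RM` falls through to the PATH search and records whatever the build host happened to have.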



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Thu, 03 Jan 2019 20:45:06 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Thu, 03 Jan 2019 20:45:06 GMT)


Message #25 received at 915423@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Andreas Henriksson <andreas@fatal.se>
Cc: Ansgar Burchardt <ansgar@debian.org>, 915423@bugs.debian.org
Subject: Re: Bug#915423: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Thu, 03 Jan 2019 21:40:03 +0100

On Thu, 2019-01-03 at 20:21 +0100, Andreas Henriksson wrote:
> In your case the RM_CMD define is passed to g_spawn_sync function.
> That function takes a flags argument where you could add
> G_SPAWN_SEARCH_PATH. The envp argument is already being passed NULL
> which means that the environment is inherited from the parent process.
> I assume that one has a sane PATH set, but with things like session
> managers you might need to pay special attention to the environment it
> runs in/from.

To be honest, I didn't actually investigate why the rm command was needed.
Considering that, I'll upload with a patch just hardcoding RM_CMD to rm.

Will that pose a problem wrt. reproducibility if I don't remove the autotools
logic around?

Regards,
-- 
Yves-Alexis



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Sat, 05 Jan 2019 19:03:02 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Sat, 05 Jan 2019 19:03:02 GMT)


Message #30 received at 915423@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Ansgar Burchardt <ansgar@debian.org>, 915423@bugs.debian.org
Subject: Re: Bug#915423: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Sat, 5 Jan 2019 19:58:09 +0100

On Thu, Jan 03, 2019 at 09:40:03PM +0100, Yves-Alexis Perez wrote:
> On Thu, 2019-01-03 at 20:21 +0100, Andreas Henriksson wrote:
> > In your case the RM_CMD define is passed to g_spawn_sync function.
> > That function takes a flags argument where you could add
> > G_SPAWN_SEARCH_PATH. 
[...]
> To be honest, I didn't actually investigate why the rm command was needed.
> Considering that, I'll upload with a patch just hardcoding RM_CMD to rm.

Please also note the previous/above comment about G_SPAWN_SEARCH_PATH
flag, which I think you will need as well (or AIUI g_spawn_sync will
*not* search in PATH).

https://developer.gnome.org/glib/stable/glib-Spawning-Processes.html#g-spawn-sync
https://developer.gnome.org/glib/stable/glib-Spawning-Processes.html#GSpawnFlags

> 
> Will that pose a problem wrt. reproducibility if I don't remove the autotools
> logic around?

Reproducible problem only hits for files shipped in your binary
packages, so you don't need to touch the autoconf stuff if you sidestep
it since those files are not shipped.

Regards,
Andreas Henriksson



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xfce Maintainers <debian-xfce@lists.debian.org>:
Bug#915423; Package src:xfce4-session. (Tue, 08 Jan 2019 12:21:03 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xfce Maintainers <debian-xfce@lists.debian.org>. (Tue, 08 Jan 2019 12:21:03 GMT)


Message #35 received at 915423@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Andreas Henriksson <andreas@fatal.se>, 915423@bugs.debian.org
Cc: Ansgar Burchardt <ansgar@debian.org>
Subject: Re: Bug#915423: xfce4-session: reproducible build (usrmerge): embeds path of rm found via PATH
Date: Tue, 08 Jan 2019 13:18:23 +0100

On Sat, 2019-01-05 at 19:58 +0100, Andreas Henriksson wrote:
> Please also note the previous/above comment about G_SPAWN_SEARCH_PATH
> flag, which I think you will need as well (or AIUI g_spawn_sync will
> *not* search in PATH).
> 
> https://developer.gnome.org/glib/stable/glib-Spawning-Processes.html#g-spawn-sync
> https://developer.gnome.org/glib/stable/glib-Spawning-Processes.html#GSpawnFlags

Hmh, I've tried the patch and it does seem to work, but I'll use it through
strace to double check.
> 
> > Will that pose a problem wrt. reproducibility if I don't remove the autotools
> > logic around?
> 
> Reproducible problem only hits for files shipped in your binary
> packages, so you don't need to touch the autoconf stuff if you sidestep
> it since those files are not shipped.

Ok, thanks!
-- 
Yves-Alexis



Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Fri, 22 Feb 2019 15:57:12 GMT)


Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Fri, 22 Feb 2019 15:57:12 GMT)


Message #40 received at 915423-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 915423-close@bugs.debian.org
Subject: Bug#915423: fixed in xfce4-session 4.13.1-2
Date: Fri, 22 Feb 2019 15:53:40 +0000

Source: xfce4-session
Source-Version: 4.13.1-2

We believe that the bug you reported is fixed in the latest version of
xfce4-session, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated xfce4-session package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 21 Feb 2019 13:53:57 +0100
Source: xfce4-session
Binary: xfce4-session
Architecture: source
Version: 4.13.1-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Xfce Maintainers <debian-xfce@lists.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 xfce4-session - Xfce4 Session Manager
Closes: 915423 922718
Changes:
 xfce4-session (4.13.1-2) experimental; urgency=medium
 .
   * d/patches: hardcode RM_CMD to fix reproducibility issues (Closes: #915423)
   * d/control: drop Lionel from uploaders, thanks!
   * select debhelper compat mode through debhelper-compat b-d
   * d/control: remove versions in b-deps satisfied in stable
   * d/control: update standards version to 4.3.0
   * use HTTPS protocol where needed
   * d/control: drop duplicate Section field
   * update lintian overrides
   * d/patches: add xfce4-screensaver to locker list (Closes: #922718)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Aug 2019 07:26:31 GMT)