Debian Bug report logs - #992651
sharutils: stores wrong path to bash if built on merged-/usr system

Package: src:sharutils; Maintainer for src:sharutils is Santiago Vila <sanvila@debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Sat, 21 Aug 2021 18:45:01 UTC

Severity: serious

Tags: bookworm, patch, sid

Found in version sharutils/1:4.15.2-5

Fixed in version sharutils/1:4.15.2-6

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to bug-gnu-utils@gnu.org



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#992651; Package src:sharutils. (Sat, 21 Aug 2021 18:45:03 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>. (Sat, 21 Aug 2021 18:45:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sharutils: stores wrong path to bash if built on merged-/usr system
Date: Sat, 21 Aug 2021 19:40:10 +0100
[Message part 1 (text/plain, inline)]
Source: sharutils
Version: 1:4.15.2-5
Severity: important
Tags: patch bookworm sid
User: reproducible-builds@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

If sharutils is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the path to bash
is recorded in the binary as /usr/bin/bash.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/sharutils.html
(search for "/usr/bin/bash" to see the difference I'm concerned about).

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

The problematic situation is if the package is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/usr/bin/bash exists on the build system but not on the system where
sharutils will be used, resulting in the feature that uses bash not being
available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

Some Debian developers advocate that instead of merged-/usr, we should
use a different strategy where /bin becomes a "symlink farm" with
individual symlinks such as /bin/bash -> /usr/bin/bash. If that route is
taken instead of merged-/usr, then resolving bugs like this one will be
equally important as part of that transition, because it shares the
property that both /bin/bash and /usr/bin/bash exist after the transition,
but only /bin/bash exists on untransitioned systems.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv
[0001-d-rules-Specify-canonical-path-to-bash.patch (text/x-diff, attachment)]
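
The failure mode described in this report, reproduced in constructed directory trees as an added example (not part of the report or of the attached patch): a first-match search with /usr/bin ahead of /bin records /usr/bin/bash on a merged-/usr build, which is missing on a non-merged system, while pinning POSIX_SHELL=/bin/bash yields a path valid on both. The search order, the function names and the temporary layouts are assumptions made for illustration; the configure-time detection that the fix modifies is in libopts.m4.

```shell
#!/bin/sh
# Added illustration: a first-match PATH search inside two constructed root
# trees. A simplified model, not the libopts.m4 detection code.

make_root() {  # $1 = directory, $2 = merged|split (constructed layouts)
    mkdir -p "$1/usr/bin"
    if [ "$2" = merged ]; then
        ln -s usr/bin "$1/bin"      # /bin -> usr/bin, bash lives in /usr/bin
        : > "$1/usr/bin/bash"
    else
        mkdir -p "$1/bin"           # separate /bin, bash lives only there
        : > "$1/bin/bash"
    fi
    chmod +x "$1/bin/bash"
}

# Path a build inside root $1 would record: POSIX_SHELL if set, else first hit.
detect_shell() {
    if [ -n "${POSIX_SHELL:-}" ]; then
        printf '%s\n' "$POSIX_SHELL"
        return 0
    fi
    for dir in /usr/local/bin /usr/bin /bin; do   # assumed search order
        if [ -x "$1$dir/bash" ]; then
            printf '%s\n' "$dir/bash"
            return 0
        fi
    done
    return 1
}

# Does recorded path $2 resolve on the system rooted at $1?
usable_on() { [ -x "$1$2" ]; }

demo() {
    unset POSIX_SHELL
    work=$(mktemp -d) || return 1
    make_root "$work/merged" merged
    make_root "$work/split" split
    recorded=$(detect_shell "$work/merged")
    pinned=$(POSIX_SHELL=/bin/bash detect_shell "$work/merged")
    for p in "$recorded" "$pinned"; do
        if usable_on "$work/split" "$p"; then s=ok; else s=MISSING; fi
        echo "built on merged-/usr, recorded $p: non-merged system -> $s"
    done
    rm -rf "$work"
}
demo
```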

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#992651; Package src:sharutils. (Sun, 17 Jul 2022 12:21:05 GMT).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Sun, 17 Jul 2022 12:21:05 GMT).


Message #10 received at 992651@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 992651@bugs.debian.org
Subject: Re: Bug#992651: sharutils: stores wrong path to bash if built on merged-/usr system
Date: Sun, 17 Jul 2022 13:17:56 +0100
Control: severity -1 serious

On Sat, 21 Aug 2021 at 19:40:10 +0100, Simon McVittie wrote:
> If sharutils is built on a merged-/usr system (as created by new
> installations of Debian >= 10, debootstrap --merged-usr, or installing
> the usrmerge package into an existing installation), the path to bash
> is recorded in the binary as /usr/bin/bash.
> 
> This can be seen on the reproducible-builds.org infra:
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/sharutils.html
> (search for "/usr/bin/bash" to see the difference I'm concerned about).

This will be a practical problem as soon as Debian starts using merged-/usr
on official buildds, and the Debian technical committee resolution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
treating this class of bug as release-critical for Debian 12, so I'm
raising the severity of this bug.

Please upload a fixed package before the Debian 12 freeze. I provided a
patch in 2021 which I hope will solve this.

Thanks,
    smcv



Severity set to 'serious' from 'important' Request was from Simon McVittie <smcv@debian.org> to 992651-submit@bugs.debian.org. (Sun, 17 Jul 2022 12:21:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#992651; Package src:sharutils. (Thu, 21 Jul 2022 23:09:02 GMT).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Thu, 21 Jul 2022 23:09:02 GMT).


Message #17 received at 992651@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: bug-gnu-utils@gnu.org
Cc: Simon McVittie <smcv@debian.org>, 992651@bugs.debian.org
Subject: Fwd: Bug#992651: sharutils: stores wrong path to bash if built on merged-/usr system
Date: Fri, 22 Jul 2022 01:05:36 +0200
[Message part 1 (text/plain, inline)]
Hello.

I received the attached patch from the Debian bug system. It was taken
from the sharutils git repository and it allows passing a value for
POSIX_SHELL in the ./configure call. We need this for the usrmerge
transition.

I plan to apply the patch mostly "as is" to the Debian source package,
but as a result, I have to regenerate autoconf files during the package
build. Some people do that as a normal thing, but I prefer to do that
only when it's really necessary, so it would be simpler if there was
a new sharutils release from upstream. Are there any plans for that?

After all, the last release was made in 2015, and there are even some
CVEs which are still not part of the last stable release.

Thanks.
[sharutils.diff.txt (text/plain, attachment)]

Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked Bug as forwarded. (Thu, 21 Jul 2022 23:09:04 GMT).


Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Fri, 22 Jul 2022 10:21:03 GMT).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Fri, 22 Jul 2022 10:21:03 GMT).


Message #25 received at 992651-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992651-close@bugs.debian.org
Subject: Bug#992651: fixed in sharutils 1:4.15.2-6
Date: Fri, 22 Jul 2022 10:19:37 +0000
Source: sharutils
Source-Version: 1:4.15.2-6
Done: Santiago Vila <sanvila@debian.org>

We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated sharutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 Jul 2022 12:05:00 +0200
Source: sharutils
Architecture: source
Version: 1:4.15.2-6
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Closes: 992651
Changes:
 sharutils (1:4.15.2-6) unstable; urgency=medium
 .
   * Modify libopts.m4 so that POSIX_SHELL is accepted from the
     environment during the configure step. Closes: #992651.
     This should allow building both with or without usr-merge.
     Run autoreconf so that the modified m4 files are picked up.
     Thanks a lot to Simon McVittie.
   * Raise debhelper compat level.
   * Update paths in debian/sharutils-doc.doc-base, as docs are now
     installed directly in /usr/share/doc/sharutils.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Aug 2022 07:26:27 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 12:03:48 2023; Machine Name: buxtehude
