Debian Bug report logs - #992662
cfengine3: stores wrong path to chpasswd, etc. if built on merged-/usr system

Package: src:cfengine3; Maintainer for src:cfengine3 is CFEngine Team <team+cfengine@tracker.debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Sat, 21 Aug 2021 22:51:01 UTC

Severity: serious

Tags: bookworm, patch, sid

Found in version cfengine3/3.15.2-3

Fixed in version cfengine3/3.15.2-3.2

Done: Hugh McMaster <hugh.mcmaster@outlook.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, kobold@debian.org, Antonio Radici <antonio@debian.org>:
Bug#992662; Package src:cfengine3. (Sat, 21 Aug 2021 22:51:03 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, kobold@debian.org, Antonio Radici <antonio@debian.org>. (Sat, 21 Aug 2021 22:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cfengine3: stores wrong path to chpasswd, etc. if built on merged-/usr system
Date: Sat, 21 Aug 2021 23:48:08 +0100
Source: cfengine3
Version: 3.15.2-3
Severity: important
Tags: patch bookworm sid
User: reproducible-builds@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org, Fabio Tranchitella <kobold@debian.org>

If cfengine3 is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the paths to
chpasswd, useradd etc. are recorded in the binary as /sbin/chpasswd,
/sbin/useradd, etc.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/cfengine3.html
(search for "/sbin/chpasswd" to see the differences I'm concerned about).

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

The problematic situation is if the package is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/sbin/chpasswd etc. exist on the build system but not on the system
where cfengine3 will be used, resulting in the features that use these
executables not being available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv
[0001-Specify-canonical-paths-to-chpasswd-etc.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@debian.org>:
Bug#992662; Package src:cfengine3. (Sun, 17 Jul 2022 11:45:02 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@debian.org>. (Sun, 17 Jul 2022 11:45:02 GMT)


Message #10 received at 992662@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 992662@bugs.debian.org
Subject: Re: Bug#992662: cfengine3: stores wrong path to chpasswd, etc. if built on merged-/usr system
Date: Sun, 17 Jul 2022 12:42:30 +0100
Control: severity -1 serious

On Sat, 21 Aug 2021 at 23:48:08 +0100, Simon McVittie wrote:
> The problematic situation is if the package is *built* on a merged-/usr
> system, but *used* on a non-merged-/usr system. In this situation,
> /sbin/chpasswd etc. exist on the build system but not on the system
> where cfengine3 will be used, resulting in the features that use these
> executables not being available.

This will be a practical problem as soon as Debian starts using merged-/usr
on official buildds, and the Debian technical committee resolution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
treating this class of bug as release-critical for Debian 12, so I'm
raising the severity of this bug.

Please upload a fixed package before the Debian 12 freeze. I provided
a patch last year, which I hope is suitable.

Thanks,
    smcv



Severity set to 'serious' from 'important' Request was from Simon McVittie <smcv@debian.org> to 992662-submit@bugs.debian.org. (Sun, 17 Jul 2022 11:45:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@debian.org>:
Bug#992662; Package src:cfengine3. (Tue, 06 Sep 2022 12:36:03 GMT)


Acknowledgement sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@debian.org>. (Tue, 06 Sep 2022 12:36:03 GMT)


Message #17 received at 992662@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: Simon McVittie <smcv@debian.org>
Cc: 992662@bugs.debian.org
Subject: Re: Bug#992662: cfengine3: stores wrong path to chpasswd, etc. if built on merged-/usr system
Date: Tue, 6 Sep 2022 22:32:46 +1000
Hi Simon,

On Sun, 17 Jul 2022 12:42:30 +0100 Simon McVittie wrote:
> Control: severity -1 serious
>
> On Sat, 21 Aug 2021 at 23:48:08 +0100, Simon McVittie wrote:
> > The problematic situation is if the package is *built* on a merged-/usr
> > system, but *used* on a non-merged-/usr system. In this situation,
> > /sbin/chpasswd etc. exist on the build system but not on the system
> > where cfengine3 will be used, resulting in the features that use these
> > executables not being available.
>
> This will be a practical problem as soon as Debian starts using merged-/usr
> on official buildds, and the Debian technical committee resolution
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
> treating this class of bug as release-critical for Debian 12, so I'm
> raising the severity of this bug.
>
> Please upload a fixed package before the Debian 12 freeze. I provided
> a patch last year, which I hope is suitable.

One alternative -- arguably simpler -- is to remove /sbin from the
hard-coded PATH override in configure.ac. For example:

-CF3_PATH_ROOT_PROG([CHPASSWD], [chpasswd], [],
[/sbin:/usr/sbin:/bin:/usr/bin:$PATH])
+CF3_PATH_ROOT_PROG([CHPASSWD], [chpasswd], [], [/usr/sbin:/bin:/usr/bin:$PATH])
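Review bot: the search list on the `+` line still places /bin ahead of /usr/bin and still ends in $PATH, so the recorded path is pinned only for tools that ship in /usr/sbin, such as chpasswd. A program located through CF3_PATH_ROOT_PROG that ships in /usr/bin would be recorded as /bin/<name> when built on a merged-/usr host, which is the same mismatch this bug describes, and no reordering of the list fixes both the /bin and /usr/bin cases at once. Consider passing each tool's canonical absolute path explicitly so that neither the build host's layout nor its PATH influences the result.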

This sets the absolute path prefix to chpasswd, useradd, etc. to
/usr/sbin/ regardless of usrmerge status.

I can take care of this, if no one else has time to.

I'm also aware that we need to upgrade to version 3.18 as soon as
possible, because support for version 3.15 ends in December. I'll file
a bug for this work.
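
The path search discussed in the original report and in the message above, reproduced in a sandbox as an added example (not code from cfengine3 or from any message in this log). It builds two constructed directory trees, one merged-/usr and one not, and shows which chpasswd path each search list records; the helper names are hypothetical and the trailing $PATH element is left out as an assumption to keep the run deterministic.

```sh
# Added illustration: constructed sandbox roots, not the cfengine3 build system.
# The trailing $PATH element of the real search list is left out (assumption)
# so the result does not depend on the machine running this script.
OLD_LIST=/sbin:/usr/sbin:/bin:/usr/bin
NEW_LIST=/usr/sbin:/bin:/usr/bin

# make_root DIR merged|split: create a minimal fake filesystem root.
make_root() {
    mkdir -p "$1/usr/bin" "$1/usr/sbin"
    if [ "$2" = merged ]; then
        ln -s usr/bin "$1/bin"      # merged-/usr: /bin and /sbin are symlinks
        ln -s usr/sbin "$1/sbin"
    else
        mkdir -p "$1/bin" "$1/sbin" # non-merged: real, separate directories
    fi
    printf '#!/bin/sh\n' > "$1/usr/sbin/chpasswd"   # ships in /usr/sbin
    chmod +x "$1/usr/sbin/chpasswd"
}

# find_prog ROOT PROG LIST: print the first LIST entry holding PROG, as the
# absolute path a configure-time search on that root would record.
find_prog() {
    fp_old_ifs=$IFS; IFS=:
    for fp_dir in $3; do
        IFS=$fp_old_ifs
        if [ -x "$1$fp_dir/$2" ]; then
            printf '%s\n' "$fp_dir/$2"
            return 0
        fi
    done
    IFS=$fp_old_ifs
    return 1
}

# usable_on ROOT PATH: succeeds if the recorded PATH exists on that root.
usable_on() { [ -x "$1$2" ]; }

demo() {
    tmp=$(mktemp -d) || return 1
    make_root "$tmp/build" merged   # build host
    make_root "$tmp/target" split   # host where the package is used
    for sl in "$OLD_LIST" "$NEW_LIST"; do
        rec=$(find_prog "$tmp/build" chpasswd "$sl")
        if usable_on "$tmp/target" "$rec"; then st=present; else st=MISSING; fi
        printf '%-32s records %-20s on target: %s\n' "$sl" "$rec" "$st"
    done
    rm -rf "$tmp"
}
demo
```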



Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@debian.org>:
Bug#992662; Package src:cfengine3. (Fri, 09 Sep 2022 07:36:09 GMT)


Acknowledgement sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@debian.org>. (Fri, 09 Sep 2022 07:36:09 GMT)


Message #22 received at 992662@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: 945623@bugs.debian.org, 949086@bugs.debian.org, 972893@bugs.debian.org, 992662@bugs.debian.org, 998014@bugs.debian.org
Subject: cfengine3: diff for NMU version 3.15.2-3.2
Date: Fri, 9 Sep 2022 17:33:38 +1000
Control: tags 945623 + patch
Control: tags 949086 + patch
Control: tags 998014 + patch


Dear maintainer,

I've prepared an NMU for cfengine3 (versioned as 3.15.2-3.2). The diff
is attached to this message.

I require a sponsor to have it uploaded and intend to seek sponsorship
without delay due to the RC bug #992662.

Please let me know if you plan to take care of the upload yourself.

Regards,

Hugh McMaster
[cfengine3-3.15.2-3.2-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Radici <antonio@debian.org>:
Bug#992662; Package src:cfengine3. (Tue, 13 Sep 2022 11:51:07 GMT)


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Antonio Radici <antonio@debian.org>. (Tue, 13 Sep 2022 11:51:08 GMT)


Message #27 received at 992662@bugs.debian.org:

From: Christoph Martin <martin@uni-mainz.de>
To: Hugh McMaster <hugh.mcmaster@outlook.com>, <945623@bugs.debian.org>, <949086@bugs.debian.org>, <972893@bugs.debian.org>, <992662@bugs.debian.org>, <998014@bugs.debian.org>
Subject: Re: Bug#945623: cfengine3: diff for NMU version 3.15.2-3.2
Date: Tue, 13 Sep 2022 13:39:45 +0200
Hi all,

I'll have a look at it.

First I will include the changes from NMU -3.1 into the salsa repository.

Christoph

On 09.09.22 at 09:33, Hugh McMaster wrote:
> Control: tags 945623 + patch
> Control: tags 949086 + patch
> Control: tags 998014 + patch
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for cfengine3 (versioned as 3.15.2-3.2). The diff
> is attached to this message.
> 
> I require a sponsor to have it uploaded and intend to seek sponsorship
> without delay due to the RC bug #992662.
> 
> Please let me know if you plan to take care of the upload yourself.
> 

Reply sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
You have taken responsibility. (Tue, 13 Sep 2022 14:39:11 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 13 Sep 2022 14:39:11 GMT)


Message #32 received at 992662-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992662-close@bugs.debian.org
Subject: Bug#992662: fixed in cfengine3 3.15.2-3.2
Date: Tue, 13 Sep 2022 14:34:41 +0000
Source: cfengine3
Source-Version: 3.15.2-3.2
Done: Hugh McMaster <hugh.mcmaster@outlook.com>

We believe that the bug you reported is fixed in the latest version of
cfengine3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated cfengine3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 09 Sep 2022 17:13:10 +1000
Source: cfengine3
Architecture: source
Version: 3.15.2-3.2
Distribution: unstable
Urgency: medium
Maintainer: Antonio Radici <antonio@debian.org>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Closes: 945623 949086 972893 992662 998014
Changes:
 cfengine3 (3.15.2-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/control:
     + Build-Depend on pkg-config.
     + cfengine3: Recommend python3 instead of python (Closes: #998014).
   * debian/patches:
     + Drop 883480-fix-crossbuild-libxml2.patch (no longer needed).
     + Use pkg-config to find libxml2 (Closes: #972893, #949086).
     + Remove /sbin from the CF3_PATH_ROOT_PROG macro PATH override to ensure
       system tools can be invoked on usr-merged and non-usr-merged systems
       (Closes: #992662).
     + Fix python3 and shell interpreter paths; use python3 syntax in upstream
       apt_get module (Closes: #945623).
     + Fix spelling error in openssl3.patch metadata.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Nov 2022 07:28:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 12:03:42 2023; Machine Name: buxtehude
