Debian Bug report logs - #992781
supermin: stores wrong path to cpio, etc. if built on merged-/usr system

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: supermin: stores wrong path to chpasswd, etc. if built on merged-/usr system

Date: Mon, 23 Aug 2021 12:01:01 +0100

[Message part 1 (text/plain, inline)]

Source: supermin
Version: 5.2.1-4
Severity: important
Tags: patch bookworm sid
User: reproducible-builds@lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

If supermin is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the paths to
cpio, mke2fs, zcat are recorded in the binary as /usr/bin/cpio,
/usr/sbin/mke2fs, /usr/bin/zcat rather than their canonical paths in
/bin and /sbin.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/supermin.html

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

I suspect the same thing would happen if supermin was built on a system
where /bin and /usr/bin had instead been unified via a symlink farm.

The problematic situation is if the package is *built* on a unified-/usr
system, but *used* on a non-unified-/usr system. In this situation,
/usr/bin/cpio etc. exist on the build system but not on the system
where supermin will be used, resulting in the features that use these
executables not being available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

Some developers advocate unifying /bin with /usr/bin via a symlink farm
in /bin instead of merged-/usr, but that strategy would have a similar
practical effect on this particular package, and the same solution would
be required.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv

[0001-d-rules-Specify-canonical-paths-of-cpio-mke2fs-zcat.patch (text/x-diff, attachment)]

Message #12 received at 992781-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 992781-close@bugs.debian.org

Subject: Bug#992781: fixed in supermin 5.2.1-5

Date: Mon, 23 Aug 2021 20:37:12 +0000

Source: supermin
Source-Version: 5.2.1-5
Done: Hilko Bengen <bengen@debian.org>

We believe that the bug you reported is fixed in the latest version of
supermin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated supermin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Aug 2021 14:26:58 +0200
Source: supermin
Architecture: source
Version: 5.2.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Closes: 992781
Changes:
 supermin (5.2.1-5) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * d/rules: Specify canonical paths of cpio, mke2fs, zcat
     (Closes: #992781)
Checksums-Sha1:
 382dd18e68dc3e27467e10500bb2fa654ad97569 2776 supermin_5.2.1-5.dsc
 32a036dedf83f415a3b8b8fc7a62877b8e3f0e8a 7168 supermin_5.2.1-5.debian.tar.xz
 bb5e744936784f234d40a1f23c473774ca55db5d 8405 supermin_5.2.1-5_source.buildinfo
Checksums-Sha256:
 99686e0e2954f29d62d8fcca9e2aaec2e3f1b79a48eda848a3b5fb21d89b579d 2776 supermin_5.2.1-5.dsc
 6426f14dd7334c1647a77575a2cefc41d170cf88e4545fe6c08c00a3896e7903 7168 supermin_5.2.1-5.debian.tar.xz
 93c3dc8d4f956e6a72a8309410b1023fe09675e2347eb388b66962fa0bd88a5e 8405 supermin_5.2.1-5_source.buildinfo
Files:
 87b3b51c7dc565cea0e39c76f02361e5 2776 admin optional supermin_5.2.1-5.dsc
 21142da0d21173b1f518c031fc002997 7168 admin optional supermin_5.2.1-5.debian.tar.xz
 e80c5c8abb8bf76d348c9a2f72336b85 8405 admin optional supermin_5.2.1-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErnMQVUQqHZbPTUx4dbcQY1whOn4FAmEj/qEACgkQdbcQY1wh
On7SfxAAgTZvQJeKixbtBzijwSlhX4q42pQbTJDoNH4Nd4BMND90jDG4vNyX+HGO
Qy5QQm368Rb2gWBK94jBzThKEBjhk0dy5Z+cscjNItfCHzMQRv7Z6DBcSRLZ8+Xl
pCdgvgQ8VHTdq7umJMKyqbENd5bwnAat8IaTyMu5rP3tEbslKfi01G/JpDQ3ktM4
QzlGEayGlfMff6LCIK6cfB04lcgytlGvmU+1PcuKa9lLpQc0fWM7E3YltTdZYBm5
iVJDCg8zs4l+EoYMBvWAvtiWmyOk46n78H+s5/SzZBmopmrqeq1X1J5UOdVuc/oi
/1lRxDYYoGOFtkiBVDoOtlOL6Zpk6orn7VYjaZjjz/7vHaucJVsboI7Pv97KUY0T
Bn6JGvH8BD+nHD4POErGnfiOOzU8Zb3WGLTbw3XCIctea2Ow8HMItyNN4DH14Ayd
t3/oIZUKUwlWZvuKy2uVLzj/g0mZ1JrYEYbDlJdIX4x446OOpofSYGX1GOaHViIs
zeQdtacMJdY5rRz8B0v0OYsE46/OO13o3Y+KwIJBXujExFXPk0vn0cJhoIXWPDEz
Y2GcwuC/wx48a/KThziOdfcyNBEq7+YEh3+yXrxcQCFKFtPg6yTIwFvC1bU4lSoL
lMM+RnxBtH5/G5Qu1qtZC8Fol7Mn4x3loqPWNcloXFoJ/NX6448=
=bsee
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.