Source: shim
Version: 15.8-1
Severity: important
Tags: ftbfs
Justification: FTBFS
X-Debbugs-Cc: ni...@thykier.net
User: ni...@thykier.net
Usertags: rrr-no-as-default-issue

Dear maintainer,

During a test rebuild for building packages with
`Rules-Requires-Root: no` as the default in `dpkg`,
shim failed to rebuild.

Log Summary:
-------------------------------------------------------------------------------
[...]
aarch64-linux-gnu-gcc-12 -I/<<PKGBUILDDIR>>/gnu-efi//gnuefi -I/<<PKGBUILDDIR>>/gnu-efi/inc -I/<<PKGBUILDDIR>>/gnu-efi/inc/aarch64 -I/<<PKGBUILDDIR>>/gnu-efi/inc/protocol -std=gnu11 -ggdb -ffreestanding -fmacro-prefix-map=/<<PKGBUILDDIR>>/= -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Os -Wall -Wextra -Wno-missing-field-initializers -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align -Werror -nostdinc -I/<<PKGBUILDDIR>>/Cryptlib -I/<<PKGBUILDDIR>>/Cryptlib/Include -I/<<PKGBUILDDIR>>/gnu-efi/inc -I/<<PKGBUILDDIR>>/gnu-efi/inc/aarch64 -I/<<PKGBUILDDIR>>/gnu-efi/inc/protocol -I/<<PKGBUILDDIR>>/include -iquote /<<PKGBUILDDIR>> -iquote /<<PKGBUILDDIR>> -isystem /<<PKGBUILDDIR>>/include/system -isystem /usr/lib/gcc/aarch64-linux-gnu/12/include -DDEFAULT_LOADER='L"\\\\grubaa64.efi"' -DDEFAULT_LOADER_CHAR='"\\\\grubaa64.efi"' -DEFI_ARCH='L"aa64"' -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/aa64-15.8-15.8/"' -DVENDOR_CERT_FILE=\"debian/debian-uefi-ca.der\" -DVENDOR_DBX_FILE=\"dbx.esl\" -DSBAT_AUTOMATIC_DATE=2024010900 -DGNU_EFI_USE_EXTERNAL_STDARG -Wno-error=pragmas -fpic -Os -Wall -Wextra -Wno-missing-field-initializers -Werror -fshort-wchar -fno-strict-aliasing -ffreestanding -fno-stack-protector -fno-stack-check -nostdinc -isystem /<<PKGBUILDDIR>>/gnu-efi/../include/system -isystem /usr/lib/gcc/aarch64-linux-gnu/12/include -fno-merge-all-constants -Wno-error=pragmas -fpic -Os -Wall -Wextra -Wno-missing-field-initializers -Werror -fshort-wchar -fno-strict-aliasing -ffreestanding -fno-stack-protector -fno-stack-check -nostdinc -isystem /<<PKGBUILDDIR>>/gnu-efi/../include/system -isystem /usr/lib/gcc/aarch64-linux-gnu/12/include -fno-merge-all-constants -fno-jump-tables -Wdate-time -D_FORTIFY_SOURCE=2 -DCONFIG_aarch64 -DCONFIG_aarch64 -c /<<PKGBUILDDIR>>/gnu-efi//gnuefi/reloc_aarch64.c -o reloc_aarch64.o
/<<PKGBUILDDIR>>/gnu-efi//gnuefi/crt0-efi-aarch64.S: Assembler messages:
/<<PKGBUILDDIR>>/gnu-efi//gnuefi/crt0-efi-aarch64.S:54: Warning: setting incorrect section attributes for .note.GNU-stack
aarch64-linux-gnu-gcc-ar rv -U libgnuefi.a reloc_aarch64.o
/usr/bin/ar: creating libgnuefi.a
a - reloc_aarch64.o
make: Leaving directory '/<<PKGBUILDDIR>>/gnu-efi/aarch64/gnuefi'
make: Leaving directory '/<<PKGBUILDDIR>>/gnu-efi'
aarch64-linux-gnu-ld -o shimaa64.so --hash-style=sysv -nostdlib -znocombreloc -T /<<PKGBUILDDIR>>/elf_aarch64_efi.lds -shared -Bsymbolic -Lgnu-efi/aarch64/gnuefi -Lgnu-efi/aarch64/lib -LCryptlib -LCryptlib/OpenSSL gnu-efi/aarch64/gnuefi/crt0-efi-aarch64.o --build-id=sha1 --no-undefined shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o pe-relocate.o httpboot.o csv.o load-options.o Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a gnu-efi/aarch64/lib/libefi.a gnu-efi/aarch64/gnuefi/libgnuefi.a -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group /usr/lib/gcc/aarch64-linux-gnu/12/libgcc.a lib/lib.a aarch64-linux-gnu-ld: warning: shimaa64.so has a LOAD segment with RWX permissions
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-aarch64 shimaa64.so shimaa64.efi
./post-process-pe -vv  shimaa64.efi
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
        -j .sbatlevel \
        -j .debug_info -j .debug_abbrev -j .debug_aranges \
        -j .debug_line -j .debug_str -j .debug_ranges \
        -j .note.gnu.build-id \
        shimaa64.so shimaa64.efi.debug
aarch64-linux-gnu-ld -o mmaa64.so --hash-style=sysv -nostdlib -znocombreloc -T /<<PKGBUILDDIR>>/elf_aarch64_efi.lds -shared -Bsymbolic -Lgnu-efi/aarch64/gnuefi -Lgnu-efi/aarch64/lib -LCryptlib -LCryptlib/OpenSSL gnu-efi/aarch64/gnuefi/crt0-efi-aarch64.o --build-id=sha1 --no-undefined MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o globals.o Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a gnu-efi/aarch64/lib/libefi.a gnu-efi/aarch64/gnuefi/libgnuefi.a -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group /usr/lib/gcc/aarch64-linux-gnu/12/libgcc.a lib/lib.a aarch64-linux-gnu-ld: warning: mmaa64.so has a LOAD segment with RWX permissions
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
        -j .sbatlevel \
        -j .debug_info -j .debug_abbrev -j .debug_aranges \
        -j .debug_line -j .debug_str -j .debug_ranges \
        -j .note.gnu.build-id \
        mmaa64.so mmaa64.efi.debug
aarch64-linux-gnu-ld -o fbaa64.so --hash-style=sysv -nostdlib -znocombreloc -T /<<PKGBUILDDIR>>/elf_aarch64_efi.lds -shared -Bsymbolic -Lgnu-efi/aarch64/gnuefi -Lgnu-efi/aarch64/lib -LCryptlib -LCryptlib/OpenSSL gnu-efi/aarch64/gnuefi/crt0-efi-aarch64.o --build-id=sha1 --no-undefined fallback.o tpm.o errlog.o sbat_data.o globals.o Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a gnu-efi/aarch64/lib/libefi.a gnu-efi/aarch64/gnuefi/libgnuefi.a -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group /usr/lib/gcc/aarch64-linux-gnu/12/libgcc.a lib/lib.a
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
        -j .sbatlevel \
        -j .debug_info -j .debug_abbrev -j .debug_aranges \
        -j .debug_line -j .debug_str -j .debug_ranges \
        -j .note.gnu.build-id \
        fbaa64.so fbaa64.efi.debug
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-aarch64 mmaa64.so mmaa64.efi
./post-process-pe -vv  mmaa64.efi
aarch64-linux-gnu-objcopy -D -j .text -j .sdata -j .data -j .data.ident \
        -j .dynamic -j .rodata -j .rel* \
        -j .rela* -j .dyn -j .reloc -j .eh_frame \
        -j .vendor_cert -j .sbat -j .sbatlevel \
        --target efi-app-aarch64 fbaa64.so fbaa64.efi
./post-process-pe -vv  fbaa64.efi
gcc -I/usr/include -Og -g3 -Wall -Werror -Wextra -o buildid /<<PKGBUILDDIR>>/buildid.c -lelf
Making BOOTAA64.CSV
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp/
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp//usr/lib/debug/boot/efi/EFI/debian// install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp//usr/src/debug//shim-15.8-15.8 find /<<PKGBUILDDIR>> -type f -a '(' -iname '*.c' -o -iname '*.h' -o -iname '*.S' ')' | while read file ; do \
        outfile=$(echo ${file} | sed -e "s,^/<<PKGBUILDDIR>>,,") ; \
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp//usr/src/debug//shim-15.8-15.8/$(dirname ${outfile}) ; \ install -m 0644 ${file} /<<PKGBUILDDIR>>/debian/tmp//usr/src/debug//shim-15.8-15.8/${outfile} ; \
done
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp/
install -d -m 0700 /<<PKGBUILDDIR>>/debian/tmp/boot/efi/
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/BOOT/
install -d -m 0755 /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/debian/
install -m 0644 shimaa64.efi /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/BOOT//BOOTAA64.EFI install -m 0644 shimaa64.efi /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/debian// install -m 0644 BOOTAA64.CSV /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/debian//
install -m 0644 fbaa64.efi /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/BOOT//
install -m 0644 mmaa64.efi /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/BOOT//
install -m 0644 mmaa64.efi /<<PKGBUILDDIR>>/debian/tmp/boot/efi/EFI/debian//
make: Leaving directory '/<<PKGBUILDDIR>>'
# Remove the copy of the source that's installed - we have git
# already...
rm -rf debian/tmp/usr
# And remove the extra removable-media copy of shim too, it's
# not needed for our build and causes debhelper to complain
rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
install -m 644 debian/debian-uefi-ca.der debian/shim-unsigned/usr/share/shim
# Generate the template packages that we'll use for SB signing later
./debian/signing-template.generate
install: cannot change owner and permissions of ‘debian/shim-helpers-arm64-signed-template/usr/share/code-signing/shim-helpers-arm64-signed-template’: Operation not permitted
make[1]: *** [debian/rules:93: override_dh_auto_install] Error 1
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:69: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2024-11-18T14:43:48Z

-------------------------------------------------------------------------------


The above is just how the build ends and not necessarily the most
relevant part. If required, the full build log is available here:

https://people.debian.org/~nthykier/rrr-no-as-default/logs/1044526.gz

You can find common solutions at
https://people.debian.org/~nthykier/rrr-no-as-default/docs/solutions.md

If this is really a bug in one of the build-depends, please use
reassign and affects, so that this is still visible in the BTS web
page for this package.

If this package is listed in
https://people.debian.org/~nthykier/rrr-no-as-default/docs/static-ownership.list,
then please just set `Rules-Requires-Root: binary-targets` to the source
stanza of `debian/control` as a fix to this bug.

If this package is listed in
https://people.debian.org/~nthykier/rrr-no-as-default/docs/maybe-misbuilds.list,
then the package was deemed at risk for misbuilding (having wrong
ownership) but had a FTBFS problem we tested it. Please test whether the
package works with `Rules-Requires-Root: no` validating that the
resulting deb has the correct ownership for all paths in the deb.

The goal is to have the default changed in `dpkg` either in `Trixie` or
`Forky`, depending on progress and feasibility with the release schedule
for Trixie.

For more information on this bug filing, please see:
https://lists.debian.org/debian-dpkg/2024/11/msg00016.html

Thanks,


PS: The builds were performed in mid-November. If you fixed the problem
between between then and this bug being filed, then please just close
the bug with the version it was fixed in.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to