Source: supermin
Version: 5.2.1-4
Severity: important
Tags: patch bookworm sid
User: [email protected]
Usertags: usrmerge
X-Debbugs-Cc: [email protected]

If supermin is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the paths to
cpio, mke2fs, zcat are recorded in the binary as /usr/bin/cpio,
/usr/sbin/mke2fs, /usr/bin/zcat rather than their canonical paths in
/bin and /sbin.

This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/supermin.html

If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends-arch=usrmerge and once without.

I suspect the same thing would happen if supermin was built on a system
where /bin and /usr/bin had instead been unified via a symlink farm.

The problematic situation is if the package is *built* on a unified-/usr
system, but *used* on a non-unified-/usr system. In this situation,
/usr/bin/cpio etc. exist on the build system but not on the system
where supermin will be used, resulting in the features that use these
executables not being available.

Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.

The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.

Some developers advocate unifying /bin with /usr/bin via a symlink farm
in /bin instead of merged-/usr, but that strategy would have a similar
practical effect on this particular package, and the same solution would
be required.

A side benefit of fixing this is that this change seems likely to be
sufficient to make the package reproducible (as recommended by Policy
§4.15).

    smcv
From 50a4a8d83463a81dbf656f834a5ca63a19a698f3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Mon, 23 Aug 2021 11:30:37 +0100
Subject: [PATCH] d/rules: Specify canonical paths of cpio, mke2fs, zcat

When supermin is built on a system where both /usr/bin/cpio and /bin/cpio
exist (either merged-/usr or via a symlink farm), this results in storing
/usr/bin/cpio etc. in the installed scripts, which will not work as
intended on systems where only the traditional paths /bin/cpio etc. exist.

Signed-off-by: Simon McVittie <[email protected]>
---
 debian/rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/debian/rules b/debian/rules
index 53b33d0..cc55f14 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,10 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+cfgflags =
+cfgflags += CPIO=/bin/cpio
+cfgflags += MKE2FS=/sbin/mke2fs
+cfgflags += ZCAT=/bin/zcat
 
 override_dh_auto_configure:
 	dh_auto_configure -- --disable-network-tests $(cfgflags)
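Review bot: the three hard-coded paths added above override_dh_auto_configure have no comment in debian/rules explaining why they are pinned, so a later cleanup could remove them as redundant with configure's own detection. Suggest a short comment above `cfgflags =` saying that CPIO, MKE2FS and ZCAT are set to the canonical /bin and /sbin locations so that a build on a system where /usr/bin/cpio also exists does not record the /usr path.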
-- 
2.33.0
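A check for the symptom described in this report, added here as an example (it is not part of the bug report or of supermin's packaging): it scans a built file for the /usr-prefixed forms of the three paths the patch pins. The function name and the sample bytes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original report.
# Canonical locations are the ones pinned by the patch above:
#   /bin/cpio, /sbin/mke2fs, /bin/zcat
# check_recorded_paths is a hypothetical helper name.

# check_recorded_paths FILE
# Prints one line per /usr-prefixed tool path recorded in FILE.
# Returns 0 if none is recorded, 1 otherwise.
check_recorded_paths() {
    file=$1
    rc=0
    for canonical in /bin/cpio /sbin/mke2fs /bin/zcat; do
        noncanonical="/usr$canonical"
        # -a: search binary data as text, -F: fixed string, -q: no output
        if grep -aqF -- "$noncanonical" "$file"; then
            echo "$file: records $noncanonical, expected $canonical"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: NUL-separated strings standing in for the string
# table of a binary built on a merged-/usr system. mke2fs is recorded
# canonically here, so only two findings are expected.
sample=$(mktemp)
printf 'BIN\0/usr/bin/cpio\0/sbin/mke2fs\0/usr/bin/zcat\0' > "$sample"
check_recorded_paths "$sample" \
    || echo "result: would not find its tools on a non-merged-/usr system"
rm -f "$sample"
```

Run against the outputs of both builds (with and without --add-depends-arch=usrmerge), the function should return 0 for each once the patch is applied.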
