[DRE-maint] Bug#1006471: ruby3.0: reproducible builds: embeds path to various binaries

Antonio Terceiro terceiro at debian.org
Wed Jul 27 12:49:27 BST 2022 

Control: clone -1 -2
Control: reassign -2 src:ruby3.1
Control: retitle -2 ruby3.1: reproducible builds: embeds path to various binaries

Hi,

On Sun, Jul 17, 2022 at 12:04:45PM +0100, Simon McVittie wrote:
> Control: severity -1 serious
> 
> On Fri, 25 Feb 2022 at 15:26:51 -0800, Vagrant Cascadian wrote:
> > The paths to various binaries, which differs on a usrmerge
> > vs. non-usrmerge system, are embedded in rbconfig.rb:
> > 
> >   https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/ruby3.0.html
> > 
> >   /usr/lib/x86_64-linux-gnu/ruby/3.0.0/rbconfig.rb
> > 
> >   CONFIG["EGREP"]·=·"/bin/grep·-E"
> >   vs.
> >   CONFIG["EGREP"]·=·"/usr/bin/grep·-E"
> 
> If these CONFIG variables are used for something at runtime, then this
> will become a practical problem as soon as Debian starts using merged-/usr
> buildds. The problem scenario is:
> 
> - ruby3.0 is built on a merged-/usr buildd
> - /usr/bin/grep is recorded in rbconfig.rb
> - this build of ruby3.0 is installed on a non-merged-/usr system during
>   the upgrade from Debian 11 to Debian 12
> - whatever feature uses CONFIG["EGREP"] will not work, because
>   non-merged-/usr systems only have /bin/grep
> 
> Technical Committee resolution
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
> that this class of bug is treated as release-critical, so I'm raising the
> severity of this bug report.
> 
> If none of the affected CONFIG variables are actually used for anything
> on installed systems, then the severity of this bug can be downgraded
> to non-RC (but it would be better to fix it anyway, because reproducible
> builds are a useful goal for other reasons).

Those variables are read from config.status during the builds. Maybe
this should be fixed centrally in autoconf instead?

> > Patch attached which passes variables to configure to use the
> > non-usrmerge locations, as usrmerge installations typically have
> > compatibility symlinks, but not vice-versa.
> 
> To clarify: in Debian, merged-/usr installations are *guaranteed* to
> have these compatibility symlinks. The patch looks appropriate to me,
> although I have not tested it.

Sure.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20220727/fd85037a/attachment.sig>

More information about the Pkg-ruby-extras-maintainers mailing list