Bug#1001210: ksh93u+m: stores wrong path to tput if /bin/tput or /usr/local/bin/tput exists
Simon McVittie
smcv at debian.org
Mon Dec 6 13:21:44 GMT 2021
Source: ksh93u+m
Version: 1.0.0~beta.1-3
Severity: important
Tags: patch bookworm sid
User: reproducible-builds at lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
If ksh93u+m is built on a merged-/usr system (as created by new
installations of Debian >= 10, debootstrap --merged-usr, or installing
the usrmerge package into an existing installation), the path to tput
is recorded in the binary package as /bin/tput, rather than the
canonical /usr/bin/tput.
This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/ksh93u+m.html
If you have sbuild available, an easy way to reproduce this is to build
twice, once with --add-depends=usrmerge and once without.
The problematic situation is if the package is *built* on a unified-/usr
system, but *used* on a non-unified-/usr system. In this situation,
/bin/tput exists on the build system but not on the system where the
package will be used, resulting in the features that use this executable
not working correctly.
Similarly, if there is a /usr/local/bin/tput visible at build-time,
then that path would likely end up hard-coded into the binary,
causing the relevant feature to fail on all systems that do not have
/usr/local/bin/tput.
Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and variation between merged-/usr and
non-merged-/usr builds is a problem while that transition is taking
place, because it can lead to partial upgrades behaving incorrectly. It
is likely that this class of bugs will become release-critical later in
the bookworm development cycle.
The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends=usrmerge. Unfortunately I was
not able to find a way to do this via build-time configuration, which
would have been preferable to patching.
Some developers advocate unifying /bin with /usr/bin via a symlink farm
in /bin instead of merged-/usr, but that strategy would have a similar
practical effect on this particular package, and the same solution would
be required.
A side benefit of fixing this is that this change might be sufficient
to make the package reproducible in general (as recommended by Policy
§4.15).
smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hard-code-tput-to-be-found-at-usr-bin-tput.patch
Type: text/x-diff
Size: 1401 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20211206/f76be795/attachment.patch>
More information about the Reproducible-bugs
mailing list