[Pkg-gmagick-im-team] Bug#983303: imagemagick: reproducible builds: Embeds different paths on usrmerge system

[Simon McVittie]

Control: severity -1 serious

On Mon, 22 Feb 2021 at 00:19:22 -0800, Vagrant Cascadian wrote:
> Various files embed the full path to the "mv" and "rm" binaries, which
> are different on usrmerge systems:
> 
>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/imagemagick.html
> 
>   /etc/ImageMagick-6/delegates.xml
> 
>   <delegate·xmlns=""·decode="bpg"·command=""bpgdec"·-b·16·-o·"%o.png"·"%i";·/bin/mv·"%o.png"·"%o""/>
>   vs.
>   <delegate·xmlns=""·decode="bpg"·command=""bpgdec"·-b·16·-o·"%o.png"·"%i";·/usr/bin/mv·"%o.png"·"%o""/>

This will be a practical problem as soon as Debian starts using merged-/usr
on official buildds, and the Debian technical committee resolution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
treating this class of bug as release-critical for Debian 12, so I'm
raising the severity of this bug.

The problem scenario is:

- build the package on a system where both /bin/mv and /usr/bin/mv exist
  (merged-/usr)
- install and run the package on a system where only /bin/mv exists
  (non-merged-/usr)
- result: the feature that runs mv will not work

> The attached patch fixes this in debian/rules by passing arguments to
> configure to use the paths in the non-usrmerge paths, as usrmerge
> systems typically have compatibility symlinks, while non-usrmerge
> systems do not.

This looks appropriate. To clarify, Debian installations with merged-/usr
are *guaranteed* to have the compatibility symlinks such as /bin ->
usr/bin, so it is always appropriate to use the canonical non-merged-/usr
paths such as /bin/mv.

Please upload a fixed package to unstable before the Debian 12 freeze.
Both the unstable and experimental versions of imagemagick seem to be
affected by this problem.

Thanks,
    smcv