[DRE-maint] Bug#1006471: ruby3.0: reproducible builds: embeds path to various binaries

Simon McVittie smcv at debian.org
Sun Jul 17 12:04:45 BST 2022


Control: severity -1 serious

On Fri, 25 Feb 2022 at 15:26:51 -0800, Vagrant Cascadian wrote:
> The paths to various binaries, which differs on a usrmerge
> vs. non-usrmerge system, are embedded in rbconfig.rb:
> 
>   https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/ruby3.0.html
> 
>   /usr/lib/x86_64-linux-gnu/ruby/3.0.0/rbconfig.rb
> 
>   CONFIG["EGREP"]·=·"/bin/grep·-E"
>   vs.
>   CONFIG["EGREP"]·=·"/usr/bin/grep·-E"

If these CONFIG variables are used for something at runtime, then this
will become a practical problem as soon as Debian starts using merged-/usr
buildds. The problem scenario is:

- ruby3.0 is built on a merged-/usr buildd
- /usr/bin/grep is recorded in rbconfig.rb
- this build of ruby3.0 is installed on a non-merged-/usr system during
  the upgrade from Debian 11 to Debian 12
- whatever feature uses CONFIG["EGREP"] will not work, because
  non-merged-/usr systems only have /bin/grep

Technical Committee resolution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
that this class of bug is treated as release-critical, so I'm raising the
severity of this bug report.

If none of the affected CONFIG variables are actually used for anything
on installed systems, then the severity of this bug can be downgraded
to non-RC (but it would be better to fix it anyway, because reproducible
builds are a useful goal for other reasons).

> Patch attached which passes variables to configure to use the
> non-usrmerge locations, as usrmerge installations typically have
> compatibility symlinks, but not vice-versa.

To clarify: in Debian, merged-/usr installations are *guaranteed* to
have these compatibility symlinks. The patch looks appropriate to me,
although I have not tested it.

    smcv



More information about the Pkg-ruby-extras-maintainers mailing list