Bug#992645: ncftp: stores wrong path to tar if built on merged-/usr system
Simon McVittie
smcv at debian.org
Sat Aug 21 17:25:12 BST 2021
Source: ncftp
Version: 2:3.2.5-2.2
Severity: important
Tags: patch bookworm sid
User: reproducible-builds at lists.alioth.debian.org
Usertags: usrmerge
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
If ncftp is built on a merged-/usr system (as created by new installations
of Debian >= 10, debootstrap --merged-usr, or installing the usrmerge
package into an existing installation), the path to tar is recorded in the
binary as /usr/bin/tar.
This can be seen on the reproducible-builds.org infra:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/ncftp.html
(search for "/bin/tar" to see the difference I'm concerned about).
If you have sbuild available, an easy way to reproduce this is to build
ncftp twice, once with --add-depends-arch=usrmerge and once without.
The problematic situation is if pkgconf is *built* on a merged-/usr
system, but *used* on a non-merged-/usr system. In this situation,
/usr/bin/tar exists on the build system but not on the system where
ncftp will be used, resulting in the feature that uses tar not being
available.
Technical Committee resolution #978636 mandates heading towards a
transition to merged-/usr, and this will become a non-issue at the end of
that transition; but variation between merged-/usr and non-merged-/usr
builds is a problem while that transition is taking place, because it
can lead to partial upgrades behaving incorrectly. It is likely that
this class of bugs will become release-critical later in the bookworm
development cycle.
Some Debian developers advocate that instead of merged-/usr, we should
use a different strategy where /bin becomes a "symlink farm" with
individual symlinks such as /bin/tar -> /usr/bin/tar. If that route is
taken instead of merged-/usr, then resolving bugs like this one will be
equally important as part of that transition, because it shares the
property that both /bin/tar and /usr/bin/tar exist after the transition,
but only /bin/tar exists on untransitioned systems.
The attached patch resolves this: with it applied, the package builds
identically with and without --add-depends-arch=usrmerge.
A side benefit of fixing this is that this change might be sufficient
to make the package reproducible (as recommended by Policy §4.15).
smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-d-rules-Specify-canonical-path-to-tar.patch
Type: text/x-diff
Size: 1016 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20210821/05fa518e/attachment.patch>
More information about the Reproducible-bugs
mailing list