Control: clone -1 -2
Control: reassign -2 src:ruby3.1
Control: retitle -2 ruby3.1: reproducible builds: embeds path to various binaries

Hi,

On Sun, Jul 17, 2022 at 12:04:45PM +0100, Simon McVittie wrote:
> Control: severity -1 serious
>
> On Fri, 25 Feb 2022 at 15:26:51 -0800, Vagrant Cascadian wrote:
> > The paths to various binaries, which differ on a usrmerge
> > vs. non-usrmerge system, are embedded in rbconfig.rb:
> >
> >   https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/ruby3.0.html
> >
> >   /usr/lib/x86_64-linux-gnu/ruby/3.0.0/rbconfig.rb
> >
> >   CONFIG["EGREP"]·=·"/bin/grep·-E"
> >   vs.
> >   CONFIG["EGREP"]·=·"/usr/bin/grep·-E"
>
> If these CONFIG variables are used for something at runtime, then this
> will become a practical problem as soon as Debian starts using merged-/usr
> buildds. The problem scenario is:
>
> - ruby3.0 is built on a merged-/usr buildd
> - /usr/bin/grep is recorded in rbconfig.rb
> - this build of ruby3.0 is installed on a non-merged-/usr system during
>   the upgrade from Debian 11 to Debian 12
> - whatever feature uses CONFIG["EGREP"] will not work, because
>   non-merged-/usr systems only have /bin/grep
>
> Technical Committee resolution
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994388#110 recommends
> that this class of bug is treated as release-critical, so I'm raising the
> severity of this bug report.
>
> If none of the affected CONFIG variables are actually used for anything
> on installed systems, then the severity of this bug can be downgraded
> to non-RC (but it would be better to fix it anyway, because reproducible
> builds are a useful goal for other reasons).

Those variables are read from config.status during the builds. Maybe
this should be fixed centrally in autoconf instead?

> > Patch attached which passes variables to configure to use the
> > non-usrmerge locations, as usrmerge installations typically have
> > compatibility symlinks, but not vice-versa.
>
> To clarify: in Debian, merged-/usr installations are *guaranteed* to
> have these compatibility symlinks. The patch looks appropriate to me,
> although I have not tested it.

Sure.
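
As an added illustration (not part of the original message or the attached patch), this Ruby script compares the CONFIG entries of two rbconfig.rb builds and separates differences that are only a merged-/usr path prefix from other differences, giving the non-usrmerge form that works on both layouts. The helper names are hypothetical and the sample entries are constructed, apart from the EGREP pair quoted above (shown with ordinary spaces).

```ruby
# Matches lines of the form: CONFIG["KEY"] = "value"
ASSIGNMENT = /^\s*CONFIG\["([^"]+)"\]\s*=\s*"((?:[^"\\]|\\.)*)"/

# Parse CONFIG assignments from rbconfig.rb text into a Hash.
def parse_rbconfig(text)
  text.each_line.with_object({}) do |line, config|
    m = ASSIGNMENT.match(line)
    config[m[1]] = m[2] if m
  end
end

# Map a merged-/usr command path to its non-usrmerge location
# (/usr/bin/grep -> /bin/grep); other values are returned unchanged.
def non_usrmerge_form(value)
  value.sub(%r{\A/usr/(bin|sbin|lib[^/]*)/}, '/\1/')
end

# Report keys whose values differ between two builds. A difference is
# :usrmerge_path when both values agree once the /usr prefix is dropped.
def usrmerge_differences(build_a, build_b)
  a = parse_rbconfig(build_a)
  b = parse_rbconfig(build_b)
  (a.keys & b.keys).sort.each_with_object([]) do |key, out|
    next if a[key] == b[key]
    portable = non_usrmerge_form(a[key])
    same_tool = portable == non_usrmerge_form(b[key])
    out << { key: key, values: [a[key], b[key]],
             kind: same_tool ? :usrmerge_path : :other,
             portable: same_tool ? portable : nil }
  end
end

# Constructed sample input (only the EGREP pair comes from the report).
NON_MERGED_BUILD = <<~'RB'
  CONFIG["EGREP"] = "/bin/grep -E"
  CONFIG["SED"] = "/bin/sed"
  CONFIG["CC"] = "x86_64-linux-gnu-gcc"
  CONFIG["build_os"] = "linux-gnu"
RB
MERGED_BUILD = <<~'RB'
  CONFIG["EGREP"] = "/usr/bin/grep -E"
  CONFIG["SED"] = "/usr/bin/sed"
  CONFIG["CC"] = "x86_64-linux-gnu-gcc"
  CONFIG["build_os"] = "linux"
RB

usrmerge_differences(NON_MERGED_BUILD, MERGED_BUILD).each do |d|
  puts "#{d[:key]}: #{d[:kind]} #{d[:values].inspect} portable=#{d[:portable].inspect}"
end
```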