Your message dated Sun, 18 Nov 2018 23:04:19 +0000
with message-id <e1gow71-0007pf...@fasolo.debian.org>
and subject line Bug#913582: fixed in gnupg2 2.2.11-1
has caused the Debian Bug report #913582,
regarding gpg-zip: wrong default TAR path if built on a merged-/usr system and 
used on an unmerged-/usr system
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
913582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913582
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnupg-utils
Version: 2.2.10-3
Severity: normal
User: m...@linux.it
Usertags: usrmerge

gnupg2 appears to have a build bug that can be reproduced as follows
(I haven't actually tested this myself):

* Have two systems/chroots/containers, one with merged /usr (/bin is a
  symlink to /usr/bin) and one without
* Build gnupg2 on the first system
* Install it on the second system and use gpg-zip

Expected result:

* gpg-zip invokes /bin/tar (or just tar as found in PATH) and succeeds

Actual result:

* gpg-zip invokes /usr/bin/tar and fails

----

I recently added a new point of variation (#901473) to Debian's
reproducible builds infrastructure: the first build is done in a
traditional Debian system with separate /bin and /usr/bin, while the
second is done with merged /usr (/bin is a symbolic link to /usr/bin).

gnupg2 appears to have the class of bug that this was meant to detect.
If you look at
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/gnupg2.html
you'll see that in the first build, gpg-zip has

VERSION=2.2.10
TAR=/bin/tar
GPG=gpg

whereas in the second, gpg-zip has

VERSION=2.2.10
TAR=/usr/bin/tar
GPG=gpg

When gpg-zip invokes $TAR, for example in "$TAR -xvf -", on a system
without merged /usr, it will only work if TAR is /bin/tar (or just "tar").

This can probably be fixed by passing TAR=/bin/tar to the configure script.

Mitigation: if you do source-only uploads, the older debootstrap currently
in use on buildds will create non-merged-/usr schroot tarballs, so users
will not currently experience this bug. (However, if stretch-backports'
debootstrap is brought up to date with buster and deployed to buildds
without first applying #913228, that mitigation will go away.)

    smcv

--- End Message ---
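The check described in the report above, sketched as an added example (not part of the bug report, gnupg2, or Debian's reproducible-builds tooling): compare the variable blocks of two builds for paths that differ only by a leading /usr, and list baked-in paths that are missing on the installed system. The function names usrmerge_diff and missing_baked_paths are hypothetical, and the sample files are constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added example: detect tool paths baked in at build time that depend on
# whether the build system had merged /usr. Function names are hypothetical.

# usrmerge_diff BUILD1 BUILD2
# Prints "NAME VALUE1 VALUE2" for every NAME=/abs/path assignment whose value
# differs between the two builds only by a leading /usr.
usrmerge_diff() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*=\// {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (FILENAME == ARGV[1]) first[name] = value
            else second[name] = value
        }
        END {
            for (name in first) {
                if (!(name in second)) continue
                a = first[name]; b = second[name]
                if (a != b && (("/usr" a) == b || a == ("/usr" b)))
                    print name, a, b
            }
        }
    ' "$1" "$2"
}

# missing_baked_paths SCRIPT
# Prints "NAME VALUE" for every baked-in absolute path that is not executable
# on the system where SCRIPT is installed (the failure the report describes).
missing_baked_paths() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=\(\/[^ ]*\)$/\1 \2/p' "$1" |
    while read -r name value; do
        [ -x "$value" ] || printf '%s %s\n' "$name" "$value"
    done
}

# Constructed sample input: the two variable blocks quoted in the report.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'VERSION=2.2.10\nTAR=/bin/tar\nGPG=gpg\n' > "$sample_dir/build1"
printf 'VERSION=2.2.10\nTAR=/usr/bin/tar\nGPG=gpg\n' > "$sample_dir/build2"

usrmerge_diff "$sample_dir/build1" "$sample_dir/build2"
missing_baked_paths "$sample_dir/build2"
```

Whether the second call prints anything depends on the machine it runs on: it reports TAR only where /usr/bin/tar is absent, which is the unmerged-/usr case in the report.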
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.11-1

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Nov 2018 17:38:30 -0500
Source: gnupg2
Binary: gpgconf gnupg-agent gpg-agent gpg-wks-server gpg-wks-client scdaemon gpgsm gpg gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb gpgv-static gpgv-win32 gnupg-l10n gnupg-utils
Architecture: source
Version: 2.2.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Description:
 dirmngr    - GNU privacy guard - network certificate management service
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-agent - GNU privacy guard - cryptographic agent (dummy transitional packa
 gnupg-l10n - GNU privacy guard - localization files
 gnupg-utils - GNU privacy guard - utility programs
 gnupg2     - GNU privacy guard - a free PGP replacement (dummy transitional pa
 gpg        - GNU Privacy Guard -- minimalist public key operations
 gpg-agent  - GNU privacy guard - cryptographic agent
 gpg-wks-client - GNU privacy guard - Web Key Service client
 gpg-wks-server - GNU privacy guard - Web Key Service server
 gpgconf    - GNU privacy guard - core configuration utilities
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-static - minimal signature verification tool (static build)
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
 gpgv2      - GNU privacy guard - signature verification tool (dummy transition
 scdaemon   - GNU privacy guard - smart card support
Closes: 913582
Changes:
 gnupg2 (2.2.11-1) unstable; urgency=medium
 .
   * new upstream release
   * refresh patches
   * refresh upstream/signing-key.asc
   * deprecate gpg-zip
   * gnupg-utils: ship gpgtar, since gpg-zip is deprecated
   * Make gpg-zip use tar from $PATH (Closes: #913582)
   * fix spelling mistakes in tools documentation

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTTaP514aqS9uSbmdJsHx7ezFD6UwUCW/Ht6wAKCRBsHx7ezFD6
U7TVAP9ROqttA1K4jVCUcnDS0MS6Hy1maQ/Yp9vSq22jbfes3gEAgXVYTN4cbgJq
0Mas3a4VcHf5+WxIfFW1MHgi7ZHEIwU=
=V5IP
-----END PGP SIGNATURE-----

--- End Message ---
