Web lists-archives.com

Re: Our build system may be broken: /bin vs /usr/bin

Am 19.11.18 um 15:55 schrieb Dirk Eddelbuettel:
> tl;dr:  We may be messing up /bin and /usr/bin on some platforms
> Sorry for the alarming headline but #913982 was filed, indepedently
> corrobated and simultaneously discovered by upstream.
> GNU R has long been relying on sed, tar, bzip2, ... and many more base
> tools. No issues there. Generally looked for in /bin and found there.
> Starting with binary rebuild r-base_3.5.1-1+b2 however, /usr/bin/* path crept
> in while the binaries where still in the wrong place.  It looked like a
> one-off so I uploaded 3.5.1-2 which built fine for me on amd64 ...but
> apparently is already borked again on i386.
> I am at bit of loss here. Any ideas?

Most packages which are affected by this issue I've seen so far search
for the binaries in $PATH and encode the full path of the first find.
Since PATH is typically set to something like


the first find will be /usr/bin/sed on a merged-/usr system.
I suspect if you had a locally installed sed in /usr/local/bin, your
package would encode that as full path, i.e. would be misbuilt.
In the end it's a bug in your package which should be fixed there.

As Marco said, the obvious and simplest approach is to nail down the
paths during build to a path that is known to work everywhere, i.e. in
your case /bin/sed.
A more elaborate fix would be, to not use any hard-coded paths.

Such issues are tracked at [1]

See [2] as an example for such a fix using canonical paths during configure.

Afaik, Simon has asked the schroot maintainer to default to
non-merged-/usr for the time being and this change should have been
merged by now #913228.

That said we also now use reproducibe-builds.org to more systematically
find such issues, see #901473. Thanks a lot for that to all involved!

Short summary: Don't panic, the buildds will for the time being default
to non-merged-/usr but please do fix issues as #913982 properly by
either not hard-coding path at all or by pinning them to paths that are
known to work everywhere.

On the package tracker page, e.g. [3] in your case, you'll find a link
labelled "reproducibility". If your package fails to build reproducibly
and you find something like


in the diff, you'll know that your package is affected.


[3] https://tracker.debian.org/pkg/r-base

Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature