Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Andreas Metzler <ametzler@debian.org>: Bug#990338; Package src:autogen.
(Sat, 26 Jun 2021 03:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Andreas Metzler <ametzler@debian.org>.
(Sat, 26 Jun 2021 03:57:03 GMT) (full text, mbox, link).
Source: autogen
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: shell
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Depending on what /bin/sh symlinks to, either /bin/sh or /bin/bash is
embedded in autoopts-config:
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/amd64/diffoscope-results/autogen.html
./usr/bin/autoopts-config
#!·/bin/bash
vs.
#!·/bin/sh
The attached patch fixes this by hard-coding CONFIG_SHELL=/bin/sh in
configure.ac.
I tried passing to configure or setting it in the environment, but both
approaches were ineffective.
Applying this patch *should* make autogen build reproducibly.
Thanks for maintaining autogen!
live well,
vagrant
Marked as found in versions autogen/1:5.19.96-1.
Request was from Andreas Metzler <ametzler@bebt.de>
to control@bugs.debian.org.
(Sat, 26 Jun 2021 12:30:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>: Bug#990338; Package src:autogen.
(Sat, 26 Jun 2021 13:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(Sat, 26 Jun 2021 13:09:02 GMT) (full text, mbox, link).
To: Vagrant Cascadian <vagrant@reproducible-builds.org>,
990338@bugs.debian.org
Subject: Re: Bug#990338: autogen: reproducible-builds: embeds /bin/sh or
/bin/bash in autoopts-config
Date: Sat, 26 Jun 2021 15:05:49 +0200
On 2021-06-26 Vagrant Cascadian <vagrant@reproducible-builds.org> wrote:
> Source: autogen
> Severity: normal
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: shell
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> Depending on what /bin/sh symlinks to, either /bin/sh or /bin/bash is
> embedded in autoopts-config:
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/amd64/diffoscope-results/autogen.html
> ./usr/bin/autoopts-config
> #!·/bin/bash
> vs.
> #!·/bin/sh
> The attached patch fixes this by hard-coding CONFIG_SHELL=/bin/sh in
> configure.ac.
> I tried passing to configure or setting it in the environment, but both
> approaches were ineffective.
> Applying this patch *should* make autogen build reproducibly.
[...]
> -[CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
> -f=`${CONFIG_SHELL} -c 'echo true | (
> - exec 2>/dev/null ; read -u0 line ; echo $line ; )'`
> -test X$f = Xtrue || CONFIG_SHELL=`command -v bash`]
> +CONFIG_SHELL=/bin/sh
> AC_SUBST(CONFIG_SHELL)
> AC_DEFINE_UNQUOTED(CONFIG_SHELL,$CONFIG_SHELL,
> [Define this to a working Bourne shell])
[...]
Hello Vagrant,
thanks for the report. The ./configure test checks whether $CONFIG_SHELL
supports (non-posix) read -u and uses bash otherwise. This test succeeds
if /bin/sh happens to point to bash. However autogen shell code seems to
actually makes use of the read -u option and therefore an autogen binary
with the patch or built on a system with /bin/sh=bash will likely be
broken, not properly working on system with /bin/sh=dash.
So I think the proper fix (for the very real bug) would be to pass
CONFIG_SHELL=/bin/bash to configure.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Information forwarded
to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>: Bug#990338; Package src:autogen.
(Sat, 26 Jun 2021 17:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(Sat, 26 Jun 2021 17:00:03 GMT) (full text, mbox, link).
On 2021-06-26, Andreas Metzler wrote:
> On 2021-06-26 Vagrant Cascadian <vagrant@reproducible-builds.org> wrote:
>> Depending on what /bin/sh symlinks to, either /bin/sh or /bin/bash is
>> embedded in autoopts-config:
>
>> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/amd64/diffoscope-results/autogen.html
>
>> ./usr/bin/autoopts-config
>
>> #!·/bin/bash
>> vs.
>> #!·/bin/sh
>
>> The attached patch fixes this by hard-coding CONFIG_SHELL=/bin/sh in
>> configure.ac.
>
>> I tried passing to configure or setting it in the environment, but both
>> approaches were ineffective.
>
>> Applying this patch *should* make autogen build reproducibly.
> [...]
>> -[CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
>> -f=`${CONFIG_SHELL} -c 'echo true | (
>> - exec 2>/dev/null ; read -u0 line ; echo $line ; )'`
>> -test X$f = Xtrue || CONFIG_SHELL=`command -v bash`]
>> +CONFIG_SHELL=/bin/sh
>> AC_SUBST(CONFIG_SHELL)
>> AC_DEFINE_UNQUOTED(CONFIG_SHELL,$CONFIG_SHELL,
>> [Define this to a working Bourne shell])
> [...]
>
> Hello Vagrant,
>
> thanks for the report. The ./configure test checks whether $CONFIG_SHELL
> supports (non-posix) read -u and uses bash otherwise. This test succeeds
> if /bin/sh happens to point to bash. However autogen shell code seems to
> actually makes use of the read -u option and therefore an autogen binary
> with the patch or built on a system with /bin/sh=bash will likely be
> broken, not properly working on system with /bin/sh=dash.
> So I think the proper fix (for the very real bug) would be to pass
> CONFIG_SHELL=/bin/bash to configure.
I believe I did at one point try that, but will test again to be sure.
live well,
vagrant
Information forwarded
to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>: Bug#990338; Package src:autogen.
(Sat, 26 Jun 2021 18:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Bruce Korb <bruce.korb@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(Sat, 26 Jun 2021 18:06:03 GMT) (full text, mbox, link).
To: Andreas Metzler <ametzler@bebt.de>, 990338@bugs.debian.org,
Vagrant Cascadian <vagrant@reproducible-builds.org>
Subject: Re: Bug#990338: autogen: reproducible-builds: embeds /bin/sh or
/bin/bash in autoopts-config
Date: Sat, 26 Jun 2021 11:03:54 -0700
On 6/26/21 6:05 AM, Andreas Metzler wrote:
> thanks for the report. The ./configure test checks whether $CONFIG_SHELL
> supports (non-posix) read -u and uses bash otherwise. This test succeeds
"read -u4" avoids redirecting stdin and avoiding that keeps the
activities from being done in a subshell. If you do stuff in a subshell,
the information stashed in variables is invisible. I think the "-u"
option is a couple of decades old now. I wonder what the POSIX point of
resistance is on that feature.
I believe Andreas' solution should be correct: force CONFIG_SHELL to a
shell that supports "read -u".
It is possible the dependence on "-u" can be removed, if my scan over
the code is correct. It looks like the templates I use use that option
only to avoid an otherwise unnecessary fork() call. If so, the loops
involved can be fixed up with a "done <&4" at the end and removing the
"-u" option.
There's still the issue of "mk-unlocked-io.sh" tho:
> do_stdio() {
> while read -u4 line
> do
> [[ "$line" =~ $extern_line ]] || continue
> [[ "$line" =~ $close_decl ]] || {
> read -u4 args || die "no close for $line"
> line+="$args"
> }
>
> ct=$(sed 's/.*( *//;s/ *).*//' <<<"$line")
> if (( ${#ct} > 0 )) && [[ "$ct" != "void" ]]
> then
> ct=$(sed 's/[^,]//g' <<<"$ct")
> ct=$(( (${#ct} * 3) + 2 ))
> args='_w,_x,_y,_z'
> args=${args:$(( ${#args} - ct )):$ct}
> else
> args='' ct=0
> fi
> do_func "$line" "$args"
> done
> }
That may be trickier, but I am uncertain of its use anymore. :) (I
stopped being a programmer 6 years ago now. I'm retired. It's been a
long time.) I think that is an AutoGen developer only script for
fabricating an "autoopts/unlocked-io.h" header. It should not be
relevant to reproducible builds. But I cannot be certain anymore.
Cheers - Bruce
Information forwarded
to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>: Bug#990338; Package src:autogen.
(Sun, 27 Jun 2021 11:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(Sun, 27 Jun 2021 11:57:02 GMT) (full text, mbox, link).
To: Vagrant Cascadian <vagrant@reproducible-builds.org>,
990338@bugs.debian.org
Subject: Re: Bug#990338: autogen: reproducible-builds: embeds /bin/sh or
/bin/bash in autoopts-config
Date: Sun, 27 Jun 2021 13:54:13 +0200
On 2021-06-26 Vagrant Cascadian <vagrant@reproducible-builds.org> wrote:
> On 2021-06-26, Andreas Metzler wrote:
[...]
>> So I think the proper fix (for the very real bug) would be to pass
>> CONFIG_SHELL=/bin/bash to configure.
> I believe I did at one point try that, but will test again to be sure.
diffomatic seems to be happy with
diff --git a/debian/rules b/debian/rules
index 2204e82..8f298af 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,7 +21,8 @@ override_dh_auto_configure:
--enable-timeout=78 \
--with-libxml2-libs="$(shell $(DEB_HOST_GNU_TYPE)-pkg-config --libs libxml-2.0)" \
--with-libxml2-cflags="$(shell $(DEB_HOST_GNU_TYPE)-pkg-config --cflags libxml-2.0)" \
- GREP=/bin/grep POSIX_SHELL=/bin/sh SHELL=/bin/sh
+ GREP=/bin/grep POSIX_SHELL=/bin/sh SHELL=/bin/sh \
+ CONFIG_SHELL=/bin/bash
override_dh_auto_build:
dh_auto_build --verbose
cu Andreas
Reply sent
to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
(Sun, 04 Jul 2021 16:51:03 GMT) (full text, mbox, link).
Notification sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer.
(Sun, 04 Jul 2021 16:51:03 GMT) (full text, mbox, link).
Source: autogen
Source-Version: 1:5.19.96-2
Done: Andreas Metzler <ametzler@debian.org>
We believe that the bug you reported is fixed in the latest version of
autogen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 990338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated autogen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 04 Jul 2021 14:57:43 +0200
Source: autogen
Architecture: source
Version: 1:5.19.96-2
Distribution: experimental
Urgency: medium
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 990338
Changes:
autogen (1:5.19.96-2) experimental; urgency=medium
.
* Build with CONFIG_SHELL=/bin/bash to make sure the shell supports
"read -u". Closes: #990338
* [lintian] Use v4 watchfile.
* Upgrade to debhelper v13.
Checksums-Sha1:
8c47328f25ea4477d5de55448ba494088e49805e 2400 autogen_5.19.96-2.dsc
429b2e1a7610dfe9f32a4903705fbfd4584e9586 21760 autogen_5.19.96-2.debian.tar.xz
Checksums-Sha256:
ddac1b4f6a4c4f111883c863c80afa9b5e33dddc1344f277865de174f636a333 2400 autogen_5.19.96-2.dsc
d3d7b47ea1951125b577420cd7df65954041034768f5210fae2d8179c6394ae5 21760 autogen_5.19.96-2.debian.tar.xz
Files:
a7bb7a64ec2701f3c6393446df4c7a79 2400 devel optional autogen_5.19.96-2.dsc
566babc6bbfb502ca7ed113d9a992638 21760 devel optional autogen_5.19.96-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmDh4y8ACgkQpU8BhUOC
FIT4Xg//bWlTGCdEknmmJO6wbVpSvutCeODo/ziIx1w1eSNeIpdBvXvG+idNoAcy
i1fgq/mv98uStGhuZb8nRX7bvGNyj69GFeGQn6MXwGlbu5RJT4N2XQD8Fzqe3wNX
V3dR6dOhLppNiEas5grtKneQ8La221uB+lFT8V/DIFFDqIwokuBN9QHd1L9+fG40
UyABun4HmmfX7Wvgd58+X02P/TsOzTHRUkr0rySIE10SBg4uaSPWre98lrNv3u2w
WPLqHJYLjwI8HUQFzpdNfNqY7VOqYd3RwYK08KVaQDw5q4hNoQ6rT25cCrw6ZS91
oYo5RIMIdH7oKNA/BmAEDPFSwuO+8fHuLbT2N782SoLWhdPiHvlelJ4jvDJlUXGA
UJWmPBiWw2WnDUwnIyFk1nYVvLVJ6SBqBougAd9yBL5UhN9a8CwhjN4zVHhw3Lkr
9YducsuOmAR1u4Hk93AhuQ0QGsGnl/JkrtDDTnXri1Unuj7MZO+YD+EsxOHIzYKk
2LhP7dvzpEpEeRO4QMlRYbMZF4KNrexpuIMoSwgkcJNB6y2TMqjuMVkeZYmIJiSW
BtYweSxY/KIeg3Rxy1s4dRAGo7ClDzyn2Ijwqp2kQHdAetZVjiko+4juBzFecHBj
ZfHBJNxprx1EL0MnZ2INoR064Ko6kCKIBoFrEzTKW47qkMwnIfI=
=qqQw
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 02 Aug 2021 07:25:43 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.