[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 32bit arch packages are built with wrong ownership due to fakeroot bug

Hi,

Quoting Santiago Vila (2023-02-09 17:32:08)
> El 9/2/23 a las 15:37, Johannes Schauer Marin Rodrigues escribió:
> > I wanted to bring fakeroot bugs #1023286 and #1030638 to the attention of a
> > wider audience because even though I filed these bugs,
> 
> Thanks for bringing this up!
> 
> Can you confirm if all this is correct?
> 
> - Only packages uploaded after 2022-08-07 (when glibc 2.34 hit unstable) are
> potentially affected.

Correct. 2022-08-07 is a lower bound.

Or in a bit more detail: only packages rebuilt after toolchain packages have
been rebuilt with glibc 2.34 can be affected. For example all problems I
observed so far came from coreutils (cp, chown, chgrp) which was only rebuilt
with glibc 2.34 when 9.1-1 was uploaded in October 2022. But of course there
could be other software that modifies ownership information during builds that
was rebuilt with glibc 2.34 earlier than that and that I just do not know
about. So 2022-08-07 is a lower bound but not necessarily the largest lower
bound.

> - Packages with "Rules-Requires-Root: no" are never affected.

Only packages built inside fakeroot are affected. As far as I understand it,
fakeroot is not used by dpkg-buildpackage if Rules-Requires-Root is set to
"no".

> - No intervention from individual maintainers is required for fixing this, as
> we already have a binNMU mechanism which we already use for transitions.

Once fakeroot is fixed, binNMUs can be used to fix packages, yes. Without the
fakeroot fix in place, individual maintainers could do things to fix their
packages on the affected architectures but I do not think doing so is a good
idea.

> - A minor observation: Only packages which use dh_fixperms with -X (or
> --exclude) are apparently affected. Those which instead do chmod/chown after
> dh_fixperms are apparently not affected, at least after the first fakeroot
> bug (2022-11) was fixed.

I do not understand what makes you think that only packages using dh_fixperms
-X are affected? I think what makes the two packages that I found fail to have
correct permissions is that they both use dh_install which in turn uses 'cp -a'
which is broken under fakeroot on our 32bit architectures right now. I patched
mutt and added an 'ls -lha' in execute_before_dh_builddeb to show the problem:

$ ls -lha debian/tmp/usr/bin/mutt_dotlock debian/mutt/usr/bin/mutt_dotlock
-rwxr-sr-x 1 root root 9.6K Feb  9 22:06 debian/mutt/usr/bin/mutt_dotlock
-rwxr-sr-x 1 root mail  28K Feb  9 22:05 debian/tmp/usr/bin/mutt_dotlock

So the chgrp call in Makefile.am worked correctly and set the group owner to
"mail" but after dh_install moved mutt_dotlock from debian/tmp/ to debian/mutt/
using 'cp -a' (if I'm reading the code correctly) the group ownership
information is lost.

Thanks!

cheers, josch
Reply to: