Hi Sebastian, all,Hi,
Will this fix be enough for addressing all cases, though?
I'm thinking specifically of cases where tarball repacking
is involved, for example when using git-buildpackage's
"gbp import-orig --uscan" where uscan is used to download and
repack the upstream tarball, because the package at hand has
a Files-Excluded field in its debian/copyright header stanza.
As far as I can tell, Devscripts::Compression would need to be
updated to specify -T1 for xz compressions.
I believe there are also some cases where git-buildpackage
itself does repacking, so we'd probably want to update its gbp.pkg.compressor's Opts to pass in -T1 for xz.
Thanks,
-a
On 2024-03-11 00:05:54 [+0000], Amin Bandali wrote:
Hi Sebastian, all,Hi,
Will this fix be enough for addressing all cases, though?
I think so. Do you have a test case for me to check?
I'm thinking specifically of cases where tarball repacking
is involved, for example when using git-buildpackage's
"gbp import-orig --uscan" where uscan is used to download and
repack the upstream tarball, because the package at hand has
a Files-Excluded field in its debian/copyright header stanza.
As far as I can tell, Devscripts::Compression would need to be
updated to specify -T1 for xz compressions.
I believe there are also some cases where git-buildpackage
itself does repacking, so we'd probably want to update its gbp.pkg.compressor's Opts to pass in -T1 for xz.
Who is handling the compression in the first place here?
The idea is to pass -T1 to xz if nothing was recorded in pristine-tar's
delta information. If the -T argument then everything keeps working
as-is. If you use gbp to repack the tar archive then I would recommend
to no pass -T1 and to use multi-threaded compression. pristine-tar
will recongnise this and record this information.
Sebastian
Hi,Hi,
On Mon, Mar 11, 2024 at 05:55:31PM +0100, Sebastian Andrzej Siewior wrote:
On 2024-03-11 00:05:54 [+0000], Amin Bandali wrote:
Hi Sebastian, all,Hi,
Will this fix be enough for addressing all cases, though?
I think so. Do you have a test case for me to check?
Not about pristine-xz specifically; I meant more in the context of
other devel tools like gbp et al.
Who is handling the compression in the first place here?
In the case of "gbp import-orig --uscan", gbp invokes uscan, part of
the devscripts package which has several perl modules including Devscripts::Compression which is a sort of a wrapper around dpkg's Dpkg::Compression, which will ultimately run the 'xz' executable.
In some other cases like "gbp import-orig --filter" mentioned by
Andrey, gbp does the compression itself. Which is why I suggested
that 'Opts' in gbp.pkg.compressor may need to be updated to add '-T1'
for calls to 'xz'.
The idea is to pass -T1 to xz if nothing was recorded in pristine-tar's delta information. If the -T argument then everything keeps working
as-is. If you use gbp to repack the tar archive then I would recommend
to no pass -T1 and to use multi-threaded compression. pristine-tar
will recongnise this and record this information.
Sorry I don't think I fully understood this bit. Could you please
explain again, perhaps a bit more verbosely?
To clarify, the use-cases described earlier involving gbp and
devscripts aren't necessarily related to pristine-xz, used for
regenerating pristine xz files; rather, about the generation or
repacking of xz files *before* they are handed to pristine-xz for
processing and storage in the repo. I was trying to imply that
similarly to how you sent patches for pristine-tar to adapt it for
changes in xz-utils, that similar patches are probably also needed
for gbp and devscripts. Does that make sense?
Thanks,
-amin
Could someone check this, please?
Did you try running autopkgtests on this version? The autopkgtests fail for me.
I assume that the largest use of pristine-tar in Debian is with git-buildpackage. The 1.50+nmu1 upload **caused** pristine-tar to
break in many cases for me. If I revert back to 1.50, I no longer get mismatched tarballs errors. Here are some test cases to demonstrate:
Test Case 1
==========
gbp clone --add-upstream-vcs https://salsa.debian.org/jbicha/pangomm2.48
cd pangomm2.48
gbp import-orig --uscan
gbp buildpackage
What happens
------
The exact hashes will probably vary but I get an error like this:
gbp:error: Pristine-tar couldn't verify
"pangomm2.48_2.50.2.orig.tar.xz": pristine-tar: /home/jeremy/build-area/pangomm2.48_2.50.2.orig.tar.xz does not match
stored hash (expected e99b6a9c89e9c284bf44f5ae8125c06515d6ab8f8577d75d2887726dacb5a372, got 826ad52f53ac8e15c9ceba4dc6e616efddae5e089f36bf4e60081c177d80d4b6)
Other info
-----
pangomm2.48 uses Files-Excluded in debian/copyright so uscan will
rebuild a tarball and its hash will vary depending on the time it was created. (Perhaps the hash should be reproducible but that's not
relevant to this bug.)
Test Case 2
=========
gbp clone https://salsa.debian.org/gnome-team/gtk4
cd gtk4
gbp buildpackage
What happens
------------
gbp:error: Pristine-tar couldn't verify "gtk4_4.12.5+ds.orig.tar.xz": pristine-tar: /home/jeremy/devel/pkg-gnome/temp/build-area/gtk4_4.12.5+ds.orig.tar.xz
does not match stored hash (expected 3338a691d774ae031af65299e9a1c6207f543f13b256539717a1970f752358cb, got 70ac33e0f37dc1b657d6560f1b8a40b3f4b67e956936633ced495d8b880d3fb0)
Other info
----
This pristine-tar tarball was committed January 19 so it did not use
either the new xz-utils or pristine-tar.
Test Case 3
=========
gbp clone https://salsa.debian.org/gnome-team/pango
cd pango
gbp buildpackage
What happens
-------------------
gbp:error: Pristine-tar couldn't verify
"pango1.0_1.52.1+ds.orig.tar.xz": pristine-tar: /home/jeremy/devel/pkg-gnome/temp/build-area/pango1.0_1.52.1+ds.orig.tar.xz does not match stored hash (expected 12d67d8182cbb2ae427406df9bab5ce2ff5619102bf2a0fc6331d80a9914b139, got a641d29d2d7df7843e44762a0733987dc8220d238b697b382dd96fafe5fc890a)
Other info
-------------
This tarball was committed a few days ago with the new xz-utils and pristine-tar 1.50+nmu1.
pango also uses Files-Excluded
Conclusion
========
Test cases 1, 2, and 3 pass with pristine-tar 1.50 but fail with
pristine-tar 1.50+nmu1
Thank you,
Jeremy Bícha
tried with 1.50+nmu2 which is in deferred for the next 11h. So tomorrow
it should be all good.
On Tue, Mar 12, 2024 at 4:13 PM Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
On 2024-03-12 09:26:32 [-0400], Jeremy Bícha wrote:
Could someone check this, please?
Did you try running autopkgtests on this version? The autopkgtests fail for me.
autopkgtests were the first thing that pointed me here and they passed.
If you say they fail for you then I may have used the wrong xz version…
I tried running the autopkgtests locally using a version of 1.50+nmu2
that I built using your patch and the autopkgtests failed.
None of the 3 test cases passed for me with that version or with 1.50+nmu1.
Given what has unfolded over the past few days regarding xz-utils and CVE-2024-3094 [0], should we revisit the patches applied here and for #1063252? Are they still needed?
Thank you,
tony
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 297 |
Nodes: | 16 (2 / 14) |
Uptime: | 06:05:39 |
Calls: | 6,666 |
Files: | 12,213 |
Messages: | 5,336,021 |