• Bug#1065751: pristine-tar: diff for NMU version 1.50+nmu2

    From Andrey Rakhmatullin@21:1/5 to Amin Bandali on Mon Mar 11 09:10:01 2024
    On Mon, Mar 11, 2024 at 12:05:54AM +0000, Amin Bandali wrote:
    > I believe there are also some cases where git-buildpackage
    > itself does repacking
    E.g. `gbp import-orig --filter`

    --
    WBR, wRAR


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Bícha@21:1/5 to sebastian@breakpoint.cc on Tue Mar 12 14:40:01 2024
    On Sun, Mar 10, 2024 at 4:46 PM Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:
    > I've prepared an NMU for pristine-tar (versioned as 1.50+nmu2) and
    > uploaded it to DELAYED/2. Please feel free to tell me if I
    > should delay it longer.

    Could someone check this, please?

    Did you try running autopkgtests on this version? The autopkgtests fail for me.

    I assume that the largest use of pristine-tar in Debian is with git-buildpackage. The 1.50+nmu1 upload **caused** pristine-tar to
    break in many cases for me. If I revert back to 1.50, I no longer get mismatched tarball errors. Here are some test cases to demonstrate:

    Test Case 1
    ===========
    gbp clone --add-upstream-vcs https://salsa.debian.org/jbicha/pangomm2.48

    cd pangomm2.48

    gbp import-orig --uscan

    gbp buildpackage

    What happens
    ------------
    The exact hashes will probably vary but I get an error like this:

    gbp:error: Pristine-tar couldn't verify
    "pangomm2.48_2.50.2.orig.tar.xz": pristine-tar: /home/jeremy/build-area/pangomm2.48_2.50.2.orig.tar.xz does not match
    stored hash (expected e99b6a9c89e9c284bf44f5ae8125c06515d6ab8f8577d75d2887726dacb5a372, got 826ad52f53ac8e15c9ceba4dc6e616efddae5e089f36bf4e60081c177d80d4b6)

    Other info
    ----------
    pangomm2.48 uses Files-Excluded in debian/copyright so uscan will
    rebuild a tarball and its hash will vary depending on the time it was
    created. (Perhaps the hash should be reproducible but that's not
    relevant to this bug.)

    Test Case 2
    ===========
    gbp clone https://salsa.debian.org/gnome-team/gtk4
    cd gtk4
    gbp buildpackage

    What happens
    ------------
    gbp:error: Pristine-tar couldn't verify "gtk4_4.12.5+ds.orig.tar.xz": pristine-tar: /home/jeremy/devel/pkg-gnome/temp/build-area/gtk4_4.12.5+ds.orig.tar.xz
    does not match stored hash (expected 3338a691d774ae031af65299e9a1c6207f543f13b256539717a1970f752358cb, got 70ac33e0f37dc1b657d6560f1b8a40b3f4b67e956936633ced495d8b880d3fb0)

    Other info
    ----------
    This pristine-tar tarball was committed January 19 so it did not use
    either the new xz-utils or pristine-tar.

    Test Case 3
    ===========
    gbp clone https://salsa.debian.org/gnome-team/pango
    cd pango
    gbp buildpackage

    What happens
    ------------
    gbp:error: Pristine-tar couldn't verify
    "pango1.0_1.52.1+ds.orig.tar.xz": pristine-tar: /home/jeremy/devel/pkg-gnome/temp/build-area/pango1.0_1.52.1+ds.orig.tar.xz does not match stored hash (expected 12d67d8182cbb2ae427406df9bab5ce2ff5619102bf2a0fc6331d80a9914b139, got a641d29d2d7df7843e44762a0733987dc8220d238b697b382dd96fafe5fc890a)

    Other info
    ----------
    This tarball was committed a few days ago with the new xz-utils and pristine-tar 1.50+nmu1.
    pango also uses Files-Excluded

    Conclusion
    ==========
    Test cases 1, 2, and 3 pass with pristine-tar 1.50 but fail with
    pristine-tar 1.50+nmu1

    Thank you,
    Jeremy Bícha

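    The "Other info" notes above say the tarball hash "will vary depending on the time it was created" when uscan repacks a source with Files-Excluded, and the gbp errors show what pristine-tar does with such a tarball: it hashes the file on disk and compares it with the hash recorded when the tarball was committed. The script below is an added illustration written for this page, not code from pristine-tar, uscan or gbp. It builds a constructed in-memory source tree into an xz tarball twice, "an hour apart", once the naive way (each member stamped with the current time) and once with the normalisation a reproducible repack needs (sorted member order, fixed mtime, owner and mode), and runs a pristine-tar-style verify over the results. SAMPLE_TREE, FIXED_MTIME and the function names are assumptions made here; the xz container itself carries no timestamp, so once the tar stream is deterministic the compressed output is too.

```python
import hashlib
import io
import lzma
import tarfile

# Constructed sample source tree (assumption, not from the bug report):
# member name -> file content.
SAMPLE_TREE = {
    "pkg-1.0/src/util.c": b"/* helper */\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "pkg-1.0/README": b"sample project\n",
}

# Fixed timestamp applied when normalising (the role SOURCE_DATE_EPOCH plays in
# reproducible builds). The value is arbitrary; it only has to be constant.
FIXED_MTIME = 1_700_000_000


def build_orig_tarball(tree, creation_time, normalize=False):
    """Return the bytes of an xz-compressed tar archive of `tree`.

    normalize=False: every member is stamped with `creation_time` and written in
    whatever order the tree is iterated, as a naive repack does, so the archive
    bytes (and hence its hash) change with the clock.
    normalize=True: members are sorted and given a fixed mtime/owner/mode, so the
    same tree always produces identical bytes whatever `creation_time` is.
    """
    raw = io.BytesIO()
    names = sorted(tree) if normalize else list(tree)
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mtime = FIXED_MTIME if normalize else creation_time
            tar.addfile(info, io.BytesIO(data))
    # The xz container has no timestamp field: identical input and settings give
    # identical compressed output, so only the tar stream needs normalising.
    return lzma.compress(raw.getvalue(), format=lzma.FORMAT_XZ, preset=6)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_orig(data, expected_hex):
    """The check behind the gbp error above: hash the tarball on disk and compare
    it with the hash recorded when it was committed. Returns (ok, got)."""
    got = sha256_hex(data)
    return got == expected_hex, got


if __name__ == "__main__":
    t1, t2 = 1_710_000_000, 1_710_003_600  # two repacks, one hour apart

    naive_a = build_orig_tarball(SAMPLE_TREE, t1)
    naive_b = build_orig_tarball(SAMPLE_TREE, t2)
    print("naive repack, same tree, an hour apart, hashes equal:",
          sha256_hex(naive_a) == sha256_hex(naive_b))

    repro_a = build_orig_tarball(SAMPLE_TREE, t1, normalize=True)
    repro_b = build_orig_tarball(SAMPLE_TREE, t2, normalize=True)
    print("normalised repack, hashes equal:",
          sha256_hex(repro_a) == sha256_hex(repro_b))

    # Verify the later naive tarball against the hash recorded for the earlier
    # one: this is the "does not match stored hash" situation from the report.
    ok, got = verify_orig(naive_b, sha256_hex(naive_a))
    print("verify later naive tarball against recorded hash:", ok)
```

    Running it shows the naive repacks disagreeing and the normalised ones matching, which is the difference between a tarball pristine-tar can verify forever and one that only matches on the day it was made. Debian's real tooling handles more than this (pristine-tar stores a delta rather than recomputing the archive, and uscan's repack has its own normalisation), but the root cause the thread points at, timestamps leaking into the archive bytes, is exactly what the naive branch reproduces.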
  • From Jeremy Bícha@21:1/5 to sebastian@breakpoint.cc on Tue Mar 12 22:30:01 2024
    On Tue, Mar 12, 2024 at 4:13 PM Sebastian Andrzej Siewior <sebastian@breakpoint.cc> wrote:

    > On 2024-03-12 09:26:32 [-0400], Jeremy Bícha wrote:
    > > Could someone check this, please?
    > >
    > > Did you try running autopkgtests on this version? The autopkgtests fail for me.
    >
    > autopkgtests were the first thing that pointed me here and they passed.
    > If you say they fail for you then I may have used the wrong xz version…

    I tried running the autopkgtests locally using a version of 1.50+nmu2
    that I built using your patch and the autopkgtests failed.

    None of the 3 test cases passed for me with that version or with 1.50+nmu1.

    Thank you,
    Jeremy Bícha

  • From tony mancill@21:1/5 to All on Sun Mar 31 21:50:02 2024
    On Wed, Mar 13, 2024 at 01:50:47PM -0400, Jeremy Bícha wrote:
    > The 3 test cases pass for me now with the uploaded 1.50+nmu2. Maybe my earlier test build used the old version of xz-utils. Thank you for
    > your upload!

    Given what has unfolded over the past few days regarding xz-utils and CVE-2024-3094 [0], should we revisit the patches applied here and for
    #1063252? Are they still needed?

    I'm not making any assertions about the validity of the changes, only suggesting that we should review changes made to accommodate the
    xz-utils versions related to the CVE.

    (It is still not clear why some gbp workflows using pristine-tar started failing [1] around the same time that changes were being introduced to
    xz-utils and pristine-tar. Perhaps it is a coincidence, but it seems potentially related.)

    Thank you,
    tony

    [0] https://security-tracker.debian.org/tracker/CVE-2024-3094
    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065445
