Summary
Bookworm examples that compile native binaries via the C toolchain produce different SHA1 hashes after the gcc-12 update (12.2.0-14 → 12.2.0-14+deb12u1) that shipped in Debian bookworm 12.11 (2025-05-17).
This update fixed CVE-2023-4039, which changed -fstack-protector handling and therefore the generated binary output.
Affected languages:
- C — hello-world_1.0.0-1_amd64.deb
- Rust — hello-world-rust_1.0.0-1_amd64.deb
- Nim — hello-world-nim_1.0.0-1_amd64.deb
All three compile to native code via gcc, which is why they are affected while other languages (Go, Java, JavaScript, etc.) are not.
Noble is unaffected as its toolchain has not changed since the hashes were set.
Resolution
Hashes have been updated to match the current bookworm toolchain output. Weekly scheduled tests will detect future drift.
Root cause
The sbuild chroot is created fresh from the current bookworm repo on each CI run. When Debian pushes toolchain updates (like the gcc-12 stack protector fix), the build output changes. There is no chroot pinning in pkg-builder's test workflow, unlike eth-nodes where the chroot tarball is saved as a release asset.
See #39 for implementing chroot pinning.
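As an added illustration of the drift check the weekly tests rely on (example code, not from pkg-builder or eth-nodes), the snippet below compares built .deb artifacts against a recorded SHA1 manifest and, on mismatch, notes the gcc-12 package version that produced them, so a drift can be attributed to a Debian toolchain update rather than a packaging change. It assumes the manifest is in sha1sum format and that dpkg-query is available inside the build chroot.

```shell
#!/bin/sh
# Added example (not part of the pkg-builder repository): detect SHA1 drift of
# built artifacts and record the toolchain version that built them.

# Version of the gcc-12 package in the current environment. Assumes dpkg-query
# exists (it does inside a Debian sbuild chroot); prints "unknown" otherwise.
toolchain_version() {
    dpkg-query -W -f='${Version}' gcc-12 2>/dev/null || echo unknown
}

# check_hashes MANIFEST
# MANIFEST holds "sha1  path" lines as written by sha1sum. Returns 0 when
# every artifact matches its recorded hash, 1 otherwise, listing each drifted
# file together with the gcc-12 version so the cause can be traced.
check_hashes() {
    manifest="$1"
    drift=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        actual=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "DRIFT: $path expected $expected got $actual (gcc-12 $(toolchain_version))"
            drift=1
        fi
    done < "$manifest"
    return $drift
}
```

Run it against the manifest of expected hashes after each CI build; a non-zero exit marks drift and the printed gcc-12 version shows whether the chroot toolchain moved since the hashes were set.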