Comment 20 for bug 1642386

Yeah, valgrind is a bit noisy always because we are building the cache in memory before (1) writing it to the disk and the write includes unused regions and (2) we are hashing the entire thing before writing it, including the uninitialised bytes. So that means while we do have a few uninitialized bytes, it's actually safe.

This bug is fairly strange. Especially git vs packages. The only thing different when building via git is that hardening flags are not used. You could export those:

  DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
  export CXXFLAGS LDFLAGS CPPFLAGS

but I seriously doubt that's the problem (if git always worked instead of always failed, this might have made sense).
If I had a user account on an affected machine, where

If I had a user account on an affected machine (it needs to be reproducible by creating a fake root directory, and copying etc/apt and var/lib/apt to it, then I can use -o Dir=$PATH_TO_FAKE_ROOT instead of needing root), where I can build apt and have tools like valgrind, gdb; I could (try to) debug that myself.