[pkg-gnupg-maint] Bug#835465: [Reproducible-builds] Bug#835465: python-apt: FTBFS: AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

Julian Andres Klode jak at debian.org
Tue Aug 30 12:49:20 UTC 2016


On Tue, Aug 30, 2016 at 06:35:07AM -0400, Daniel Kahn Gillmor wrote:
> Control: affects 835465 + gnupg2
> 
> Hi python-apt folks--
> 
> On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote:
> > Source: python-apt
> > Version: 1.1.0~beta4
> > Severity: serious
> > Justification: fails to build from source
> > User: reproducible-builds at lists.alioth.debian.org
> > Usertags: ftbfs
> > X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org
> >
> > Dear Maintainer,
> >
> > python-apt fails to build from source in unstable/amd64:
> >
> >   set -e; for python in python2.7 python3.5 ; do \
> >   	$python tests/test_all.py -q || [ "linux" = "hurd" ]; \
> >   done;
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> >   Warning: apt-key output should not be parsed (stdout is not a terminal)
> 
> this warning is advice about one of the things that might be going wrong
> in some places in the test suite ;)  I see that in upstream
> 7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but i
> strongly caution against this.
> 
> >   [tests] Running on 2.7.12+ (default, Aug  4 2016, 20:04:34) [GCC 6.1.1 20160724]
> >   Using library_dir: '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   WARNING: Failed to read mirror file
> >   ======================================================================
> >   ERROR: testAddKeyFromServer (test_auth.TestAuthKeys)
> >   Install a GnuPG key from a remote server.
> >   ----------------------------------------------------------------------
> >   Traceback (most recent call last):
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 220, in testAddKeyFromServer
> >       "hkp://localhost:%d" % self.keyserver_port)
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 128, in add_key_from_keyserver
> >       _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 156, in _add_key_from_keyserver
> >       keyserver, keyid))
> >   AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'
> 
> apt/auth.py appears to want to force gnupg to store its secret key
> material in secring.gpg.  This isn't a best practice, and modern
> versions of gpg do not do so by default.  I'd recommend dropping
> tmp_secret_keyring entirely.

Hmm, there should not even be any secret key material, as apt only
deals with public keys.

> 
> furthermore, recent versions of gnupg (>= 2.1) do not fetch things from
> keyservers directly -- if you want modern gpg to talk to the network,
> you'll need to ensure that dirmngr is installed.
> 
> If you prefer to keep this test intact, you might want to build-depend
> on dirmngr.
> 
> >   ======================================================================
> >   FAIL: testAddAndExportKey (test_auth.TestAuthKeys)
> >   Add an example key.
> >   ----------------------------------------------------------------------
> >   Traceback (most recent call last):
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 157, in testAddAndExportKey
> >       WHEEZY_KEY.split("\n")[2:])
> >   AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['', 'mQINBE+a7rUBEADQiEKtLOgq...
> >   
> >   First differing element 0:
> >   'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38'
> >   ''
> >   
> >   Second list contains 1 additional elements.
> >   First extra element 81:
> >   '-----END PGP PUBLIC KEY BLOCK-----'
> >   
> >   Diff is 5698 characters long. Set self.maxDiff to None to see it.
> 
> This change is due to the fact that upstream has stopped emitting the
> Version: pseudoheader at all as of 2.1.14.  Perhaps your build-dependency on
> gnupg should be (>= 2.1.14) and you should strike the Version:
> pseudoheader in WHEEZY_KEY in tests/test_auth.py
> 
> >   ======================================================================
> >   FAIL: testAddAndListKey (test_auth.TestAuthKeys)
> >   Add an example key and test if it is correctly returned by
> >   ----------------------------------------------------------------------
> >   Traceback (most recent call last):
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 168, in testAddAndListKey
> >       "Debian Archive Automatic Signing Key (7.0/wheezy) "
> >   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
> >   
> >   ======================================================================
> >   FAIL: testAddKeyFromFile (test_auth.TestAuthKeys)
> >   Test adding a key from file.
> >   ----------------------------------------------------------------------
> >   Traceback (most recent call last):
> >     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 185, in testAddKeyFromFile
> >       "Debian Archive Automatic Signing Key (7.0/wheezy) "
> >   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
> >   
> >   ----------------------------------------------------------------------
> >   Ran 93 tests in 585.254s
> >   
> >   FAILED (failures=3, errors=1, skipped=1)
> 
> These failures appear to be due to using the old non-fixed list-mode.
> 
> modern versions of gpg have been defaulting to fixed-list-mode for quite
> some time, and anything doing routine parsing should explicitly rely on
> fixed-list-mode, and the parsing should clean up that output.
> 
> Aside from a normalization of the lines of output, in --fixed-list-mode,
> dates are returned in unix timestamps and key IDs are 64 bits long
> instead of 32.
> 
> ------
> 
> You might find the attached patch useful in addressing the above
> explanations.
> 
> I'll be releasing a new version of gnupg shortly that will explicitly
> declare that it Breaks: python-apt (<= 1.1.0~beta4).

I think that's a bit overkill. While this part of python-apt is broken
with the new gnupg, the rest works fine; and nobody uses the apt.auth
module. Not to mention that I'm deprecating it, as we deprecated the gpg
stuff in apt-key.

> 
> Ideally, the next version of python-apt can have these bugs fixed and it
> will work cleanly with the modern version of gnupg.

Sure. But we should really support both old and new gpg versions, otherwise
it gets a bit annoying.

Maybe there's also an option to display fingerprints instead of keyids
in --with-colons --list-keys?

> 
> However, if your next upload of python-apt can't be built or run against
> modern versions of GnuPG

That would be silly :)

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
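
An added illustration, not part of the original thread and not python-apt's code: a parser for `gpg --with-colons` key listings that accepts both the legacy layout and the fixed-list-mode layout discussed above, and identifies keys by the full fingerprint from the `fpr` record instead of the key ID. The sample listings, the key in them and all function names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed listings of one made-up key in the two layouts (not real key data).
FIXED = (
    "pub:-:4096:1:89ABCDEF01234567:1335484800:1587945600::-:::scSC:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1335484800::::Example Archive Key (7.0/test) <archive@example.org>:\n"
)
LEGACY = (
    "pub:-:4096:1:89ABCDEF01234567:2012-04-27:2020-04-27::-:"
    "Example Archive Key (7.0/test) <archive@example.org>::scSC:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
)

def _ts(value):
    """Normalize a date field to a Unix timestamp (int); None if empty."""
    if not value:
        return None
    if value.isdigit():                        # fixed-list-mode: epoch seconds
        return int(value)
    day = datetime.strptime(value, "%Y-%m-%d")  # legacy layout: YYYY-MM-DD
    return int(day.replace(tzinfo=timezone.utc).timestamp())

def _unescape(field):
    """Undo the \\xNN escaping used inside fields (':' is written as \\x3a)."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_colons(listing):
    """Return one dict per primary key: keyid, fingerprint, created, uids."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fingerprint": None,
                         "created": _ts(f[5]), "uids": []})
            if len(f) > 9 and f[9]:            # legacy: primary uid on pub line
                keys[-1]["uids"].append(_unescape(f[9]))
        elif not keys or len(f) < 10:
            continue                           # stray or short record
        elif f[0] == "fpr" and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]     # first fpr after pub = primary key
        elif f[0] == "uid":
            keys[-1]["uids"].append(_unescape(f[9]))
    return keys
```

The `fpr` records are present when fingerprints are requested in the listing, for example with `--with-fingerprint`; both constructed listings parse to the same dictionary, so callers do not need to know which gpg produced the output.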


