[Reproducible-builds] Bug#835465: python-apt: FTBFS: AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 30 10:35:07 UTC 2016 

Control: affects 835465 + gnupg2

Hi python-apt folks--

On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote:
> Source: python-apt
> Version: 1.1.0~beta4
> Severity: serious
> Justification: fails to build from source
> User: reproducible-builds at lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org
>
> Dear Maintainer,
>
> python-apt fails to build from source in unstable/amd64:
>
>   set -e; for python in python2.7 python3.5 ; do \
>   	$python tests/test_all.py -q || [ "linux" = "hurd" ]; \
>   done;
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)

this warning is advice about one of the things that might be going wrong
in some places in the test suite ;)  I see that in upstream
7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but i
strongly caution against this.

>   [tests] Running on 2.7.12+ (default, Aug  4 2016, 20:04:34) [GCC 6.1.1 20160724]
>   Using library_dir: '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   ======================================================================
>   ERROR: testAddKeyFromServer (test_auth.TestAuthKeys)
>   Install a GnuPG key from a remote server.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 220, in testAddKeyFromServer
>       "hkp://localhost:%d" % self.keyserver_port)
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 128, in add_key_from_keyserver
>       _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 156, in _add_key_from_keyserver
>       keyserver, keyid))
>   AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

apt/auth.py appears to want to force gnupg to store its secret key
material in secring.gpg.  This isn't a best practice, and modern
versions of gpg do not do so by default.  I'd recommend dropping
tmp_secret_keyring entirely.

furthermore, recent versions of gnupg (>= 2.1) do not fetch things from
keyservers directly -- if you want modern gpg to talk to the network,
you'll need to ensure that dirmngr is installed.

If you prefer to keep this test intact, you might want to build-depend
on dirmngr.

>   ======================================================================
>   FAIL: testAddAndExportKey (test_auth.TestAuthKeys)
>   Add an example key.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 157, in testAddAndExportKey
>       WHEEZY_KEY.split("\n")[2:])
>   AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['', 'mQINBE+a7rUBEADQiEKtLOgq...
>   
>   First differing element 0:
>   'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38'
>   ''
>   
>   Second list contains 1 additional elements.
>   First extra element 81:
>   '-----END PGP PUBLIC KEY BLOCK-----'
>   
>   Diff is 5698 characters long. Set self.maxDiff to None to see it.

This change is due to the fact that upstream has stopped emitting the
Version: pseudoheader at all as of 2.1.14.  Perhaps your build-dependency on
gnupg should be (>= 2.1.14) and you should strike the Version:
pseudoheader in WHEEZY_KEY in tests/test_auth.py

>   ======================================================================
>   FAIL: testAddAndListKey (test_auth.TestAuthKeys)
>   Add an example key and test if it is correctly returned by
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 168, in testAddAndListKey
>       "Debian Archive Automatic Signing Key (7.0/wheezy) "
>   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
>   
>   ======================================================================
>   FAIL: testAddKeyFromFile (test_auth.TestAuthKeys)
>   Test adding a key from file.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 185, in testAddKeyFromFile
>       "Debian Archive Automatic Signing Key (7.0/wheezy) "
>   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
>   
>   ----------------------------------------------------------------------
>   Ran 93 tests in 585.254s
>   
>   FAILED (failures=3, errors=1, skipped=1)

These failures appear to be due to using the old non-fixed list-mode.

modern versions of gpg have been defaulting to fixed-list-mode for quite
some time, and anything doing routine parsing should explicitly rely on
fixed-list-mode, and the parsing should clean up that output.

Aside from a normalization of the lines of output, in --fixed-list-mode,
dates are returned in unix timestamps and key IDs are 64 bits long
instead of 32.

------

You might find the attached patch useful in addressing the above
explanations.

I'll be releasing a new version of gnupg shortly that will explicitly
declare that it Breaks: python-apt (<= 1.1.0~beta4).

Ideally, the next version of python-apt can have these bugs fixed and it
will work cleanly with the modern version of gnupg.

However, if your next upload of python-apt can't be built or run against
modern versions of GnuPG, then you probably need to state this package's
dependency on gnupg as gnupg (<= 2.1).

Regards,

        --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 835465.patch
Type: text/x-diff
Size: 4747 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160830/92140335/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160830/92140335/attachment.sig>

More information about the Reproducible-builds mailing list