Bug#835465: [Reproducible-builds] Bug#835465: python-apt: FTBFS: AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'
Julian Andres Klode
jak at debian.org
Tue Aug 30 12:49:20 UTC 2016
On Tue, Aug 30, 2016 at 06:35:07AM -0400, Daniel Kahn Gillmor wrote:
> Control: affects 835465 + gnupg2
>
> Hi python-apt folks--
>
> On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote:
> > Source: python-apt
> > Version: 1.1.0~beta4
> > Severity: serious
> > Justification: fails to build from source
> > User: reproducible-builds at lists.alioth.debian.org
> > Usertags: ftbfs
> > X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org
> >
> > Dear Maintainer,
> >
> > python-apt fails to build from source in unstable/amd64:
> >
> > set -e; for python in python2.7 python3.5 ; do \
> > $python tests/test_all.py -q || [ "linux" = "hurd" ]; \
> > done;
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
> > Warning: apt-key output should not be parsed (stdout is not a terminal)
>
> this warning is advice about one of the things that might be going wrong
> in some places in the test suite ;) I see that in upstream
> 7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but i
> strongly caution against this.
>
> > [tests] Running on 2.7.12+ (default, Aug 4 2016, 20:04:34) [GCC 6.1.1 20160724]
> > Using library_dir: '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > WARNING: Failed to read mirror file
> > ======================================================================
> > ERROR: testAddKeyFromServer (test_auth.TestAuthKeys)
> > Install a GnuPG key from a remote server.
> > ----------------------------------------------------------------------
> > Traceback (most recent call last):
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 220, in testAddKeyFromServer
> > "hkp://localhost:%d" % self.keyserver_port)
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 128, in add_key_from_keyserver
> > _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 156, in _add_key_from_keyserver
> > keyserver, keyid))
> > AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'
>
> apt/auth.py appears to want to force gnupg to store its secret key
> material in secring.gpg. This isn't a best practice, and modern
> versions of gpg do not do so by default. I'd recommend dropping
> tmp_secret_keyring entirely.
Hmm, there should not even be any secret key material, as apt only
deals with public keys.
>
> furthermore, recent versions of gnupg (>= 2.1) do not fetch things from
> keyservers directly -- if you want modern gpg to talk to the network,
> you'll need to ensure that dirmngr is installed.
>
> If you prefer to keep this test intact, you might want to build-depend
> on dirmngr.
>
> > ======================================================================
> > FAIL: testAddAndExportKey (test_auth.TestAuthKeys)
> > Add an example key.
> > ----------------------------------------------------------------------
> > Traceback (most recent call last):
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 157, in testAddAndExportKey
> > WHEEZY_KEY.split("\n")[2:])
> > AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['', 'mQINBE+a7rUBEADQiEKtLOgq...
> >
> > First differing element 0:
> > 'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38'
> > ''
> >
> > Second list contains 1 additional elements.
> > First extra element 81:
> > '-----END PGP PUBLIC KEY BLOCK-----'
> >
> > Diff is 5698 characters long. Set self.maxDiff to None to see it.
>
> This change is due to the fact that upstream has stopped emitting the
> Version: pseudoheader at all as of 2.1.14. Perhaps your build-dependency on
> gnupg should be (>= 2.1.14) and you should strike the Version:
> pseudoheader in WHEEZY_KEY in tests/test_auth.py
>
> > ======================================================================
> > FAIL: testAddAndListKey (test_auth.TestAuthKeys)
> > Add an example key and test if it is correctly returned by
> > ----------------------------------------------------------------------
> > Traceback (most recent call last):
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 168, in testAddAndListKey
> > "Debian Archive Automatic Signing Key (7.0/wheezy) "
> > AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
> >
> > ======================================================================
> > FAIL: testAddKeyFromFile (test_auth.TestAuthKeys)
> > Test adding a key from file.
> > ----------------------------------------------------------------------
> > Traceback (most recent call last):
> > File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 185, in testAddKeyFromFile
> > "Debian Archive Automatic Signing Key (7.0/wheezy) "
> > AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster at debian.org>'
> >
> > ----------------------------------------------------------------------
> > Ran 93 tests in 585.254s
> >
> > FAILED (failures=3, errors=1, skipped=1)
>
> These failures appear to be due to using the old non-fixed list-mode.
>
> modern versions of gpg have been defaulting to fixed-list-mode for quite
> some time, and anything doing routine parsing should explicitly rely on
> fixed-list-mode, and the parsing should clean up that output.
>
> Aside from a normalization of the lines of output, in --fixed-list-mode,
> dates are returned in unix timestamps and key IDs are 64 bits long
> instead of 32.
>
> ------
>
> You might find the attached patch useful in addressing the above
> explanations.
>
> I'll be releasing a new version of gnupg shortly that will explicitly
> declare that it Breaks: python-apt (<= 1.1.0~beta4).
I think that's a bit overkill. While this part of python-apt is broken
with the new gnupg, the rest works fine; and nobody uses the apt.auth
module. Not to mention that I'm deprecating it, as we deprecated the gpg
stuff in apt-key.
>
> Ideally, the next version of python-apt can have these bugs fixed and it
> will work cleanly with the modern version of gnupg.
Sure. But we should really support both old and new gpg versions, otherwise
it gets a bit annoying.
Maybe there's also an option to display fingerprints instead of keyids
in --with-colons --list-keys?
>
> However, if your next upload of python-apt can't be built or run against
> modern versions of GnuPG
That would be silly :)
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
More information about the Reproducible-builds
mailing list