Bug#835465: [Reproducible-builds] Bug#835465: python-apt: FTBFS: AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 30 13:32:15 UTC 2016


On Tue 2016-08-30 08:49:20 -0400, Julian Andres Klode wrote:
>> apt/auth.py appears to want to force gnupg to store its secret key
>> material in secring.gpg.  This isn't a best practice, and modern
>> versions of gpg do not do so by default.  I'd recommend dropping
>> tmp_secret_keyring entirely.
>
> Hmm, there should not even be any secret key material, as apt only
> deals with public keys.

agreed, all the more reason to strip out those extra directives ;)

>> I'll be releasing a new version of gnupg shortly that will explicitly
>> declare that it Breaks: python-apt (<= 1.1.0~beta4).
>
> I think that's a bit overkill. While this part of python-apt is broken
> with the new gnupg, the rest works fine; and nobody uses the apt.auth
> module. Not to mention that I'm deprecating it, as we deprecated the gpg
> stuff in apt-key.

If you want me to remove the Breaks: i can do so -- my goal was to
address the concerns raised in https://bugs.debian.org/835349.

If you'd rather that i not provide a Breaks: or a Conflicts: for
python-apt, i can avoid it -- speak up though, i'm hoping to release the
next version of gnupg2 to unstable shortly :)

>> Ideally, the next version of python-apt can have these bugs fixed and it
>> will work cleanly with the modern version of gnupg.
>
> Sure. But we should really support both old and new gpg versions, otherwise
> it gets a bit annoying.
>
> Maybe there's also an option to display fingerprints instead of keyids
> in --with-colons --list-keys?

sure!

  gpg --fixed-list-mode --with-fingerprint --with-fingerprint --with-colons  --list-keys

will produce lines of the form:

 fpr:::::::::0EE5BE979282D80B9F7540F1CCD2ED94D21739E9:

The hex string shows up in $10 for "awk -F:", fields[9] in python after
fields = line.split(":").

providing --with-fingerprint twice ensures that you get fingerprints
for both primary keys and subkeys -- if that's what you want.

>> However, if your next upload of python-apt can't be built or run against
>> modern versions of GnuPG
>
> That would be silly :)

i'm glad it will be straightforward to sort it out ;)

Thanks for your work on this,

    --dkg
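
Added example, not part of the original message and not python-apt's own code: a parser for the fpr records described above, pairing each fingerprint with the pub or sub record that precedes it. The sample listing is constructed (only the primary fingerprint is the one quoted in the message); the function names and the 40-hex-digit length check are assumptions of this sketch.

```python
import re

# Assumption: v4 OpenPGP fingerprints, i.e. 40 hex digits.
FPR_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample of `gpg --with-colons --list-keys` output, not captured
# from a real keyring. The subkey fingerprint is made up.
SAMPLE = """\
pub:u:4096:1:CCD2ED94D21739E9:1168023737:::u:::scESC:
fpr:::::::::0EE5BE979282D80B9F7540F1CCD2ED94D21739E9:
uid:u::::1168023737::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>:
sub:u:4096:1:0011223344556677:1168023737::::::e:
fpr:::::::::AABBCCDDEEFF0011223344550011223344556677:
"""


def normalize_fingerprint(value):
    """Strip an optional 0x prefix and whitespace, upper-case, and validate."""
    value = "".join(value.split())
    if value[:2].lower() == "0x":
        value = value[2:]
    value = value.upper()
    if not FPR_RE.match(value):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % value)
    return value


def parse_fingerprints(colons_output):
    """Return [(record_type, fingerprint)] for every pub/sub key listed."""
    results = []
    pending = None  # most recent pub/sub record still waiting for its fpr
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            pending = fields[0]
        elif fields[0] == "fpr" and pending is not None:
            if len(fields) < 10:
                raise ValueError("truncated fpr record: %r" % line)
            # fields[9] is $10 in `awk -F:` terms.
            results.append((pending, normalize_fingerprint(fields[9])))
            pending = None
    return results


def has_key(colons_output, wanted):
    """True if the full fingerprint `wanted` is a primary key in the listing."""
    target = normalize_fingerprint(wanted)
    return any(t == "pub" and f == target
               for t, f in parse_fingerprints(colons_output))
```

Comparing on the normalized full fingerprint rather than on the key ID in field 5 of the pub record avoids treating two keys with colliding short or long IDs as the same key.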