Bug#849425: diffoscope: test_openssh_pub_key.test_diff fails on jessie after ssh-keygen output format change

Brett Smith debbug at brettcsmith.org
Tue Dec 27 01:05:26 UTC 2016


Source: diffoscope
Version: git as of 011987f
Severity: minor
Tags: upstream

On jessie, test_openssh_pub_key.test_diff fails like this:

=================================== FAILURES ===================================
__________________________________ test_diff ___________________________________

differences = [<Difference ssh-keygen -l -f {} -- ssh-keygen -l -f {} []>]

    @skip_unless_tools_exist('ssh-keygen')
    def test_diff(differences):
        expected_diff = open(data('openssh_pub_key_expected_diff')).read()
>       assert differences[0].unified_diff == expected_diff
E       assert '@@ -1 +1 @@\...2.pub (RSA)\n' == '@@ -1 +1 @@\n...Test2 (RSA)\n'
E           @@ -1 +1 @@
E         - -1024 0a:57:8d:93:be:8b:5c:47:7a:b6:5c:91:16:87:cd:1e /home/brett/repos/diffoscope/tests/data/test_openssh_pub_key1.pub (DSA)
E         - +4096 8a:a5:52:0a:3f:af:8d:2d:76:52:72:e1:a8:0a:a2:47 /home/brett/repos/diffoscope/tests/data/test_openssh_pub_key2.pub (RSA)
E         + -1024 SHA256:v/O+0ETvi2H5TGRXky1RhQ1/WFwLlPpxch5E2Mrj6FM Test1 (DSA)
E         + +4096 SHA256:9dH1CMkA6DSfPWU7vNwdPKS5/ppN4LMdvHTP60l7aSA Test2 (RSA)

tests/comparators/test_openssh_pub_key.py:47: AssertionError
====================== 1 failed, 3 passed in 0.14 seconds ======================

This happens because, since jessie, ssh-keygen has added the -E option to
specify the fingerprint hash algorithm, and defaulted it to SHA256.  Older
versions used the colon-separated format (md5?).

I was working on a patch for this, but unfortunately the right thing to do
isn't obvious.  Older versions of ssh-keygen, as in jessie, don't support
the -E option at all.  This makes it difficult to ensure diffoscope's
output is consistent regardless of the version of ssh-keygen on the
underlying host.

We could have the comparator try to specify -E md5, and then fall back to
omitting the -E option if that fails, but that seems a little regressive
since md5 is basically deprecated.

We could have the test sniff for the host's ssh-keygen version, and expect a
different diff based on when it started outputting sha256 fingerprints by
default, but that punts on the consistent output issue.

What do the maintainers think?

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
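
The two fingerprint formats in the failing diff above are both hashes of the same decoded key blob, so either can be computed without ssh-keygen. The following is an added example, not part of the original report and not diffoscope code; the function names and the constructed sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside an OpenSSH public key blob."""
    return struct.pack(">I", len(data)) + data


def mpint(value: int) -> bytes:
    """Positive integer as an SSH mpint (extra zero byte when the MSB is set)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_rsa_line(comment: str = "Test2") -> str:
    """Build a syntactically valid ssh-rsa line. Constructed sample, not a usable key."""
    modulus = (1 << 1023) | 1  # placeholder 1024-bit value
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def fingerprints(pubkey_line: str) -> dict:
    """Return both fingerprint renderings for one line of a .pub file."""
    fields = pubkey_line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob's first field repeats the key type; refuse inconsistent input.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": key_type,
        "comment": " ".join(fields[2:]),
        # Old default: MD5 of the blob as colon-separated hex pairs.
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        # New default: SHA256 of the blob, base64 without '=' padding.
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


if __name__ == "__main__":
    for name, value in fingerprints(constructed_rsa_line()).items():
        print(f"{name}: {value}")
```

The failing diff also shows the third column changing from the file path to the key comment, which a hash computation alone does not address.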


