Control: affects 835465 + gnupg2

Hi python-apt folks--

On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote:
> Source: python-apt
> Version: 1.1.0~beta4
> Severity: serious
> Justification: fails to build from source
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
>
> Dear Maintainer,
>
> python-apt fails to build from source in unstable/amd64:
>
> set -e; for python in python2.7 python3.5 ; do \
> $python tests/test_all.py -q || [ "linux" = "hurd" ]; \
> done;
> Warning: apt-key output should not be parsed (stdout is not a terminal)
> Warning: apt-key output should not be parsed (stdout is not a terminal)
> Warning: apt-key output should not be parsed (stdout is not a terminal)
> Warning: apt-key output should not be parsed (stdout is not a terminal)
> Warning: apt-key output should not be parsed (stdout is not a terminal)
> Warning: apt-key output should not be parsed (stdout is not a terminal)

this warning is advice about one of the things that might be going wrong in some places in the test suite ;) I see that in upstream 7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but i strongly caution against this.

> [tests] Running on 2.7.12+ (default, Aug 4 2016, 20:04:34) [GCC 6.1.1
> 20160724]
> Using library_dir:
> '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING:
> Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> WARNING: Failed to read mirror file
> ======================================================================
> ERROR: testAddKeyFromServer (test_auth.TestAuthKeys)
> Install a GnuPG key from a remote server.
> ----------------------------------------------------------------------
> Traceback (most recent call last):
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py",
> line 220, in testAddKeyFromServer
> "hkp://localhost:%d" % self.keyserver_port)
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py",
> line 128, in add_key_from_keyserver
> _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py",
> line 156, in _add_key_from_keyserver
> keyserver, keyid))
> AptKeyError: recv from 'hkp://localhost:19191' failed for
> '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

apt/auth.py appears to want to force gnupg to store its secret key material in secring.gpg. This isn't a best practice, and modern versions of gpg do not do so by default. I'd recommend dropping tmp_secret_keyring entirely.

furthermore, recent versions of gnupg (>= 2.1) do not fetch things from keyservers directly -- if you want modern gpg to talk to the network, you'll need to ensure that dirmngr is installed. If you prefer to keep this test intact, you might want to build-depend on dirmngr.

> ======================================================================
> FAIL: testAddAndExportKey (test_auth.TestAuthKeys)
> Add an example key.
> ----------------------------------------------------------------------
> Traceback (most recent call last):
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py",
> line 157, in testAddAndExportKey
> WHEEZY_KEY.split("\n")[2:])
> AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['',
> 'mQINBE+a7rUBEADQiEKtLOgq...
>
> First differing element 0:
> 'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38'
> ''
>
> Second list contains 1 additional elements.
> First extra element 81:
> '-----END PGP PUBLIC KEY BLOCK-----'
>
> Diff is 5698 characters long. Set self.maxDiff to None to see it.

This change is due to the fact that upstream has stopped emitting the Version: pseudoheader at all as of 2.1.14. Perhaps your build-dependency on gnupg should be (>= 2.1.14) and you should strike the Version: pseudoheader in WHEEZY_KEY in tests/test_auth.py

> ======================================================================
> FAIL: testAddAndListKey (test_auth.TestAuthKeys)
> Add an example key and test if it is correctly returned by
> ----------------------------------------------------------------------
> Traceback (most recent call last):
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py",
> line 168, in testAddAndListKey
> "Debian Archive Automatic Signing Key (7.0/wheezy) "
> AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy)
> <ftpmas...@debian.org>'
>
> ======================================================================
> FAIL: testAddKeyFromFile (test_auth.TestAuthKeys)
> Test adding a key from file.
> ----------------------------------------------------------------------
> Traceback (most recent call last):
> File
> "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py",
> line 185, in testAddKeyFromFile
> "Debian Archive Automatic Signing Key (7.0/wheezy) "
> AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy)
> <ftpmas...@debian.org>'
>
> ----------------------------------------------------------------------
> Ran 93 tests in 585.254s
>
> FAILED (failures=3, errors=1, skipped=1)

These failures appear to be due to using the old non-fixed list-mode.
modern versions of gpg have been defaulting to fixed-list-mode for quite some time, and anything doing routine parsing should explicitly rely on fixed-list-mode, and the parsing should clean up that output. Aside from a normalization of the lines of output, in --fixed-list-mode, dates are returned in unix timestamps and key IDs are 64 bits long instead of 32.

------

You might find the attached patch useful in addressing the above explanations.

I'll be releasing a new version of gnupg shortly that will explicitly declare that it Breaks: python-apt (<= 1.1.0~beta4).

Ideally, the next version of python-apt can have these bugs fixed and it will work cleanly with the modern version of gnupg.

However, if your next upload of python-apt can't be built or run against modern versions of GnuPG, then you probably need to state this package's dependency on gnupg as gnupg (<= 2.1).

Regards,

--dkg

diff --git a/apt/auth.py b/apt/auth.py index 78ee089..2a909d1 100644 --- a/apt/auth.py +++ b/apt/auth.py @@ -179,6 +179,7 @@ def _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir): "--keyring", tmp_export_keyring, "--fingerprint", "--batch", + "--fixed-list-mode", "--with-colons", ], stdout=subprocess.PIPE, @@ -257,12 +258,16 @@ def list_keys(): # The output of `apt-key list` is difficult to parse since the # --with-colons parameter isn't user output = _call_apt_key_script("adv", "--with-colons", "--batch", - "--list-keys") + "--fixed-list-mode", "--list-keys") res = [] for line in output.split("\n"): fields = line.split(":") if fields[0] == "pub": - key = TrustedKey(fields[9], fields[4][-8:], fields[5]) + keyid = fields[4] + if fields[0] == "uid": + uid = fields[9] + creation_date = fields[5] + key = TrustedKey(uid, keyid, creation_date) res.append(key) return res diff --git a/debian/control b/debian/control index 655e81c..7f121ff 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,9 @@ Build-Depends: apt (>= 1.0.9.4), apt-utils, debhelper (>= 9), dh-python, + dirmngr (>= 2.1), fakeroot, + gnupg (>= 2.1.14), libapt-pkg-dev (>= 1.1~exp9), python-all-dev (>= 2.7), python-all-dbg, @@ -46,6 +48,7 @@ Breaks: packagekit-backend-apt (<= 0.4.8-0ubuntu4), gdebi (<< 0.6.1), germinate (<< 1.21), gnome-codec-install (<< 0.4.5), + gnupg (<< 2.1), mini-dinstall (<< 0.6.28), python-cdd (<< 0.0.10), rebuildd (<< 0.3.9), diff --git a/tests/test_auth.py b/tests/test_auth.py index ac1e97c..621376d 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -28,7 +28,6 @@ import apt.auth import testcommon WHEEZY_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.12 (GNU/Linux) mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38 cA3kK1iB5XYElbZ5b/x3vWiufHK2semOpn5MG2GRJUwmKxZbt3HLZiHtAadkby2l 
@@ -153,7 +152,7 @@ class TestAuthKeys(testcommon.TestCase): # Strip the headers from the keys to avoid test errors because # the exported key used a differenct GnuPG version than the # original example key - self.assertEqual(apt.auth.export_key("46925553").split("\n")[2:], + self.assertEqual(apt.auth.export_key("8B48AD6246925553").split("\n")[2:], WHEEZY_KEY.split("\n")[2:]) def testAddAndListKey(self): @@ -167,8 +166,8 @@ class TestAuthKeys(testcommon.TestCase): self.assertEqual(key.name, "Debian Archive Automatic Signing Key (7.0/wheezy) " "<ftpmas...@debian.org>") - self.assertEqual(key.keyid, "46925553") - self.assertEqual(key.date, "2012-04-27") + self.assertEqual(key.keyid, "8B48AD6246925553") + self.assertEqual(key.date, "1335553717") def testAddKeyFromFile(self): """Test adding a key from file.""" @@ -184,14 +183,14 @@ class TestAuthKeys(testcommon.TestCase): self.assertEqual(key.name, "Debian Archive Automatic Signing Key (7.0/wheezy) " "<ftpmas...@debian.org>") - self.assertEqual(key.keyid, "46925553") - self.assertEqual(key.date, "2012-04-27") + self.assertEqual(key.keyid, "8B48AD6246925553") + self.assertEqual(key.date, "1335553717") def test_add_key_from_keyserver_too_short(self): """Ensure that short keyids are not imported""" with self.assertRaises(apt.auth.AptKeyError): apt.auth.add_key_from_keyserver( - "46925553", "hkp://localhost:19191") + "8B48AD6246925553", "hkp://localhost:19191") def test_add_key_from_server_mitm(self): """Verify that the key fingerprint is verified after download""" @@ -225,8 +224,8 @@ class TestAuthKeys(testcommon.TestCase): self.assertEqual(key.name, "Debian Archive Automatic Signing Key (7.0/wheezy) " "<ftpmas...@debian.org>") - self.assertEqual(key.keyid, "46925553") - self.assertEqual(key.date, "2012-04-27") + self.assertEqual(key.keyid, "8B48AD6246925553") + self.assertEqual(key.date, "1335553717") def _start_keyserver(self): """Start a fake keyserver on http://localhost:19191
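
Review bot: in the list_keys() hunk of apt/auth.py, creation_date is read from fields[5] of the uid record, which is the user ID's own timestamp and not necessarily the key's, and a TrustedKey appears to be appended once per uid line, so a key with several user IDs would be listed several times. keyid is also unbound if a uid line is ever seen before the first pub line. Suggest capturing both fields[4] and fields[5] in the pub branch and deciding explicitly which user ID to report, and updating the comment above the call to say that the parser now relies on --fixed-list-mode.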
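
Review bot: in debian/control, dirmngr is added to Build-Depends only, although the same patch adds Breaks: gnupg (<< 2.1) and the message above says gnupg >= 2.1 needs dirmngr for any keyserver access. add_key_from_keyserver() therefore needs it at run time as well; suggest a Depends or Recommends on dirmngr for the binary packages, or a note in the function's documentation.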
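
Review bot: in test_add_key_from_keyserver_too_short (tests/test_auth.py), replacing "46925553" with "8B48AD6246925553" changes what the test exercises. Its docstring says short key IDs must not be imported, and the 32-bit ID was the short input. Suggest keeping "46925553" here, or asserting that both the 32-bit and the 64-bit form raise AptKeyError if that is the intent.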
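
Review bot: the key.keyid and key.date assertions in testAddAndListKey, testAddKeyFromFile and testAddKeyFromServer now expect "8B48AD6246925553" and "1335553717", so the format of both TrustedKey fields changes for every caller of list_keys(), not only for the tests. Suggest documenting the new formats in the TrustedKey docstring and changelog, or converting the timestamp back to YYYY-MM-DD inside list_keys() if the old date format is meant to stay part of the API.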
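
As an added illustration (not code from python-apt or from the message above), this sketch parses `--with-colons --fixed-list-mode` output as the message describes it: 64-bit key IDs, Unix timestamps, and one entry per pub record with its user IDs attached. The sample listing is constructed; only the key ID and timestamp of its first key come from the patch, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample listing (not captured from a real keyring). The key ID
# and timestamp of the first key are the values used in the patch's tests;
# every other value is made up for the example.
SAMPLE = """\
tru::1:1472170000:0:3:1:5
pub:-:4096:1:8B48AD6246925553:1335553717:::-:::scSC:
uid:-::::1335553717::::Example Archive Key <archive@example.org>:
pub:-:2048:1:0123456789ABCDEF:1400000000:::-:::scESC:
uid:-::::1400000000::::First UID <first@example.org>:
uid:-::::1450000000::::Second\\x3a UID <second@example.org>:
sub:-:2048:1:FEDCBA9876543210:1400000000::::::e:
"""


def unescape(field):
    """Undo gpg's C-style quoting of the user ID field (':' is '\\x3a')."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_keys(colon_output):
    """Return one dict per pub record: long key ID, creation time, user IDs."""
    keys = []
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 5:
            # Key ID and creation time both come from the pub record itself.
            current = {"keyid": fields[4],
                       "created": int(fields[5]),
                       "uids": []}
            keys.append(current)
        elif fields[0] == "uid" and current is not None and len(fields) > 9:
            # A uid record belongs to the most recent pub record; its own
            # timestamp (fields[5]) is deliberately not used as the key date.
            current["uids"].append(unescape(fields[9]))
    return keys


def iso_date(timestamp):
    """Render a Unix timestamp as the YYYY-MM-DD form the old tests expected."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for key in parse_keys(SAMPLE):
        print(key["keyid"], iso_date(key["created"]), key["uids"])
```
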