
Bug#835465: [Reproducible-builds] Bug#835465: python-apt: FTBFS: AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'



Control: affects 835465 + gnupg2

Hi python-apt folks--

On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote:
> Source: python-apt
> Version: 1.1.0~beta4
> Severity: serious
> Justification: fails to build from source
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org
>
> Dear Maintainer,
>
> python-apt fails to build from source in unstable/amd64:
>
>   set -e; for python in python2.7 python3.5 ; do \
>   	$python tests/test_all.py -q || [ "linux" = "hurd" ]; \
>   done;
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)
>   Warning: apt-key output should not be parsed (stdout is not a terminal)

This warning is advice about one of the things that might be going wrong
in some places in the test suite ;)  I see that in upstream
7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but I
strongly caution against this.

>   [tests] Running on 2.7.12+ (default, Aug  4 2016, 20:04:34) [GCC 6.1.1 20160724]
>   Using library_dir: '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   WARNING: Failed to read mirror file
>   ======================================================================
>   ERROR: testAddKeyFromServer (test_auth.TestAuthKeys)
>   Install a GnuPG key from a remote server.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 220, in testAddKeyFromServer
>       "hkp://localhost:%d" % self.keyserver_port)
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 128, in add_key_from_keyserver
>       _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", line 156, in _add_key_from_keyserver
>       keyserver, keyid))
>   AptKeyError: recv from 'hkp://localhost:19191' failed for '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553'

apt/auth.py appears to want to force gnupg to store its secret key
material in secring.gpg.  This isn't a best practice, and modern
versions of gpg do not do so by default.  I'd recommend dropping
tmp_secret_keyring entirely.

Furthermore, recent versions of gnupg (>= 2.1) do not fetch things from
keyservers directly -- if you want modern gpg to talk to the network,
you'll need to ensure that dirmngr is installed.

If you prefer to keep this test intact, you might want to build-depend
on dirmngr.

>   ======================================================================
>   FAIL: testAddAndExportKey (test_auth.TestAuthKeys)
>   Add an example key.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 157, in testAddAndExportKey
>       WHEEZY_KEY.split("\n")[2:])
>   AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['', 'mQINBE+a7rUBEADQiEKtLOgq...
>   
>   First differing element 0:
>   'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38'
>   ''
>   
>   Second list contains 1 additional elements.
>   First extra element 81:
>   '-----END PGP PUBLIC KEY BLOCK-----'
>   
>   Diff is 5698 characters long. Set self.maxDiff to None to see it.

This change is due to the fact that upstream has stopped emitting the
Version: pseudoheader at all as of 2.1.14.  Perhaps your build-dependency on
gnupg should be (>= 2.1.14) and you should strike the Version:
pseudoheader in WHEEZY_KEY in tests/test_auth.py.

>   ======================================================================
>   FAIL: testAddAndListKey (test_auth.TestAuthKeys)
>   Add an example key and test if it is correctly returned by
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 168, in testAddAndListKey
>       "Debian Archive Automatic Signing Key (7.0/wheezy) "
>   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>'
>   
>   ======================================================================
>   FAIL: testAddKeyFromFile (test_auth.TestAuthKeys)
>   Test adding a key from file.
>   ----------------------------------------------------------------------
>   Traceback (most recent call last):
>     File "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", line 185, in testAddKeyFromFile
>       "Debian Archive Automatic Signing Key (7.0/wheezy) "
>   AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>'
>   
>   ----------------------------------------------------------------------
>   Ran 93 tests in 585.254s
>   
>   FAILED (failures=3, errors=1, skipped=1)

These failures appear to be due to using the old non-fixed list-mode.

Modern versions of gpg have been defaulting to fixed-list-mode for quite
some time, and anything doing routine parsing should explicitly rely on
fixed-list-mode, and the parsing should clean up that output.

Aside from a normalization of the lines of output, in --fixed-list-mode,
dates are returned in unix timestamps and key IDs are 64 bits long
instead of 32.

------

You might find the attached patch useful in addressing the above
explanations.

I'll be releasing a new version of gnupg shortly that will explicitly
declare that it Breaks: python-apt (<= 1.1.0~beta4).

Ideally, the next version of python-apt can have these bugs fixed and it
will work cleanly with the modern version of gnupg.

However, if your next upload of python-apt can't be built or run against
modern versions of GnuPG, then you probably need to state this package's
dependency on gnupg as gnupg (<= 2.1).

Regards,

        --dkg

diff --git a/apt/auth.py b/apt/auth.py
index 78ee089..2a909d1 100644
--- a/apt/auth.py
+++ b/apt/auth.py
@@ -179,6 +179,7 @@ def _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir):
             "--keyring", tmp_export_keyring,
             "--fingerprint",
             "--batch",
+            "--fixed-list-mode",
             "--with-colons",
         ],
         stdout=subprocess.PIPE,
@@ -257,12 +258,16 @@ def list_keys():
     # The output of `apt-key list` is difficult to parse since the
     # --with-colons parameter isn't user
     output = _call_apt_key_script("adv", "--with-colons", "--batch",
-                                  "--list-keys")
+                                  "--fixed-list-mode", "--list-keys")
     res = []
     for line in output.split("\n"):
         fields = line.split(":")
         if fields[0] == "pub":
-            key = TrustedKey(fields[9], fields[4][-8:], fields[5])
+            keyid = fields[4]
+        if fields[0] == "uid":
+            uid = fields[9]
+            creation_date = fields[5]
+            key = TrustedKey(uid, keyid, creation_date)
             res.append(key)
     return res
 
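
Review bot: In list_keys, the new uid branch reads creation_date from fields[5] of the uid record, which is the user ID's own date rather than the key's; the key creation time is fields[5] of the pub record and should be captured there next to keyid. The branch also appends one TrustedKey per uid line, so a key with several user IDs is listed several times, and keyid is unbound if a uid line is ever seen before a pub line. Suggest initialising keyid before the loop, using elif for the uid test, and deciding explicitly whether only the first uid of each key produces an entry.
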
diff --git a/debian/control b/debian/control
index 655e81c..7f121ff 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,9 @@ Build-Depends: apt (>= 1.0.9.4),
                apt-utils,
                debhelper (>= 9),
                dh-python,
+               dirmngr (>= 2.1),
                fakeroot,
+               gnupg (>= 2.1.14),
                libapt-pkg-dev (>= 1.1~exp9),
                python-all-dev (>= 2.7),
                python-all-dbg,
@@ -46,6 +48,7 @@ Breaks: packagekit-backend-apt (<= 0.4.8-0ubuntu4),
         gdebi (<< 0.6.1),
         germinate (<< 1.21),
         gnome-codec-install (<< 0.4.5),
+        gnupg (<< 2.1),
         mini-dinstall (<< 0.6.28),
         python-cdd (<< 0.0.10),
         rebuildd (<< 0.3.9),
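
Review bot: dirmngr is missing from the binary package's relationships: the patch adds it to Build-Depends only, and this stanza gains just gnupg (<< 2.1) in Breaks. If add_key_from_keyserver is meant to work on installed systems with gnupg >= 2.1, the binary package needs dirmngr in its Depends or Recommends too (unless it is already listed outside the visible lines), otherwise the keyserver failure from the test suite reappears at run time.
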
diff --git a/tests/test_auth.py b/tests/test_auth.py
index ac1e97c..621376d 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -28,7 +28,6 @@ import apt.auth
 import testcommon
 
 WHEEZY_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.12 (GNU/Linux)
 
 mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38
 cA3kK1iB5XYElbZ5b/x3vWiufHK2semOpn5MG2GRJUwmKxZbt3HLZiHtAadkby2l
@@ -153,7 +152,7 @@ class TestAuthKeys(testcommon.TestCase):
         # Strip the headers from the keys to avoid test errors because
         # the exported key used a differenct GnuPG version than the
         # original example key
-        self.assertEqual(apt.auth.export_key("46925553").split("\n")[2:],
+        self.assertEqual(apt.auth.export_key("8B48AD6246925553").split("\n")[2:],
                          WHEEZY_KEY.split("\n")[2:])
 
     def testAddAndListKey(self):
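
Review bot: The [2:] slice on both sides of this assertEqual is now fragile: with the Version: line gone from WHEEZY_KEY it drops the BEGIN line and the blank separator, so the two lists only line up when export_key emits no armor headers at all. Compare from the first blank line onward instead of a fixed offset, and update the comment above the assertion, which still describes stripping headers that differ between GnuPG versions.
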
@@ -167,8 +166,8 @@ class TestAuthKeys(testcommon.TestCase):
         self.assertEqual(key.name,
                          "Debian Archive Automatic Signing Key (7.0/wheezy) "
                          "<ftpmaster@debian.org>")
-        self.assertEqual(key.keyid, "46925553")
-        self.assertEqual(key.date, "2012-04-27")
+        self.assertEqual(key.keyid, "8B48AD6246925553")
+        self.assertEqual(key.date, "1335553717")
 
     def testAddKeyFromFile(self):
         """Test adding a key from file."""
@@ -184,14 +183,14 @@ class TestAuthKeys(testcommon.TestCase):
         self.assertEqual(key.name,
                          "Debian Archive Automatic Signing Key (7.0/wheezy) "
                          "<ftpmaster@debian.org>")
-        self.assertEqual(key.keyid, "46925553")
-        self.assertEqual(key.date, "2012-04-27")
+        self.assertEqual(key.keyid, "8B48AD6246925553")
+        self.assertEqual(key.date, "1335553717")
 
     def test_add_key_from_keyserver_too_short(self):
         """Ensure that short keyids are not imported"""
         with self.assertRaises(apt.auth.AptKeyError):
             apt.auth.add_key_from_keyserver(
-                "46925553", "hkp://localhost:19191")
+                "8B48AD6246925553", "hkp://localhost:19191")
 
     def test_add_key_from_server_mitm(self):
         """Verify that the key fingerprint is verified after download"""
@@ -225,8 +224,8 @@ class TestAuthKeys(testcommon.TestCase):
         self.assertEqual(key.name,
                          "Debian Archive Automatic Signing Key (7.0/wheezy) "
                          "<ftpmaster@debian.org>")
-        self.assertEqual(key.keyid, "46925553")
-        self.assertEqual(key.date, "2012-04-27")
+        self.assertEqual(key.keyid, "8B48AD6246925553")
+        self.assertEqual(key.date, "1335553717")
 
     def _start_keyserver(self):
         """Start a fake keyserver on http://localhost:19191

Attachment: signature.asc
Description: PGP signature
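
The fixed-list-mode parsing discussed in the message above, as an added example that is not part of the original message or of python-apt: it groups `pub`, `fpr` and `uid` records per primary key, keeps the key's own creation time, and undoes gpg's `\xNN` quoting of user IDs. The function names and the second sample key are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `gpg --batch --with-colons --fixed-list-mode --list-keys`
# output. The first key's ID, fingerprint, timestamp and user ID are the values
# quoted in the message above; the second key and its values are made up.
SAMPLE = """\
tru::1:1472170000:0:3:1:5
pub:-:4096:1:8B48AD6246925553:1335553717:::-:::scSC:
fpr:::::::::A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553:
uid:-::::1335553717::::Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>:
pub:-:2048:1:0123456789ABCDEF:1400000000:::-:::scSC:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1400000000::::Example\\x3a Primary <a@example.org>:
uid:-::::1450000000::::Example Secondary <b@example.org>:
sub:-:2048:1:FEDCBA9876543210:1400000000::::::e:
fpr:::::::::111111111111111111111111FEDCBA9876543210:
"""

_ESC = re.compile(rb"\\x([0-9A-Fa-f]{2})")

def unescape(field):
    """Undo gpg's \\xNN quoting of field 10 (a literal ':' arrives as \\x3a)."""
    raw = _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode("utf-8"))
    return raw.decode("utf-8", "replace")

def parse_colon_listing(text):
    """Return one dict per primary key; uid/fpr records attach to the last pub."""
    keys, current, on_primary = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 5:
            current = {"keyid": f[4], "fingerprint": None, "uids": [],
                       "created": int(f[5]) if f[5].isdigit() else None}
            keys.append(current)
            on_primary = True
        elif f[0] == "sub":
            on_primary = False          # a following fpr belongs to the subkey
        elif current is None or len(f) < 10:
            continue                    # tru: lines, blanks, truncated records
        elif f[0] == "fpr" and on_primary:
            current["fingerprint"] = f[9]
        elif f[0] == "uid":
            current["uids"].append(unescape(f[9]))
    return keys

def iso_date(epoch):
    """Render a fixed-list-mode timestamp as a UTC calendar date."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date().isoformat()
```

Identifying keys by the full `fpr` value rather than the 64-bit `keyid` avoids relying on a truncated identifier.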

