On Tue, Aug 30, 2016 at 06:35:07AM -0400, Daniel Kahn Gillmor wrote: > Control: affects 835465 + gnupg2 > > Hi python-apt folks-- > > On Thu 2016-08-25 20:55:27 -0400, Chris Lamb wrote: > > Source: python-apt > > Version: 1.1.0~beta4 > > Severity: serious > > Justification: fails to build from source > > User: reproducible-builds@lists.alioth.debian.org > > Usertags: ftbfs > > X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org > > > > Dear Maintainer, > > > > python-apt fails to build from source in unstable/amd64: > > > > set -e; for python in python2.7 python3.5 ; do \ > > $python tests/test_all.py -q || [ "linux" = "hurd" ]; \ > > done; > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > Warning: apt-key output should not be parsed (stdout is not a terminal) > > this warning is advice about one of the things that might be going wrong > in some places in the test suite ;) I see that in upstream > 7a9a292fd604bc164eed3d3fee1dc9167141d88c you're deprecating this, but i > strongly caution against this. > > > [tests] Running on 2.7.12+ (default, Aug 4 2016, 20:04:34) [GCC 6.1.1 > > 20160724] > > Using library_dir: > > '/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7'WARNING: > > Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > WARNING: Failed to read mirror file > > ====================================================================== > > ERROR: testAddKeyFromServer (test_auth.TestAuthKeys) > > Install a GnuPG key from a remote server. > > ---------------------------------------------------------------------- > > Traceback (most recent call last): > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", > > line 220, in testAddKeyFromServer > > "hkp://localhost:%d" % self.keyserver_port) > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", > > line 128, in add_key_from_keyserver > > _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir) > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/build/lib.linux-x86_64-2.7/apt/auth.py", > > line 156, in _add_key_from_keyserver > > keyserver, keyid)) > > AptKeyError: recv from 'hkp://localhost:19191' failed for > > '0xa1bD8E9D78F7FE5C3E65D8AF8B48AD6246925553' > > apt/auth.py appears to want to force gnupg to store its secret key > material in secring.gpg. This isn't a best practice, and modern > versions of gpg do not do so by default. I'd recommend dropping > tmp_secret_keyring entirely.
Hmm, there should not even be any secret key material, as apt only deals with public keys. > > furthermore, recent versions of gnupg (>= 2.1) do not fetch things from > keyservers directly -- if you want modern gpg to talk to the network, > you'll need to ensure that dirmngr is installed. > > If you prefer to keep this test intact, you might want to build-depend > on dirmngr. > > > ====================================================================== > > FAIL: testAddAndExportKey (test_auth.TestAuthKeys) > > Add an example key. > > ---------------------------------------------------------------------- > > Traceback (most recent call last): > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", > > line 157, in testAddAndExportKey > > WHEEZY_KEY.split("\n")[2:]) > > AssertionError: Lists differ: ['mQINBE+a7rUBEADQiEKtLOgqiq8Y... != ['', > > 'mQINBE+a7rUBEADQiEKtLOgq... > > > > First differing element 0: > > 'mQINBE+a7rUBEADQiEKtLOgqiq8YY/p7IFODMqGPR+o1vtXaksie8iTOh3Vxab38' > > '' > > > > Second list contains 1 additional elements. > > First extra element 81: > > '-----END PGP PUBLIC KEY BLOCK-----' > > > > Diff is 5698 characters long. Set self.maxDiff to None to see it. > > This change is due to the fact that upstream has stopped emitting the > Version: pseudoheader at all as of 2.1.14. Perhaps your build-dependency on > gnupg should be (>= 2.1.14) and you should strike the Version: > pseudoheader in WHEEZY_KEY in tests/test_auth.py > > > ====================================================================== > > FAIL: testAddAndListKey (test_auth.TestAuthKeys) > > Add an example key and test if it is correctly returned by > > ---------------------------------------------------------------------- > > Traceback (most recent call last): > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", > > line 168, in testAddAndListKey > > "Debian Archive Automatic Signing Key (7.0/wheezy) " > > AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) > > <ftpmas...@debian.org>' > > > > ====================================================================== > > FAIL: testAddKeyFromFile (test_auth.TestAuthKeys) > > Test adding a key from file. > > ---------------------------------------------------------------------- > > Traceback (most recent call last): > > File > > "/home/lamby/temp/cdt.20160826014142.YuAeJNcC8b.db.python-apt/python-apt-1.1.0~beta4/tests/test_auth.py", > > line 185, in testAddKeyFromFile > > "Debian Archive Automatic Signing Key (7.0/wheezy) " > > AssertionError: '' != 'Debian Archive Automatic Signing Key (7.0/wheezy) > > <ftpmas...@debian.org>' > > > > ---------------------------------------------------------------------- > > Ran 93 tests in 585.254s > > > > FAILED (failures=3, errors=1, skipped=1) > > These failures appear to be due to using the old non-fixed list-mode. > > modern versions of gpg have been defaulting to fixed-list-mode for quite > some time, and anything doing routine parsing should explicitly rely on > fixed-list-mode, and the parsing should clean up that output. > > Aside from a normalization of the lines of output, in --fixed-list-mode, > dates are returned in unix timestamps and key IDs are 64 bits long > instead of 32. > > ------ > > You might find the attached patch useful in addressing the above > explanations. > > I'll be releasing a new version of gnupg shortly that will explicitly > declare that it Breaks: python-apt (<= 1.1.0~beta4). I think that's a bit overkill. While this part of python-apt is broken with the new gnupg, the rest works fine; and nobody uses the apt.auth module. Not to mention that I'm deprecating it, as we deprecated the gpg stuff in apt-key. > > Ideally, the next version of python-apt can have these bugs fixed and it > will work cleanly with the modern version of gnupg. Sure. But we should really support both old and new gpg versions, otherwise it gets a bit annoying. Maybe there's also an option to display fingerprints instead of keyids in --with-colons --list-keys? > > However, if your next upload of python-apt can't be built or run against > modern versions of GnuPG That would be silly :) -- Debian Developer - deb.li/jak | jak-linux.org - free software dev When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to (`inline'). Thank you. _______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds