Hello, Please note that this comment was generated automatically by https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py If you feel that this output has mistakes, please open an issue at https://pagure.io/releng/ Your package (fedmsg) Fails To Install in Fedora 41: can't install python3-fedmsg: - nothing provides python3.12dist(requests) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python3.12dist(setuptools) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python3.12dist(six) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python3.12dist(pyzmq) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python3.12dist(arrow) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python3.12dist(kitchen) needed by python3-fedmsg-1.1.7-6.fc40.noarch - nothing provides python(abi) = 3.12 needed by python3-fedmsg-1.1.7-6.fc40.noarch If you know about this problem and are planning on fixing it, please acknowledge so by setting the bug status to ASSIGNED. If you don't have time to maintain this package, consider orphaning it, so maintainers of dependent packages realize the problem. If you don't react accordingly to the policy for FTBFS/FTI bugs (https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/), your package may be orphaned in 8+ weeks. P.S. The data was generated solely from koji buildroot, so it might be newer than the latest compose or the content on mirrors. To reproduce, use the koji/local repo only, e.g. in mock: $ mock -r fedora-41-x86_64 --config-opts mirrored=False install python3-fedmsg P.P.S. If this bug has been reported in the middle of upgrading multiple dependent packages, please consider using side tags: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-dependent-packages Thanks!
Hello, Please note that this comment was generated automatically by https://pagure.io/releng/blob/main/f/scripts/ftbfs-fti/follow-policy.py If you feel that this output has mistakes, please open an issue at https://pagure.io/releng/ This package fails to install and maintainers are advised to take one of the following actions: - Fix this bug and close this bugzilla once the update makes it to the repository. (The same script that posted this comment will eventually close this bugzilla when the fixed package reaches the repository, so you don't have to worry about it.) or - Move this bug to ASSIGNED if you plan on fixing this, but simply haven't done so yet. or - Orphan the package if you no longer plan to maintain it. If you do not take one of these actions, the process at https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/#_package_removal_for_long_standing_ftbfs_and_fti_bugs will continue. This package may be orphaned in 7+ weeks. This is the first reminder (step 3) from the policy. Don't hesitate to ask for help on https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/ if you are unsure how to fix this bug.
fedmsg fails to build with Python 3.13.0b2 7 tests fail in total. 6 tests fail, because Logger has no attribute 'warn'. The alias has been removed and it has to be replaced with 'warning' instead. This leaves 1 with the traceback below: =================================== FAILURES =================================== __________ FedmsgConsumerReplayTests.test_backlog_message_validation ___________ self = <fedmsg.tests.consumers.test_consumers.FedmsgConsumerReplayTests testMethod=test_backlog_message_validation> def test_backlog_message_validation(self): """Assert messages fetched from datanommer pass signature validation.""" with open(os.path.join(FIXTURES_DIR, 'sample_datanommer_response.json')) as fd: replay_messages = json.load(fd) self.consumer.get_datagrepper_results = mock.Mock( return_value=replay_messages['raw_messages']) last_message = json.dumps({'message': {'body': {'msg_id': 'myid', 'timestamp': 0}}}) # This places all the messages from a call to "get_datagrepper_results" in the # "incoming" queue.Queue self.consumer._backlog(last_message) while not self.consumer.incoming.empty(): > self.consumer.validate(self.consumer.incoming.get()) fedmsg/tests/consumers/test_consumers.py:72: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <fedmsg.tests.consumers.test_consumers.DummyConsumer object at 0x7fc9bc7a01a0> message = {'body': {'certificate': 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVUakNDQTdlZ0F3SUJBZ0lDQVBZd0RRWUpL\nb1pJaHZjTkFRRU...ora-25-x86_64', 'copr': 'minsh', 'ip': '172.25.94.204', ...}, ...}, 'topic': 'org.fedoraproject.prod.copr.build.start'} def validate(self, message): """ Validate the message before the consumer processes it. This needs to raise an exception, caught by moksha. Args: message (dict): The message as a dictionary. This must, at a minimum, contain the 'topic' key with a unicode string value and 'body' key with a dictionary value. However, the message might also be an object with a ``__json__`` method that returns a dict with a 'body' key that can be a unicode string that is JSON-encoded. Raises: RuntimeWarning: If the message is not valid. UnicodeDecodeError: If the message body is not unicode or UTF-8 and also happens to contain invalid UTF-8 binary. """ if hasattr(message, '__json__'): message = message.__json__() if isinstance(message['body'], six.text_type): message['body'] = json.loads(message['body']) elif isinstance(message['body'], six.binary_type): # Try to decode the message body as UTF-8 since it's very likely # that that was the encoding used. This API should eventually only # accept unicode strings inside messages. If a UnicodeDecodeError # happens, let that bubble up. warnings.warn('Message body is not unicode', DeprecationWarning) message['body'] = json.loads(message['body'].decode('utf-8')) # Massage STOMP messages into a more compatible format. if not isinstance(message['body'], dict) or 'topic' not in message['body']: message['body'] = { 'topic': message.get('topic'), 'msg': message['body'], } # If we're not validating, then everything is valid. # If this is turned on globally, our child class can override it. if not self.validate_signatures: return # We assume these match inside fedmsg.crypto, so we should enforce it. if not message['topic'] == message['body']['topic']: raise RuntimeWarning("Topic envelope mismatch.") if not fedmsg.crypto.validate(message['body'], **self.hub.config): > raise RuntimeWarning("Failed to authn message.") E RuntimeWarning: Failed to authn message.
So, fixing the warn vs warning gets further, but there's then a failing test on verify... https://kojipkgs.fedoraproject.org/work/tasks/4043/119474043/build.log Not sure why that is happening...will try and investigate more.
The code is raising an error right after calling `fedmsg.crypto.validate(message['body'], **self.hub.config):` I wonder if this could be related to m2crypto? Has the fixed build of that landed yet? https://bugzilla.redhat.com/show_bug.cgi?id=2291556
Yeah, I tried just now again since thats landed and it still fails in the same way it seems. ;(
The mass rebuild attempt failed with: ========== 55 failed, 170 passed, 101 skipped, 109 warnings in 16.32s ========== 49 tests failed with E cryptography.exceptions.UnsupportedAlgorithm: sha1 is not supported by this backend for RSA signing. This is likely https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer 5 test fails with E AttributeError: 'Logger' object has no attribute 'warn' This is a Python 3.13 change. Use warning instead, as told in comment #2. ------- That leaves the test_backlog_message_validation failure, as reported in comment #2.
This probably means fedmsg.crypto.validate(...) returned False-like value: if not fedmsg.crypto.validate(message['body'], **self.hub.config): > raise RuntimeWarning("Failed to authn message.") E RuntimeWarning: Failed to authn message. Looking at the function: ======================================================================== def validate(message, **config): """ Return true or false if the message is signed appropriately. """ if not _validate_implementations: init(**config) cfg = copy.deepcopy(config) if 'gpg_home' not in cfg: cfg['gpg_home'] = os.path.expanduser('~/.gnupg/') if 'ssldir' not in cfg: cfg['ssldir'] = '/etc/pki/fedmsg' if 'crypto' in message: if not message['crypto'] in _possible_backends: log.warn("Message specified an impossible crypto backend") return False try: backend = _possible_backends[message['crypto']] except Exception as e: log.warn("Failed to load %r %r" % (message['crypto'], e)) return False # fedmsg 0.7.2 and earlier did not specify which crypto backend a message # was signed with. As long as we care about interoperability with those # versions, attempt to guess the backend to use elif 'certificate' in message: backend = x509 elif 'signature' in message: backend = gpg else: log.warn('Could not determine crypto backend. Message unsigned?') return False if backend in _validate_implementations: return backend.validate(message, **cfg) else: log.warn("Crypto backend %r is disallowed" % backend) return False ======================================================================== All `return False` call log.warn() which is not possible in Python 3.13 -> I belive this falls into `return backend.validate(message, **cfg)` backend could be anything, depending on the message. But message is obfuscated in the logs... Running pytest with -vvv -k test_backlog_message_validation I see: ERROR fedmsg.crypto.x509_ng:x509_ng.py:182 certificate signature failure That thing calls OpenSSL.crypto from pyOpenSSL, not m2crypto.
Adding a raise: fedmsg/consumers/__init__.py:276: in validate if not fedmsg.crypto.validate(message['body'], **self.hub.config): fedmsg/crypto/__init__.py:244: in validate return backend.validate(message, **cfg) fedmsg/crypto/x509_ng.py:180: in validate _validate_signing_cert(ca_certificate, certificate, crl) fedmsg/crypto/x509_ng.py:242: in _validate_signing_cert cert_store_context.verify_certificate() /usr/lib/python3.13/site-packages/OpenSSL/crypto.py:2000: in verify_certificate self._verify_certificate() _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <OpenSSL.crypto.X509StoreContext object at 0x7f03d9c0ed50> def _verify_certificate(self) -> Any: """ Verifies the certificate and runs an X509_STORE_CTX containing the results. :raises X509StoreContextError: If an error occurred when validating a certificate in the context. Sets ``certificate`` attribute to indicate which certificate caused the error. """ store_ctx = _lib.X509_STORE_CTX_new() _openssl_assert(store_ctx != _ffi.NULL) store_ctx = _ffi.gc(store_ctx, _lib.X509_STORE_CTX_free) ret = _lib.X509_STORE_CTX_init( store_ctx, self._store._store, self._cert._x509, self._chain ) _openssl_assert(ret == 1) ret = _lib.X509_verify_cert(store_ctx) if ret <= 0: > raise self._exception_from_context(store_ctx) E OpenSSL.crypto.X509StoreContextError: certificate signature failure /usr/lib/python3.13/site-packages/OpenSSL/crypto.py:1975: X509StoreContextError
Looking at https://koschei.fedoraproject.org/package/fedmsg?collection=f40 and https://koschei.fedoraproject.org/package/fedmsg?collection=f39 this is not Python 3.13 related. That test has been failing everywhere since April/May.
Downgrading all listed packages from https://koschei.fedoraproject.org/build/17789231 in a f40 mock does not fix this. Could the failure be related to kernel etc.?
Gentle ping.
Fedora Infrastructure (except for one last app which is being moved) no longer uses fedmsg, and we plan on taking down the fedmsg bus as soon as that last app is moved to fedora-messaging. I am not sure if there's anyone out there that is using fedmsg to run their own bus, so I just orphaned these packages.
This package has been orphaned. You can pick it up at https://src.fedoraproject.org/rpms/fedmsg by clicking button "Take". If nobody picks it up, it will be retired and removed from a distribution.
Automation has figured out the package is retired in rawhide. If you like it to be unretired, please open a ticket at https://pagure.io/releng/new_issue?template=package_unretirement