Bug#910634: spice: FTBFS on all architectures (Bug #910634)
Control: found -1 0.14.0-1
Control: tags -1 + confirmed
Control: retitle -1 spice: FTBFS if openssl/1.1.1-1 is installed (with new defaults via /etc/ssl/openssl.cnf)

Hi Bernhard,

On Tue, Oct 09, 2018 at 02:36:55PM +0200, Bernhard Übelacker wrote:
> Hello Salvatore Bonaccorso,
> just tried to find some information without deeper knowledge
> of spice or openssl.
>
> In the end I think the update of openssl from 1.1.0h-4 to
> 1.1.1-4 makes the difference.
>
> Since some 1.1.1 version /etc/ssl/openssl.cnf seems to contain:
>     CipherString = DEFAULT@SECLEVEL=2
>
> This level is responsible to not accept the 80 bits used in
> the certificate in this test, while we need at least 112 bits.

Thanks for tracking this down, with a detailed analysis, this indeed seems to be the problem. Previous installations of the chroots did not contain the openssl package, and correlating then with the openssl update as well 0.14.0-1 would fail. ca-certificates is not part of the needed Build-Depends, but recently buildd chroots started to include apt-transport-https, including openssl as dependency and now uncovering this issue.

> Therefore I assume upstream should replace this certificate.

Ack, this seems right.

Salvatore
Bug#910634: spice: FTBFS on all architectures (Bug #910634)
Hello Salvatore Bonaccorso,
just tried to find some information without deeper knowledge of spice or openssl.

In the end I think the update of openssl from 1.1.0h-4 to 1.1.1-4 makes the difference.

Since some 1.1.1 version /etc/ssl/openssl.cnf seems to contain:
    CipherString = DEFAULT@SECLEVEL=2

This level is responsible to not accept the 80 bits used in the certificate in this test, while we need at least 112 bits.

Therefore I assume upstream should replace this certificate.

"Generating self-signed certificates" ([1],[2]) may give some pointers how these files were generated.

[1] https://www.spice-space.org/spice-user-manual.html
[2] https://cgit.freedesktop.org/spice/spice/commit/server/tests/pki?id=7b5e294a363e1500ab1a5b143da1602c9fed0547

More information in following links:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907518
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1

Kind regards,
Bernhard

apt update
apt dist-upgrade
apt build-dep spice
apt install devscripts gdb

mkdir spice/orig -p
cd spice/orig
apt source spice
cd ../..

mkdir libssl1.1/orig -p
cd libssl1.1/orig
apt source libssl1.1
cd ../..

mkdir libssl1.1-buster/orig -p
cd libssl1.1-buster/orig
dget http://http.debian.net/debian/pool/main/o/openssl/openssl_1.1.0h-4.dsc
cd ../..

cd spice
cp -a orig try1
cd try1/spice-0.14.0/
dpkg-buildpackage
-> Builds in buster

-> Switch to unstable
apt update
apt dist-upgrade
Die folgenden Pakete werden aktualisiert (Upgrade):
  autopoint ca-certificates console-setup console-setup-linux cpp debhelper dirmngr dmidecode dpkg dpkg-dev g++ gcc
  gettext gettext-base gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv
  gzip ifupdown keyboard-configuration libdpkg-perl libegl-mesa0 libegl1-mesa-dev libgbm1 libgl1-mesa-dev
  libgl1-mesa-dri libglapi-mesa libgles2-mesa-dev libglx-mesa0 libgnutls-dane0 libgnutls30 libgpgme11
  libio-socket-ssl-perl libltdl7 libnet-dns-sec-perl libnet-ssleay-perl libnghttp2-14 libpython3.6-minimal
  libpython3.6-stdlib libsoup2.4-1 libssl-dev libssl1.1 libtool linux-image-4.18.0-1-amd64 linux-image-amd64
  linux-libc-dev mesa-common-dev openssl publicsuffix python3-gpg python3.6 python3.6-minimal wget
apt autoremove
reboot

apt install libglib2.0-0-dbgsym

cd spice
cp -a orig try2
cd try2/spice-0.14.0/
dpkg-buildpackage

PASS: test-stat-file
../../test-driver: Zeile 107: 14389 Trace/Breakpoint ausgelöst "$@" > $log_file 2>&1
FAIL: test-leaks
PASS: test-vdagent
PASS: test-fail-on-null-core-interface
PASS: test-empty-success
PASS: test-channel

=== spice 0.14.0: server/tests/test-suite.log ===

# TOTAL: 13
# PASS: 12
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test-leaks

/server/server leaks:
(./test-leaks:14389): Spice-WARNING **: 10:38:37.328: reds.c:2860:reds_init_ssl: Could not load certificates from /home/benutzer/spice/try2/spice-0.14.0/server/tests/pki/server-cert.pem
FAIL test-leaks (exit status: 133)

Testsuite summary for spice 0.14.0
# TOTAL: 13
# PASS: 12
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
See server/tests/test-suite.log
Please report to spice-de...@lists.freedesktop.org
make[8]: *** [Makefile:1301: test-suite.log] Fehler 1

cd server/tests
gdb -q --args ./test-leaks
set height 0
set width 0
set pagination off
directory /home/benutzer/spice/try2/spice-0.14.0/server
directory /home/benutzer/libssl1.1/orig/openssl-1.1.1/ssl
run

benutzer@debian:~/spice/try2/spice-0.14.0/server/tests$ gdb -q --args ./test-leaks
Reading symbols from ./test-leaks...done.
(gdb) set height 0
(gdb) set width 0
(gdb) set pagination off
(gdb) run
Starting program: /home/benutzer/spice/try2/spice-0.14.0/server/tests/test-leaks
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/server/server leaks:
(/home/benutzer/spice/try2/spice-0.14.0/server/tests/test-leaks:14700): Spice-WARNING **: 10:45:48.291: reds.c:2860:reds_init_ssl: Could not load certificates from /home/benutzer/spice/try2/spice-0.14.0/server/tests/pki/server-cert.pem

Program received signal SIGTRAP, Trace/breakpoint trap.
0x76add9f5 in _g_log_abort () at ../../../../glib/gmessages.c:554
554 ../../../../glib/gmessages.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 0x76add9f5 in _g_log_abort (breakpoint=1) at ../../../../glib/gmessages.c:554
#1 0x76aded0d in g_logv
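
Added example, not part of the original thread and not spice or OpenSSL code: the check described in the message above, written in Python. It follows the openssl_conf -> ssl_conf -> system_default chain of an openssl.cnf to the CipherString security level and compares that level with the strength OpenSSL 1.1.x assigns to an RSA key size. The sample config is constructed, the function names are hypothetical, and 1024 bits is assumed as the size of an RSA key rated at 80 bits.

```python
import configparser
import re

# Minimum security bits OpenSSL requires at each security level (0-5).
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# Constructed sample: the ssl_conf chain that carries the CipherString setting.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2
"""

def rsa_security_bits(modulus_bits):
    """Strength estimate OpenSSL 1.1.x assigns to an RSA modulus size."""
    for size, bits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= size:
            return bits
    return 0

def configured_seclevel(cnf_text, builtin_default=1):
    """Follow openssl_conf -> ssl_conf -> system_default and read @SECLEVEL=N.

    builtin_default is the level assumed when no config sets one
    (1 is the upstream OpenSSL 1.1.x compile-time default).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, default_section="__none__")
    # openssl.cnf starts with keys outside any section; give them a section name.
    cp.read_string("[__global__]\n" + cnf_text)
    section = "__global__"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        section = cp.get(section, key, fallback=None)
        if section is None or not cp.has_section(section):
            return builtin_default  # chain absent: library default applies
    match = re.search(r"@SECLEVEL=(\d)", cp.get(section, "cipherstring", fallback="") or "")
    return min(int(match.group(1)), 5) if match else builtin_default

def key_accepted(modulus_bits, cnf_text):
    """True if an RSA key of this size meets the configured security level."""
    return rsa_security_bits(modulus_bits) >= LEVEL_MIN_BITS[configured_seclevel(cnf_text)]
```

With an empty config, as in a chroot without the openssl package, the 1024-bit key passes at level 1; with the sample config it is rejected and a 2048-bit key is needed.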
Bug#910634: spice: FTBFS on all architectures
Source: spice
Version: 0.14.0-1.1
Severity: serious
Justification: FTBFS everywhere

Hi

The NMU I uploaded as 0.14.0-1.1 FTBFS on *all* architectures.

https://buildd.debian.org/status/package.php?p=spice

This was almost surely not the case when I prepared the NMU, at least when building in my usual pbuilder environment.

Which possible change or difference causes this?

Regards,
Salvatore