Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1000182: python-jira: network access during the build
61 views
Skip to first unread message
Mattia Rizzolo
Nov 19, 2021, 4:10:03 AM11/19/21
to
Source: python-jira
Version: 3.0-1
Severity: serious
Dear maintainer,
It has been brought to our attention[1] that python-jira is doing
network access during its build.
On a build with network enabled:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|intersphinx inventory has moved: https://pip.readthedocs.io/en/stable/objects.inv -> https://pip.pypa.io/en/stable/objects.inv
On a build with a skewed clock:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests.kennethreitz.org/en/master/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='requests.kennethreitz.org', port=443): Max retries exceeded with url: /en/master/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://ipython.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='ipython.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests-oauthlib.readthedocs.io/en/latest/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='requests-oauthlib.readthedocs.io', port=443): Max retries exceeded with url: /en/latest/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://pip.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='pip.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://docs.python.org/3.7/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='docs.python.org', port=443): Max retries exceeded with url: /3.7/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
On a build with network blocked:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests-oauthlib.readthedocs.io/en/latest/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='requests-oauthlib.readthedocs.io', port=443): Max retries exceeded with url: /en/latest/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681cd0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://ipython.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='ipython.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681b20>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://docs.python.org/3.7/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='docs.python.org', port=443): Max retries exceeded with url: /3.7/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681700>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://pip.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='pip.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f70416a1580>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests.kennethreitz.org/en/master/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='requests.kennethreitz.org', port=443): Max retries exceeded with url: /en/master/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f70426c1fa0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Even *attempting* network access is forbidden for Debian main packages,
see Policy §4.9 "Main building script: debian/rules":
For packages in the main archive, required targets must not attempt
network access, except, via the loopback interface, to services on
the build host that have been started by the build.
[1] https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20211115/013319.html
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
Version: 3.0-1
Severity: serious
Dear maintainer,
It has been brought to our attention[1] that python-jira is doing
network access during its build.
On a build with network enabled:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|intersphinx inventory has moved: https://pip.readthedocs.io/en/stable/objects.inv -> https://pip.pypa.io/en/stable/objects.inv
On a build with a skewed clock:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests.kennethreitz.org/en/master/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='requests.kennethreitz.org', port=443): Max retries exceeded with url: /en/master/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://ipython.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='ipython.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests-oauthlib.readthedocs.io/en/latest/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='requests-oauthlib.readthedocs.io', port=443): Max retries exceeded with url: /en/latest/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://pip.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='pip.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://docs.python.org/3.7/objects.inv' not fetchable due to <class 'requests.exceptions.SSLError'>: HTTPSConnectionPool(host='docs.python.org', port=443): Max retries exceeded with url: /3.7/objects.inv (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
On a build with network blocked:
|PYTHONPATH=. http_proxy='127.0.0.1:9' python3 -m sphinx -N -bhtml docs/ build/html # HTML generator
|Running Sphinx v4.2.0
|making output directory... done
|loading intersphinx inventory from https://docs.python.org/3.7/objects.inv...
|loading intersphinx inventory from https://requests.kennethreitz.org/en/master/objects.inv...
|loading intersphinx inventory from https://requests-oauthlib.readthedocs.io/en/latest/objects.inv...
|loading intersphinx inventory from https://ipython.readthedocs.io/en/stable/objects.inv...
|loading intersphinx inventory from https://pip.readthedocs.io/en/stable/objects.inv...
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests-oauthlib.readthedocs.io/en/latest/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='requests-oauthlib.readthedocs.io', port=443): Max retries exceeded with url: /en/latest/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681cd0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://ipython.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='ipython.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681b20>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://docs.python.org/3.7/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='docs.python.org', port=443): Max retries exceeded with url: /3.7/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7041681700>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://pip.readthedocs.io/en/stable/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='pip.readthedocs.io', port=443): Max retries exceeded with url: /en/stable/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f70416a1580>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
|WARNING: failed to reach any of the inventories with the following issues:
|intersphinx inventory 'https://requests.kennethreitz.org/en/master/objects.inv' not fetchable due to <class 'requests.exceptions.ConnectionError'>: HTTPSConnectionPool(host='requests.kennethreitz.org', port=443): Max retries exceeded with url: /en/master/objects.inv (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f70426c1fa0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Even *attempting* network access is forbidden for Debian main packages,
see Policy §4.9 "Main building script: debian/rules":
For packages in the main archive, required targets must not attempt
network access, except, via the loopback interface, to services on
the build host that have been started by the build.
[1] https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20211115/013319.html
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
Neil Williams
Nov 19, 2021, 4:30:03 AM11/19/21
to
clone 1000182 sphinx-common
retitle -1 python3-sphinx: intersphinx_mapping causes network access despite proxy setting
thanks
Does dh_sphinxdoc need to also disable https: or does
intersphinx_mapping have to be patched out of every package using Sphinx?
This will inevitably cause another difference between the upstream
documentation and the packaged documentation, unless some sort of cache
can be created. The way that upstream builds are proceeding, it may
soon be pointless building Python documentation on Debian buildds.
For python-jira and a number of other Python packages, the only
solution for now is to patch out intersphinx support entirely.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
retitle -1 python3-sphinx: intersphinx_mapping causes network access despite proxy setting
thanks
Does dh_sphinxdoc need to also disable https: or does
intersphinx_mapping have to be patched out of every package using Sphinx?
This will inevitably cause another difference between the upstream
documentation and the packaged documentation, unless some sort of cache
can be created. The way that upstream builds are proceeding, it may
soon be pointless building Python documentation on Debian buildds.
For python-jira and a number of other Python packages, the only
solution for now is to patch out intersphinx support entirely.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
Neil Williams
Nov 19, 2021, 5:00:04 AM11/19/21
to
tag 1000184 - pending
thanks
Does dh_sphinxdoc need to also disable https: or does
intersphinx_mapping have to be patched out of every package using Sphinx?
This will inevitably cause another difference between the upstream
documentation and the packaged documentation, unless some sort of cache
can be created.
Does dh_sphinxdoc need to also disable https: or does
intersphinx_mapping have to be patched out of every package using Sphinx?
This will inevitably cause another difference between the upstream
documentation and the packaged documentation, unless some sort of cache
can be created.
For python-jira and a number of other Python packages, the only
solution for now is to patch out intersphinx support entirely.
(Spotted via a reproducibility failure).
solution for now is to patch out intersphinx support entirely.
Dmitry Shachnev
Nov 21, 2021, 11:30:04 AM11/21/21
to
Hi Neil!
On Fri, Nov 19, 2021 at 09:48:56AM +0000, Neil Williams wrote:
> tag 1000184 - pending
> thanks
>
> Does dh_sphinxdoc need to also disable https: or does
> intersphinx_mapping have to be patched out of every package using Sphinx?
dh_sphinxdoc is a packaging helper that is called *after* the documentation
is built and installed. It cannot affect the docs build process in any way.
If you want to disable network access, you should set the environment
variables yourself in debian/rules. http_proxy is not enough, you need to
set https_proxy to the same value.
> This will inevitably cause another difference between the upstream
> documentation and the packaged documentation, unless some sort of cache
> can be created.
>
> For python-jira and a number of other Python packages, the only
> solution for now is to patch out intersphinx support entirely.
>
> (Spotted via a reproducibility failure).
You can make it link to packaged versions of documentation. See what I do
in packaging of sphinx itself:
https://salsa.debian.org/python-team/packages/sphinx/-/blob/debian/master/debian/patches/intersphinx_local.diff
--
Dmitry Shachnev
On Fri, Nov 19, 2021 at 09:48:56AM +0000, Neil Williams wrote:
> tag 1000184 - pending
> thanks
>
> Does dh_sphinxdoc need to also disable https: or does
> intersphinx_mapping have to be patched out of every package using Sphinx?
is built and installed. It cannot affect the docs build process in any way.
If you want to disable network access, you should set the environment
variables yourself in debian/rules. http_proxy is not enough, you need to
set https_proxy to the same value.
> This will inevitably cause another difference between the upstream
> documentation and the packaged documentation, unless some sort of cache
> can be created.
>
> For python-jira and a number of other Python packages, the only
> solution for now is to patch out intersphinx support entirely.
>
> (Spotted via a reproducibility failure).
in packaging of sphinx itself:
https://salsa.debian.org/python-team/packages/sphinx/-/blob/debian/master/debian/patches/intersphinx_local.diff
--
Dmitry Shachnev
0 new messages