Bug #9074
python-xmpp broken in Jessie which breaks otr-bot
100%
Description
All the Chatting with some friend over XMPP and with OTR*
scenarios are broken when the test suite is run in a Jessie environment, resulting in this error from features/scripts/otr-bot.py
:
Traceback (most recent call last):
File "/tails-share/features/scripts/otr-bot.py", line 197, in <module>
otr_bot.serve_forever()
File "/usr/lib/python2.7/dist-packages/jabberbot.py", line 715, in serve_forever
conn = self.connect()
File "/tails-share/features/scripts/otr-bot.py", line 82, in connect
conres = conn.connect((conn_server, int(conn_port)))
File "/usr/lib/python2.7/dist-packages/xmpp/client.py", line 205, in connect
while not self.TLS.starttls and self.Process(1): pass
File "/usr/lib/python2.7/dist-packages/xmpp/dispatcher.py", line 303, in dispatch
handler['func'](session,stanza)
File "/usr/lib/python2.7/dist-packages/xmpp/transports.py", line 330, in StartTLSHandler
self._startSSL()
File "/usr/lib/python2.7/dist-packages/xmpp/transports.py", line 309, in _startSSL
tcpsock._sslIssuer = tcpsock._sslObj.issuer()
AttributeError: '_ssl._SSLSocket' object has no attribute 'issuer'
Apparently, xmpppy, i.e. the python-xmpp
package in Debian, is abandoned, and is experiencing bit rot vs newer versions python. There’s a fork which fixes a number of issues, including a fix for the above bug:
--- xmpp/transports.py.orig 2010-04-06 21:05:04.000000000 +0800
+++ xmpp/transports.py 2010-04-06 21:05:20.000000000 +0800
@@ -27,7 +27,7 @@ Transports are stackable so you - f.e. T
Also exception 'error' is defined to allow capture of this module specific exceptions.
"""
-import socket,select,base64,dispatcher,sys
+import socket,ssl,select,base64,dispatcher,sys
from simplexml import ustr
from client import PlugIn
from protocol import *
@@ -312,9 +312,9 @@ class TLS(PlugIn):
""" Immidiatedly switch socket to TLS mode. Used internally."""
""" Here we should switch pending_data to hint mode."""
tcpsock=self._owner.Connection
- tcpsock._sslObj = socket.ssl(tcpsock._sock, None, None)
- tcpsock._sslIssuer = tcpsock._sslObj.issuer()
- tcpsock._sslServer = tcpsock._sslObj.server()
+ tcpsock._sslObj = ssl.wrap_socket(tcpsock._sock, None, None)
+ tcpsock._sslIssuer = tcpsock._sslObj.getpeercert().get('issuer')
+ tcpsock._sslServer = tcpsock._sslObj.getpeercert().get('server')
tcpsock._recv = tcpsock._sslObj.read
tcpsock._send = tcpsock._sslObj.write
I have verified that this patch fixes the issue for us.
Already reported as Debian bug #766475
Subtasks
Related issues
Blocks Tails - |
Resolved | 2014-10-20 |
History
#1 Updated by anonym 2015-03-18 16:11:34
- blocks
Feature #8165: Make our automated test suite run in a Jessie environment added
#2 Updated by anonym 2015-03-18 16:13:34
Since this blocks Feature #8165 we may want to use some temporary solution until there’s a fix from Jessie backports. What about building our own package (with the above patch) and have an APT suite dedicated for the test suite in Jessie?
#3 Updated by intrigeri 2015-03-18 18:02:58
> Since this blocks Feature #8165 we may want to use some temporary solution until there’s a fix from Jessie backports. What about building our own package and have an APT dedicated for the test suite in Jessie?
Yes, we can of course do that. Still, I’d like to first see if it’s doable to have this fixed in Jessie. I’m not sure how to assert the severity of this bug in Debian, with the info I have so far (and the Debian bug report isn’t exactly clear either).
- How can one minimally reproduce the bug?
- Does this bug affect any XMPP connection over TLS?
#4 Updated by intrigeri 2015-03-18 18:03:30
- Assignee set to anonym
- QA Check set to Info Needed
#5 Updated by intrigeri 2015-03-19 09:50:42
- Type of work changed from Wait to Debian
#6 Updated by intrigeri 2015-03-19 09:52:05
- Priority changed from Normal to Elevated
- Target version changed from Tails_1.4 to Tails_1.3.2
Raising priority, and setting a closer milestone for now, as our last chance to have this fixed in Jessie is approaching.
#7 Updated by anonym 2015-03-19 10:58:27
- Assignee changed from anonym to intrigeri
intrigeri wrote:
> > Since this blocks Feature #8165 we may want to use some temporary solution until there’s a fix from Jessie backports. What about building our own package and have an APT dedicated for the test suite in Jessie?
>
> Yes, we can of course do that. Still, I’d like to first see if it’s doable to have this fixed in Jessie. I’m not sure how to assert the severity of this bug in Debian, with the info I have so far (and the Debian bug report isn’t exactly clear either).
>
> * How can one minimally reproduce the bug?
Here’s an example:
import xmpp
xmpp.Client("jabber.ccc.de").connect()
(If srv lookups is an issue, you can pass use_srv = False
to connect()
)
I’ll pass this on to the Debian bug.
> * Does this bug affect any XMPP connection over TLS?
Yes, so far I’ve only seen this for TLS. In fact, the last debug message before the above error is:
DEBUG: tls ok Got starttls proceed response. Switching to TLS/SSL...
Interestingly, explicitly forcing SSL/TLS to be on or off works around this particular error, i.e. this doesn’t throw the exception:
import xmpp
xmpp.Client("jabber.ccc.de").connect(secure = 1)
and this doesn’t throw the exception:
import xmpp
xmpp.Client("jabber.ccc.de").connect(secure = 0)
So it seems the SSL/TLS auto-detection code triggers the error.
However, if I modify otr-bot’s connect()
to use either secure
settings, then we get other errors, and this also happens on Debian Wheezy. With secure = 0
then the authentication fails (but no exception thrown) with:
DEBUG: gen_auth error No result node arrived! Aborting...
And with secure = 1
:
[...]
DEBUG: tls start Plugging <xmpp.transports.TLS instance at 0x7f5911a51248> into <xmpp.client.Client instance at 0x7f5911a4e518>
Traceback (most recent call last):
File "features/scripts/otr-bot.py", line 199, in <module>
otr_bot.serve_forever()
File "/usr/lib/python2.7/dist-packages/jabberbot.py", line 715, in serve_forever
conn = self.connect()
File "features/scripts/otr-bot.py", line 88, in connect
authres = conn.auth(self.jid.getNode(), self.__password, self.res)
File "/usr/lib/python2.7/dist-packages/xmpp/client.py", line 214, in auth
while not self.Dispatcher.Stream._document_attrs and self.Process(1): pass
AttributeError: Client instance has no attribute 'Dispatcher'
I tested this with the xmpppy
fork I mentioned in the ticket description, and both these errors persist. So, yeah, xmpppy
/@python-xmpp@ is not in a good shape, but integrating the above patch would save us in the short term.
Unless a serious (upstream) maintainer for xmpppy
steps up I think python-xmpp
should be dropped from Debian since it’s just going to continue to rot. Then our long-term fix would be to migrate to some other python XMPP library. In Jessie we have:
python-pyxmpp
python-sleekxmpp
python-nbxmpp
Porting python-jabberbot
to any of them would make us the new upstream since it also seems abandoned, so we’d have to either just hack in the minimal bot infrastructure we need (quite easy, I actually did that before discovering jabberbot
). Otherwise, there’s the whistler bot, based on python-sleekxmpp
, which “is easy to extend”, but isn’t packaged in Debian.
So, what do you think about all this?
#8 Updated by intrigeri 2015-03-19 11:55:54
>> * How can one minimally reproduce the bug?
> Here’s an example:
>
> import xmpp
> xmpp.Client("jabber.ccc.de").connect()
>
Ah, indeed that seems to be very much broken. Such a regression may arguably qualify as RC. However:
> Interestingly, explicitly forcing SSL/TLS to be on or off works around this particular error, i.e. this doesn’t throw the exception:
The fact that there’s an easy workaround (that could be documented in NEWS.Debian) argues a little bit in favor of not making this a RC bug.
> However, if I modify otr-bot’s connect()
to use either secure
settings, then we get other errors, […]
This is a bit strange, no?
> And with secure = 1
:
>
> [...]
> DEBUG: tls start Plugging <xmpp.transports.TLS instance at 0x7f5911a51248> into <xmpp.client.Client instance at 0x7f5911a4e518>
> Traceback (most recent call last):
> File "features/scripts/otr-bot.py", line 199, in <module>
> otr_bot.serve_forever()
> File "/usr/lib/python2.7/dist-packages/jabberbot.py", line 715, in serve_forever
> conn = self.connect()
> File "features/scripts/otr-bot.py", line 88, in connect
> authres = conn.auth(self.jid.getNode(), self.__password, self.res)
> File "/usr/lib/python2.7/dist-packages/xmpp/client.py", line 214, in auth
> while not self.Dispatcher.Stream._document_attrs and self.Process(1): pass
> AttributeError: Client instance has no attribute 'Dispatcher'
>
I don’t see secure = 1
being passed here. Is that expected?
> I tested this with the xmpppy
fork I mentioned in the ticket description, and both these errors persist. So, yeah, xmpppy
/@python-xmpp@ is not in a good shape, but integrating the above patch would save us in the short term.
OK.
> Unless a serious (upstream) maintainer for xmpppy
steps up I think python-xmpp
should be dropped from Debian since it’s just going to continue to rot.
Agreed. Note that the version in Debian is… a CVS (!) snapshot from 2008 (!).
> Then our long-term fix would be to migrate to some other python XMPP library. In Jessie we have:
> * python-pyxmpp
> * python-sleekxmpp
> * python-nbxmpp
I can evaluate the Debian side of these ones, if you wish, once you’ve looked into how actively maintained they are upstream. python-nbxmpp
is used by Gajim, so I hope it’ll be properly maintained.
> Porting python-jabberbot
to any of them would make us the new upstream since it also seems abandoned,
Indeed, there have been no commits upstream since August, 2012. However, there’s no ticket open either, so maybe the authors consider it to be stable. Before jumping to another solution (be it a new in-house implementation, or another bot framework that we may have to maintain in Debian), I’d like to see us tell upstream about the problems we see with xmpppy, and ask them if they would consider porting to a XMPP library that’s properly maintained.
Also see that discussion: https://bugs.debian.org/592010. Getting in touch with Carl Chenet might be useful.
Note that python-jabberbot
in Git (http://sourceforge.net/p/pythonjabberbot/code/commit_browser) has support for specifying the connect server, so our overloading of its connect
method wouldn’t be needed with a new upstream release.
> so we’d have to either just hack in the minimal bot infrastructure we need (quite easy, I actually did that before discovering jabberbot
). Otherwise, there’s the whistler bot, based on python-sleekxmpp
, which “is easy to extend”, but isn’t packaged in Debian.
Good to know we have alternate solutions if the other ones don’t work.
#9 Updated by intrigeri 2015-03-19 11:59:47
- Assignee changed from intrigeri to anonym
- QA Check deleted (
Info Needed)
#10 Updated by anonym 2015-03-19 14:41:44
- Assignee changed from anonym to intrigeri
- QA Check set to Info Needed
intrigeri wrote:
> > Interestingly, explicitly forcing SSL/TLS to be on or off works around this particular error, i.e. this doesn’t throw the exception:
>
> The fact that there’s an easy workaround (that could be documented in NEWS.Debian) argues a little bit in favor of not making this a RC bug.
It’s not a workaround since it causes other errors.
> > However, if I modify otr-bot’s connect()
to use either secure
settings, then we get other errors, […]
>
> This is a bit strange, no?
Yup. That said, from my reading of the code, you may not end up with the exact same results when forcing the setting as when the setting is auto-detected.
> > And with secure = 1
:
> > […]
>
> I don’t see secure = 1
being passed here. Is that expected?
It’s expected as we override connect()
, and that call had succeeded earlier and isn’t part of the stack any more. The connect()
we see in this stack trace is just another call, cause that’s how jabberbot works — it calls connect()
for each thing it does, which will return the socket and only the first time does it actually do the connect stuff.
> > Unless a serious (upstream) maintainer for xmpppy
steps up I think python-xmpp
should be dropped from Debian since it’s just going to continue to rot.
>
> Agreed. Note that the version in Debian is… a CVS (!) snapshot from 2008 (!).
Yup…
> > Then our long-term fix would be to migrate to some other python XMPP library. In Jessie we have:
>
> > * python-pyxmpp
> > * python-sleekxmpp
> > * python-nbxmpp
>
> I can evaluate the Debian side of these ones, if you wish, once you’ve looked into how actively maintained they are upstream. python-nbxmpp
is used by Gajim, so I hope it’ll be properly maintained.
Ok:
python-pyxmpp
: no commit in the official repo since Aug 23, 2011. There’s a rewrite with last commit on Jan 12, 2014.
python-sleekxmpp
: last commit in the official repo on Nov 10, 2014. Has quite a few issues and pull requests that has been ignored since then.
python-nbxmpp
: last commit in official repo was 8 days ago. Looks promising.
> > Porting python-jabberbot
to any of them would make us the new upstream since it also seems abandoned,
>
> Indeed, there have been no commits upstream since August, 2012. However, there’s no ticket open either, so maybe the authors consider it to be stable. Before jumping to another solution (be it a new in-house implementation, or another bot framework that we may have to maintain in Debian), I’d like to see us tell upstream about the problems we see with xmpppy, and ask them if they would consider porting to a XMPP library that’s properly maintained.
I sent an inquiry to Thomas Perl. To be continued.
> Also see that discussion: https://bugs.debian.org/592010. Getting in touch with Carl Chenet might be useful.
> Note that python-jabberbot
in Git (http://sourceforge.net/p/pythonjabberbot/code/commit_browser) has support for specifying the connect server, so our overloading of its connect
method wouldn’t be needed with a new upstream release.
Right.
So, is there anything you can do, intrigeri, as a Debian developer, to accelerate the inclusion of the patch into python-xmpp
? Anything else I can do except what I’ve done on the Debian bug?
#11 Updated by intrigeri 2015-03-19 16:32:59
> * python-pyxmpp
: no commit in the official repo since Aug 23, 2011. There’s a rewrite with last commit on Jan 12, 2014.
Team-maintained, no upload since almost 3 years, build-depends on an orphaned (m2crypto) package. The only open Debian bug has been fixed upstream 4 years ago, and possibly fixed in recent Debian uploads too. Popcon: 148 submitters, 10 voters. Probably not a safe bet.
> * python-sleekxmpp
: last commit in the official repo on Nov 10, 2014. Has quite a few issues and pull requests that has been ignored since then.
Supports Python 3. The package in Debian is a pre-1.0 beta, while upstream is at 1.3.1. The maintainer is more or less trying to hand the package over, without much success yet. Popcon: 94 submitters, 7 voters. Probably not a safe bet either.
> * python-nbxmpp
: last commit in official repo was 8 days ago. Looks promising.
Supports Python 3. Accepted in Debian 6 months ago, and Popcon is already much way higher than the other ones (probably both caused by Gajim switching from a python-xmpppy
fork to python-nbxmpp
). Package is maintained by the Gajim Debian maintainer and seems to be in a pretty good shape. Seems to be the best bet. Note, though, that the coupling of this project with Gajim has one good side (as long as they need it, they’ll maintain it) and one concerning side (any feature or behaviour Gajim doesn’t need itself may bitrot, or be dropped, or whatnot).
> So, is there anything you can do, intrigeri, as a Debian developer, to accelerate the inclusion of the patch into python-xmpp
? Anything else I can do except what I’ve done on the Debian bug?
Prepared a minimal patch, proposed a NMU => please test and report back there.
#12 Updated by intrigeri 2015-03-19 16:42:02
- Assignee changed from intrigeri to anonym
#13 Updated by intrigeri 2015-03-19 18:19:04
- Assignee changed from anonym to intrigeri
- QA Check deleted (
Info Needed)
#14 Updated by intrigeri 2015-03-19 18:19:46
My plan is to NMU on Sunday. Please ping me if it’s not done by Monday noon CET.
#15 Updated by intrigeri 2015-03-20 23:22:26
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 30
The maintainer agrees I should NMU => will do that soonish.
#16 Updated by intrigeri 2015-03-21 14:40:47
- % Done changed from 30 to 40
Uploaded. Will request a freeze exception once it’s built on all architectures, if the release team doesn’t unblock it themselves before I ask.
#17 Updated by intrigeri 2015-03-22 16:25:14
- % Done changed from 40 to 80
Unblocked, now waiting for it to migrate to testing.
#18 Updated by intrigeri 2015-03-28 09:36:01
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
It has migrated.