nondeterministic failure when no keyring backends are available
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| | Python Keyring |
New
|
Unknown
|
|||
| python-keyring (Ubuntu) | Status tracked in Focal | |||||
| | Eoan |
Medium
|
Dan Streetman | |||
| | Focal |
Medium
|
Dan Streetman | |||
| python-launchpadlib (Ubuntu) | Status tracked in Focal | |||||
| | Eoan |
Medium
|
Dan Streetman | |||
| | Focal |
Medium
|
Dan Streetman | |||
Bug Description
[impact]
when no backends are available for python-keyring, it will sometimes silently ignore all requests to set or get credentials, and sometimes it will raise RuntimeError for all requests.
[test case]
when there are no backends, there are 2 built-in backends that will be the only ones available, the 'chainer' backend and the 'fail' backend. The 'fail' backend always has priority 0, while the 'chainer' backend has priority 10 if it contains any actual backends, and priority 0 if it is empty. So in the situtation where there are no actual backends, both 'chainer' and 'fail' will have priority 0. Since the 'backends' class stores its backend implementation instances in a python set(), which is unordered, it is non-deterministic which of those backends are used at any given time.
Since the behavior is non-deterministic, simply trying this multiple times may result in each behavior. Rebooting or logout/login can help 'switch' the behavior, although simply re-running the test multiple times should be enough to eventually test both backends.
>>> import keyring
>>> [keyring.
the above python code will show the current list of backends, and since they both have the same priority (in this situation) the first in the list will be used. If the list looks like:
[[<keyring.
with 'ChainerBackend' first, all keyring functions will return silently with None, e.g.:
>>> keyring.
>>> keyring.
>>>
with 'fail.Keyring' first, all keyring functions will raise RuntimeError:
>>> import keyring
>>> [keyring.
[[<keyring.
>>> keyring.
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
_keyring_
File "/usr/lib/
raise RuntimeError(msg)
RuntimeError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https:/
>>> keyring.
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
return _keyring_
File "/usr/lib/
raise RuntimeError(msg)
RuntimeError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https:/
[regression potential]
And regressions would likely occur when no keyring backends, or only a single keyring backend, are/is availble, since this lowers the priority of the 'chainer' keyring backend, and the intention of this is to fix the existing problem when there is no keyring backend.
It should be noted that because the current behavior is non-deterministic, alternating between no error at all and raised RuntimeError, some existing users of python-keyring that occasionally do not see any error (but then also occasionally see RuntimeError raised) will now always see NoKeyringError raised (which does inherit from RuntimeError, to keep backwards compatibility for users that currently catch RuntimeError).
That is not actually a regression, since the behavior was non-deterministic; one way had to be chosen, and always raising error when there are no keyring backends is more appropriate than always silently failing when there are no keyring backends.
[scope]
This affects Eoan and later, including upstream.
This does not affect Bionic or earlier, as they do not have the commit that introduces the bug.
this was introduced upstream by commit 0114733e91f2492
[other info]
this affects any application that uses the python-launchpadlib library, as that internally uses keyrings.
Opened upstream PR to at least make the behavior deterministic:
https:/
Also adds new 'NoKeyringError' so callers can catch that specific error instead of raising generic RuntimeError.
| Changed in python-keyring (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in python-keyring: | |
| status: | Unknown → New |
| description: | updated |
| Changed in python-keyring (Ubuntu Eoan): | |
| importance: | Undecided → Medium |
| Changed in python-launchpadlib (Ubuntu Eoan): | |
| importance: | Undecided → Medium |
| Changed in python-launchpadlib (Ubuntu Focal): | |
| importance: | Undecided → Medium |
| description: | updated |
| description: | updated |
| Launchpad Janitor (janitor) wrote : | #1 |
| Changed in python-keyring (Ubuntu Eoan): | |
| status: | New → Confirmed |
| Changed in python-keyring (Ubuntu): | |
| status: | New → Confirmed |
| Changed in python-launchpadlib (Ubuntu Eoan): | |
| status: | New → Confirmed |
| Changed in python-launchpadlib (Ubuntu): | |
| status: | New → Confirmed |
| Dan Streetman (ddstreet) wrote : | #5 |
waiting on upstream python-keyring review before fixing this in Debian/Ubuntu:
https:/
| Changed in python-keyring (Ubuntu Focal): | |
| assignee: | nobody → Dan Streetman (ddstreet) |
| Changed in python-keyring (Ubuntu Eoan): | |
| assignee: | nobody → Dan Streetman (ddstreet) |
| Changed in python-launchpadlib (Ubuntu Eoan): | |
| assignee: | nobody → Dan Streetman (ddstreet) |
| Changed in python-launchpadlib (Ubuntu Focal): | |
| assignee: | nobody → Dan Streetman (ddstreet) |
| status: | Confirmed → In Progress |
| Changed in python-launchpadlib (Ubuntu Eoan): | |
| status: | Confirmed → In Progress |
| Changed in python-keyring (Ubuntu Focal): | |
| status: | Confirmed → In Progress |
| Changed in python-keyring (Ubuntu Eoan): | |
| status: | Confirmed → In Progress |
| description: | updated |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package python-keyring - 18.0.1-2ubuntu1
---------------
python-keyring (18.0.1-2ubuntu1) focal; urgency=medium
* d/p/lp1864204/
d/p/
d/p/
- make failure deterministic when no keyring backends are available
(LP: #1864204)
-- Dan Streetman <email address hidden> Sat, 14 Mar 2020 07:45:55 -0400
| Changed in python-keyring (Ubuntu Focal): | |
| status: | In Progress → Fix Released |
Hello Dan, or anyone else affected,
Accepted python-keyring into eoan-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in python-keyring (Ubuntu Eoan): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-eoan |
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (python-keyring/18.0.1-1ubuntu1) | #8 |
All autopkgtests for the newly accepted python-keyring (18.0.1-1ubuntu1) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:
salt/2018.
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
| Dan Streetman (ddstreet) wrote : | #9 |
eoan verification:
ubuntu@
ii python3-keyring 18.0.1-1 all store and access your passwords safely - Python 3 version of the package
ubuntu@
Python 3.7.5 (default, Nov 20 2019, 09:21:52)
[GCC 9.2.1 20191008] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import keyring
>>> [keyring.
[[<keyring.
>>> keyring.
>>>
ubuntu@
Python 3.7.5 (default, Nov 20 2019, 09:21:52)
[GCC 9.2.1 20191008] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import keyring
>>> [keyring.
[[<keyring.
>>> keyring.
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
_keyring_
File "/usr/lib/
raise RuntimeError(msg)
RuntimeError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https:/
ubuntu@
ii python3-keyring 18.0.1-1ubuntu1 all store and access your passwords safely - Python 3 version of the package
ubuntu@
Python 3.7.5 (default, Nov 20 2019, 09:21:52)
[GCC 9.2.1 20191008] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import keyring
>>> [keyring.
[[<keyring.
>>> keyring.
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
_keyring_
File "/usr/lib/
raise NoKeyringError(msg)
keyring.
| tags: |
added: verification-done verification-done-eoan removed: verification-needed verification-needed-eoan |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package python-keyring - 18.0.1-1ubuntu1
---------------
python-keyring (18.0.1-1ubuntu1) eoan; urgency=medium
* d/p/lp1864204/
d/p/
d/p/
- make failure deterministic when no keyring backends are available
(LP: #1864204)
-- Dan Streetman <email address hidden> Sat, 14 Mar 2020 07:45:55 -0400
| Changed in python-keyring (Ubuntu Eoan): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for python-keyring has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Status changed to 'Confirmed' because the bug affects multiple users.