Programs using a netrc containing an entry without a password fail with an exception "malformed machine entry <> terminated by ''"

Bug #2067361 reported by Eero Aaltonen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| python3.10 (Ubuntu) | Incomplete | Medium | Eero Aaltonen | |
| Jammy | New | Undecided | Unassigned | |

Bug Description

Some services provide token authentication, where the user's token is input as the "username" field, resulting in a netrc entry containing
```
machine SOME_ADDRESS
login SOME_TOKEN
```

but no password entry.

Trying to run some Python-based program that uses netrc, such as
```
ansible-galaxy collection install SOME_PACKAGE
```

with such a netrc file will fail with an exception
"malformed machine entry SOME_ADDRESS terminated by ''".

This is upstream bug https://bugs.python.org/issue34908 fixed in python3.11.

[ Impact ]

 * Users are not able to run Python based programs using netrc credentials, such as ansible.

[ Test Plan ]

 * Install ansible with `sudo apt install ansible`

 * Add an entry to ~/.netrc containing only the "machine" and "login" tokens

 * Observe failure when trying to run `ansible-galaxy collection install community.crypto`

[ Where problems could occur ]

 * Some overly specific test suite relying on the current overly strict parsing. However, such a test suite would have to be fixed for python3.11 anyway.

[ Other Info ]
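
The following is an added example, not part of the original report or of the proposed patch: it probes whether the running interpreter's `netrc` module accepts a login-only entry, and lists which entries in a netrc text lack a password. The host names, the `SAMPLE` text and both function names are constructed for illustration, and the scanner assumes no `macdef` blocks or quoted values.

```python
import netrc
import os
import tempfile

# Constructed sample input: one full entry, one token-only entry as in the report.
SAMPLE = (
    "machine full.example login alice password s3cret\n"
    "machine token.example login SOME_TOKEN\n"
)

def stdlib_accepts(text):
    """Parse text with this interpreter's netrc module; return (ok, hosts or error)."""
    fd, path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        # An explicit path is used, so ~/.netrc is never read or modified.
        return True, netrc.netrc(path).hosts
    except netrc.NetrcParseError as exc:
        return False, exc.msg
    finally:
        os.unlink(path)

def entries_without_password(text):
    """Names of entries with no password token (simplified: no macdef, no quoting)."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    tokens = iter(" ".join(lines).split())
    has_password = {}
    current = None
    for tok in tokens:
        if tok == "machine":
            current = next(tokens, None)
        elif tok == "default":
            current = "default"
        elif tok in ("login", "user", "account", "password"):
            value = next(tokens, None)  # consume the value so it is not read as a keyword
            if tok == "password" and current and value:
                has_password[current] = True
            continue
        else:
            continue
        if current:
            has_password.setdefault(current, False)
    return [name for name, ok in has_password.items() if not ok]

if __name__ == "__main__":
    print("entries lacking a password:", entries_without_password(SAMPLE))
    ok, detail = stdlib_accepts(SAMPLE)
    print("stdlib netrc accepted the file" if ok else "stdlib netrc rejected it: " + detail)
```

Running it under the interpreter that a failing tool uses shows whether that interpreter still has the strict parser, without touching the real `~/.netrc`.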

Eero Aaltonen (ejn) wrote :
Dan Bungert (dbungert)
Changed in python3.10 (Ubuntu):
assignee: nobody → Dan Bungert (dbungert)
Dan Bungert (dbungert) wrote :

Hi Eero, thanks for the patch. Some comments:

* I targeted this bug to Jammy, since that's the only relevant series with py3.10
* changelog: note that we should close the bug with a syntax like LP: #2067361 instead of "Closes"

Now about the content - this patch is described as a "Minimal change of upstream fix". I get that this is a minimal backport, which is nice from a SRU perspective in terms of lines of code. That said, the logic in that commit and what's shown here are quite a bit different, much more than I expected to see from the "Minimal change" description, so plainly there are going to be differences in what is present in py3.11 and what would be supported here. I'm not sure I would call this an "obviously safe patch" per https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases

The upstream commit does have unit tests, I think it would be sensible to include relevant tests, and I'd suggest a discussion here on the merits of the current backported logic versus what the full upstream commit would offer.

My primary concern here is to not make some existing use cases worse while making this case better.

I'm going to unsubscribe Sponsors for the moment, please update this bug with your thoughts.

Changed in python3.10 (Ubuntu):
assignee: Dan Bungert (dbungert) → Eero Aaltonen (ejn)
status: New → Incomplete
importance: Undecided → Medium
Eero Aaltonen (ejn) wrote :
Eero Aaltonen (ejn) wrote :

Hi Dan, thanks for taking a look.

I fixed the changelog entry on patch-V2.

Regarding the upstream commit 7f5ddb4a75fcb64046e3fc2af885960d2800a5b3, I think that cannot be cherry-picked to a stable release as is, due to the added security check. While the security check makes sense, an affected user would see this as an error out of nowhere.

I've picked here only the changes required to avoid the parsing exception in an effort to meet the criteria for an "obviously safe patch", since with a smaller change it's easier to reason about the extent of possible effects.
