Source: postgresql-17 Version: 17.3-2 Severity: serious Justification: FTBFS Tags: trixie sid ftbfs User: lu...@debian.org Usertags: ftbfs-20250215 ftbfs-trixie
Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part (hopefully): > make[2]: Entering directory > '/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl' > echo "# +++ tap check in src/test/ssl +++" && rm -rf > '/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl'/tmp_check && > /bin/mkdir -p > '/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl'/tmp_check && > cd /build/reproducible-path/postgresql-17-17.3/build/../src/test/ssl && > TESTLOGDIR='/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl/tmp_check/log' > > TESTDATADIR='/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl/tmp_check' > > PATH="/build/reproducible-path/postgresql-17-17.3/build/tmp_install/usr/lib/postgresql/17/bin:/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl:$PATH" > > LD_LIBRARY_PATH="/build/reproducible-path/postgresql-17-17.3/build/tmp_install/usr/lib/x86_64-linux-gnu" > > INITDB_TEMPLATE='/build/reproducible-path/postgresql-17-17.3/build'/tmp_install/initdb-template > PGPORT='65432' > top_builddir='/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl/../../..' > > PG_REGRESS='/build/reproducible-path/postgresql-17-17.3/build/src/test/ssl/../../../src/test/regress/pg_regress' > /usr/bin/prove -I > /build/reproducible-path/postgresql-17-17.3/build/../src/test/perl/ -I > /build/reproducible-path/postgresql-17-17.3/build/../src/test/ssl --verbose > t/*.pl > # +++ tap check in src/test/ssl +++ > > # Failed test 'pg_stat_ssl with client certificate: exit code 0' > # at t/001_ssltests.pl line 731. > > # Failed test 'pg_stat_ssl with client certificate: no stderr' > # at t/001_ssltests.pl line 731. > # got: 'psql: error: connection to server at "127.0.0.1", port 23938 > failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections? > # ' > # expected: '' > > # Failed test 'pg_stat_ssl with client certificate: matches' > # at t/001_ssltests.pl line 731. > # '' > # doesn't match > '(?^mx:^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n > # > ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,\d+,/?CN\=Test\ CA\ for\ > PostgreSQL\ SSL\ regression\ test\ client\ certs\r?$)' > > # Failed test 'certificate authorization fails because of file permissions: > matches' > # at t/001_ssltests.pl line 755. > # 'psql: error: connection to server at "127.0.0.1", port > 23938 failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # doesn't match '(?^:private key file \".*client_wrongperms\.key\" has > group or world access)' > > # Failed test 'certificate authorization fails with client cert belonging > to another user: matches' > # at t/001_ssltests.pl line 766. > # 'psql: error: connection to server at "127.0.0.1", port > 23938 failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # doesn't match '(?^:certificate authentication failed for user > "anotheruser")' > > # Failed test 'certificate authorization fails with revoked client cert: > matches' > # at t/001_ssltests.pl line 778. > # 'psql: error: connection to server at "127.0.0.1", port > 23938 failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # doesn't match '(?^:SSL error: ssl[a-z0-9/]* alert certificate revoked)' > > # Failed test 'auth_option clientcert=verify-full succeeds with matching > username and Common Name' > # at t/001_ssltests.pl line 797. > # got: '2' > # expected: '0' > > # Failed test 'auth_option clientcert=verify-full succeeds with matching > username and Common Name: no stderr' > # at t/001_ssltests.pl line 797. > # got: 'psql: error: connection to server at "127.0.0.1", port 23938 > failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # expected: '' > > # Failed test 'auth_option clientcert=verify-full succeeds with matching > username and Common Name: log matches' > # at > /build/reproducible-path/postgresql-17-17.3/build/../src/test/perl/PostgreSQL/Test/Cluster.pm > line 2445. > # '' > # doesn't match '(?^:connection authenticated: user="ssltestuser" > method=trust)' > > # Failed test 'auth_option clientcert=verify-full fails with mismatching > username and Common Name: matches' > # at t/001_ssltests.pl line 804. > # 'psql: error: connection to server at "127.0.0.1", port > 23938 failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # doesn't match '(?^:FATAL: .* "trust" authentication failed for user > "anotheruser")' > > # Failed test 'auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name' > # at t/001_ssltests.pl line 815. > # got: '2' > # expected: '0' > > # Failed test 'auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name: no stderr' > # at t/001_ssltests.pl line 815. > # got: 'psql: error: connection to server at "127.0.0.1", port 23938 > failed: Connection refused > # Is the server running on that host and accepting TCP/IP connections?' > # expected: '' > > # Failed test 'auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name: log matches' > # at > /build/reproducible-path/postgresql-17-17.3/build/../src/test/perl/PostgreSQL/Test/Cluster.pm > line 2445. > # '' > # doesn't match '(?^:connection authenticated: user="yetanotheruser" > method=trust)' > # Looks like you failed 13 tests of 205. > t/001_ssltests.pl .. > # setting up data directory > # initializing database system by copying initdb template > ok 1 - ssl_library parameter > # testing password-protected keys > ok 2 - restart fails with password-protected key file with wrong password > ok 3 - restart succeeds with password-protected key file > ok 4 - restart fails with incorrect SSL protocol bounds > ok 5 - restart succeeds with correct SSL protocol bounds > # running client tests > ok 6 - server doesn't accept non-SSL connections > ok 7 - server doesn't accept non-SSL connections: matches > ok 8 - connect without server root cert sslmode=require > ok 9 - connect without server root cert sslmode=require: no stderr > ok 10 - connect without server root cert sslmode=verify-ca > ok 11 - connect without server root cert sslmode=verify-ca: matches > ok 12 - connect without server root cert sslmode=verify-full > ok 13 - connect without server root cert sslmode=verify-full: matches > ok 14 - connect with wrong server root cert sslmode=require > ok 15 - connect with wrong server root cert sslmode=require: matches > ok 16 - connect with wrong server root cert sslmode=verify-ca > ok 17 - connect with wrong server root cert sslmode=verify-ca: matches > ok 18 - connect with wrong server root cert sslmode=verify-full > ok 19 - connect with wrong server root cert sslmode=verify-full: matches > ok 20 - connect with server CA cert, without root CA > ok 21 - connect with server CA cert, without root CA: matches > ok 22 - connect with correct server CA cert file sslmode=require > ok 23 - connect with correct server CA cert file sslmode=require: no stderr > ok 24 - connect with correct server CA cert file sslmode=verify-ca > ok 25 - connect with correct server CA cert file sslmode=verify-ca: no stderr > ok 26 - connect with correct server CA cert file sslmode=verify-full > ok 27 - connect with correct server CA cert file sslmode=verify-full: no > stderr > ok 28 - cert root file that contains two certificates, order 1 > ok 29 - cert root file that contains two certificates, order 1: no stderr > ok 30 - cert root file that contains two certificates, order 2 > ok 31 - cert root file that contains two certificates, order 2: no stderr > ok 32 - connect with sslcertmode=disable > ok 33 - connect with sslcertmode=disable: no stderr > ok 34 - connect with sslcertmode=allow > ok 35 - connect with sslcertmode=allow: no stderr > ok 36 - connect with sslcertmode=require fails without a client certificate > ok 37 - connect with sslcertmode=require fails without a client certificate: > matches > ok 38 - sslcrl option with invalid file name > ok 39 - sslcrl option with invalid file name: no stderr > ok 40 - CRL belonging to a different CA > ok 41 - CRL belonging to a different CA: matches > ok 42 - directory CRL belonging to a different CA > ok 43 - directory CRL belonging to a different CA: matches > ok 44 - CRL with a non-revoked cert > ok 45 - CRL with a non-revoked cert: no stderr > ok 46 - directory CRL with a non-revoked cert > ok 47 - directory CRL with a non-revoked cert: no stderr > ok 48 - mismatch between host name and server certificate sslmode=require > ok 49 - mismatch between host name and server certificate sslmode=require: no > stderr > ok 50 - mismatch between host name and server certificate sslmode=verify-ca > ok 51 - mismatch between host name and server certificate sslmode=verify-ca: > no stderr > ok 52 - mismatch between host name and server certificate sslmode=verify-full > ok 53 - mismatch between host name and server certificate > sslmode=verify-full: matches > ok 54 - IP address in the Common Name > ok 55 - IP address in the Common Name: no stderr > ok 56 - mismatch between host name and server certificate IP address > ok 57 - mismatch between host name and server certificate IP address: matches > ok 58 - IP address in a dNSName > ok 59 - IP address in a dNSName: no stderr > ok 60 - host name matching with X.509 Subject Alternative Names 1 > ok 61 - host name matching with X.509 Subject Alternative Names 1: no stderr > ok 62 - host name matching with X.509 Subject Alternative Names 2 > ok 63 - host name matching with X.509 Subject Alternative Names 2: no stderr > ok 64 - host name matching with X.509 Subject Alternative Names wildcard > ok 65 - host name matching with X.509 Subject Alternative Names wildcard: no > stderr > ok 66 - host name not matching with X.509 Subject Alternative Names > ok 67 - host name not matching with X.509 Subject Alternative Names: matches > ok 68 - host name not matching with X.509 Subject Alternative Names wildcard > ok 69 - host name not matching with X.509 Subject Alternative Names wildcard: > matches > ok 70 - host name matching with a single X.509 Subject Alternative Name > ok 71 - host name matching with a single X.509 Subject Alternative Name: no > stderr > ok 72 - host name not matching with a single X.509 Subject Alternative Name > ok 73 - host name not matching with a single X.509 Subject Alternative Name: > matches > ok 74 - host name not matching with a single X.509 Subject Alternative Name > wildcard > ok 75 - host name not matching with a single X.509 Subject Alternative Name > wildcard: matches > ok 76 - host matching an IPv4 address (Subject Alternative Name 1) > ok 77 - host matching an IPv4 address (Subject Alternative Name 1): no stderr > ok 78 - host matching an IPv4 address in alternate form (Subject Alternative > Name 1) > ok 79 - host matching an IPv4 address in alternate form (Subject Alternative > Name 1): no stderr > ok 80 - host not matching an IPv4 address (Subject Alternative Name 1) > ok 81 - host not matching an IPv4 address (Subject Alternative Name 1): > matches > ok 82 - host matching an IPv6 address (Subject Alternative Name 2) > ok 83 - host matching an IPv6 address (Subject Alternative Name 2): no stderr > ok 84 - host matching an IPv6 address in alternate form (Subject Alternative > Name 2) > ok 85 - host matching an IPv6 address in alternate form (Subject Alternative > Name 2): no stderr > ok 86 - host matching an IPv6 address in mixed form (Subject Alternative Name > 2) > ok 87 - host matching an IPv6 address in mixed form (Subject Alternative Name > 2): no stderr > ok 88 - host not matching an IPv6 address (Subject Alternative Name 2) > ok 89 - host not matching an IPv6 address (Subject Alternative Name 2): > matches > ok 90 - IPv6 host with CIDR mask does not match > ok 91 - IPv6 host with CIDR mask does not match: matches > ok 92 - certificate with both a CN and SANs 1 > ok 93 - certificate with both a CN and SANs 1: no stderr > ok 94 - certificate with both a CN and SANs 2 > ok 95 - certificate with both a CN and SANs 2: no stderr > ok 96 - certificate with both a CN and SANs ignores CN > ok 97 - certificate with both a CN and SANs ignores CN: matches > ok 98 - certificate with both a CN and IP SANs matches CN > ok 99 - certificate with both a CN and IP SANs matches CN: no stderr > ok 100 - certificate with both a CN and IP SANs matches SAN 1 > ok 101 - certificate with both a CN and IP SANs matches SAN 1: no stderr > ok 102 - certificate with both a CN and IP SANs matches SAN 2 > ok 103 - certificate with both a CN and IP SANs matches SAN 2: no stderr > ok 104 - certificate with both an IP CN and IP SANs 1 > ok 105 - certificate with both an IP CN and IP SANs 1: no stderr > ok 106 - certificate with both an IP CN and IP SANs 2 > ok 107 - certificate with both an IP CN and IP SANs 2: no stderr > ok 108 - certificate with both an IP CN and IP SANs ignores CN > ok 109 - certificate with both an IP CN and IP SANs ignores CN: matches > ok 110 - certificate with both an IP CN and DNS SANs matches CN > ok 111 - certificate with both an IP CN and DNS SANs matches CN: no stderr > ok 112 - certificate with both an IP CN and DNS SANs matches SAN 1 > ok 113 - certificate with both an IP CN and DNS SANs matches SAN 1: no stderr > ok 114 - certificate with both an IP CN and DNS SANs matches SAN 2 > ok 115 - certificate with both an IP CN and DNS SANs matches SAN 2: no stderr > ok 116 - server certificate without CN or SANs sslmode=verify-ca > ok 117 - server certificate without CN or SANs sslmode=verify-ca: no stderr > ok 118 - server certificate without CN or SANs sslmode=verify-full > ok 119 - server certificate without CN or SANs sslmode=verify-full: matches > ok 120 - sslrootcert=system does not connect with private CA > ok 121 - sslrootcert=system does not connect with private CA: matches > ok 122 - sslrootcert=system only accepts sslmode=verify-full > ok 123 - sslrootcert=system only accepts sslmode=verify-full: matches > ok 124 - sslrootcert=system connects with overridden SSL_CERT_FILE > ok 125 - sslrootcert=system connects with overridden SSL_CERT_FILE: no stderr > ok 126 - sslrootcert=system defaults to sslmode=verify-full > ok 127 - sslrootcert=system defaults to sslmode=verify-full: matches > ok 128 - connects without client-side CRL > ok 129 - connects without client-side CRL: no stderr > ok 130 - does not connect with client-side CRL file > ok 131 - does not connect with client-side CRL file: matches > ok 132 - does not connect with client-side CRL directory > ok 133 - does not connect with client-side CRL directory: matches > ok 134 - pg_stat_ssl view without client certificate: exit code 0 > ok 135 - pg_stat_ssl view without client certificate: no stderr > ok 136 - pg_stat_ssl view without client certificate: matches > ok 137 - connection success with correct range of TLS protocol versions > ok 138 - connection success with correct range of TLS protocol versions: no > stderr > ok 139 - connection failure with incorrect range of TLS protocol versions > ok 140 - connection failure with incorrect range of TLS protocol versions: > matches > ok 141 - connection failure with an incorrect SSL protocol minimum bound > ok 142 - connection failure with an incorrect SSL protocol minimum bound: > matches > ok 143 - connection failure with an incorrect SSL protocol maximum bound > ok 144 - connection failure with an incorrect SSL protocol maximum bound: > matches > # running server tests > ok 145 - certificate authorization fails without client cert > ok 146 - certificate authorization fails without client cert: matches > ok 147 - certificate authorization succeeds with correct client cert in PEM > format > ok 148 - certificate authorization succeeds with correct client cert in PEM > format: no stderr > ok 149 - certificate authorization succeeds with correct client cert in DER > format > ok 150 - certificate authorization succeeds with correct client cert in DER > format: no stderr > ok 151 - certificate authorization succeeds with correct client cert in > encrypted PEM format > ok 152 - certificate authorization succeeds with correct client cert in > encrypted PEM format: no stderr > ok 153 - certificate authorization succeeds with correct client cert in > encrypted DER format > ok 154 - certificate authorization succeeds with correct client cert in > encrypted DER format: no stderr > ok 155 - certificate authorization succeeds with correct client cert and > sslcertmode=require > ok 156 - certificate authorization succeeds with correct client cert and > sslcertmode=require: no stderr > ok 157 - certificate authorization succeeds with correct client cert and > sslcertmode=allow > ok 158 - certificate authorization succeeds with correct client cert and > sslcertmode=allow: no stderr > ok 159 - certificate authorization fails with correct client cert and > sslcertmode=disable > ok 160 - certificate authorization fails with correct client cert and > sslcertmode=disable: matches > ok 161 - certificate authorization fails with correct client cert and wrong > password in encrypted PEM format > ok 162 - certificate authorization fails with correct client cert and wrong > password in encrypted PEM format: matches > ok 163 - certificate authorization succeeds with DN mapping > ok 164 - certificate authorization succeeds with DN mapping: no stderr > ok 165 - certificate authorization succeeds with DN mapping: log matches > ok 166 - certificate authorization succeeds with DN regex mapping > ok 167 - certificate authorization succeeds with DN regex mapping: no stderr > ok 168 - certificate authorization succeeds with CN mapping > ok 169 - certificate authorization succeeds with CN mapping: no stderr > ok 170 - certificate authorization succeeds with CN mapping: log matches > not ok 171 # TODO & SKIP Need Pty support > not ok 172 # TODO & SKIP Need Pty support > not ok 173 # TODO & SKIP Need Pty support > not ok 174 # TODO & SKIP Need Pty support > not ok 175 - pg_stat_ssl with client certificate: exit code 0 > not ok 176 - pg_stat_ssl with client certificate: no stderr > not ok 177 - pg_stat_ssl with client certificate: matches > ok 178 - certificate authorization fails because of file permissions > not ok 179 - certificate authorization fails because of file permissions: > matches > ok 180 - certificate authorization fails with client cert belonging to > another user > not ok 181 - certificate authorization fails with client cert belonging to > another user: matches > ok 182 - certificate authorization fails with revoked client cert > not ok 183 - certificate authorization fails with revoked client cert: matches > ok 184 - certificate authorization fails with revoked client cert: log does > not match > not ok 185 - auth_option clientcert=verify-full succeeds with matching > username and Common Name > not ok 186 - auth_option clientcert=verify-full succeeds with matching > username and Common Name: no stderr > not ok 187 - auth_option clientcert=verify-full succeeds with matching > username and Common Name: log matches > ok 188 - auth_option clientcert=verify-full fails with mismatching username > and Common Name > not ok 189 - auth_option clientcert=verify-full fails with mismatching > username and Common Name: matches > ok 190 - auth_option clientcert=verify-full fails with mismatching username > and Common Name: log does not match > not ok 191 - auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name > not ok 192 - auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name: no stderr > not ok 193 - auth_option clientcert=verify-ca succeeds with mismatching > username and Common Name: log matches > ok 194 - intermediate client certificate is provided by client > ok 195 - intermediate client certificate is provided by client: no stderr > ok 196 - intermediate client certificate is missing > ok 197 - intermediate client certificate is missing: matches > ok 198 - logged client certificate Subjects are truncated if they're too long > ok 199 - logged client certificate Subjects are truncated if they're too > long: matches > ok 200 - intermediate client certificate is untrusted > ok 201 - intermediate client certificate is untrusted: matches > ok 202 - certificate authorization fails with revoked client cert with > server-side CRL directory > ok 203 - certificate authorization fails with revoked client cert with > server-side CRL directory: matches > ok 204 - certificate authorization fails with revoked UTF-8 client cert with > server-side CRL directory > ok 205 - certificate authorization fails with revoked UTF-8 client cert with > server-side CRL directory: matches > 1..205 > Dubious, test returned 13 (wstat 3328, 0xd00) > Failed 13/205 subtests > t/002_scram.pl ..... > # setting up data directory > # initializing database system by copying initdb template > ok 1 - Basic SCRAM authentication with SSL > ok 2 - Basic SCRAM authentication with SSL: no stderr > ok 3 - SCRAM with SSL and channel_binding=invalid_value > ok 4 - SCRAM with SSL and channel_binding=invalid_value: matches > ok 5 - SCRAM with SSL and channel_binding=disable > ok 6 - SCRAM with SSL and channel_binding=disable: no stderr > ok 7 - SCRAM with SSL and channel_binding=require > ok 8 - SCRAM with SSL and channel_binding=require: no stderr > ok 9 - MD5 with SSL and channel_binding=require > ok 10 - MD5 with SSL and channel_binding=require: matches > ok 11 - Cert authentication and channel_binding=require > ok 12 - Cert authentication and channel_binding=require: matches > ok 13 - SCRAM with clientcert=verify-full > ok 14 - SCRAM with clientcert=verify-full: no stderr > ok 15 - SCRAM with clientcert=verify-full: log matches > ok 16 - SCRAM with SSL, channel_binding=disable, and > require_auth=scram-sha-256 > ok 17 - SCRAM with SSL, channel_binding=disable, and > require_auth=scram-sha-256: no stderr > ok 18 - channel_binding can fail even when require_auth succeeds > ok 19 - channel_binding can fail even when require_auth succeeds: matches > ok 20 - SCRAM with SSL, channel_binding=require, and > require_auth=scram-sha-256 > ok 21 - SCRAM with SSL, channel_binding=require, and > require_auth=scram-sha-256: no stderr > ok 22 - SCRAM with SSL and channel_binding=require, server certificate uses > 'rsassaPss' > ok 23 - SCRAM with SSL and channel_binding=require, server certificate uses > 'rsassaPss': no stderr > ok 24 - SCRAM with SSL and channel_binding=require, server certificate uses > 'rsassaPss': log matches > 1..24 > ok > t/003_sslinfo.pl ... > # setting up data directory > # initializing database system by copying initdb template > ok 1 - certificate authorization succeeds with correct client cert in PEM > format > ok 2 - certificate authorization succeeds with correct client cert in PEM > format: no stderr > ok 3 - ssl_is_used() for TLS connection > ok 4 - ssl_version() correctly returning TLS protocol > ok 5 - ssl_cipher() compared with pg_stat_ssl > ok 6 - ssl_client_cert_present() for connection with cert > ok 7 - ssl_client_cert_present() for connection without cert > ok 8 - ssl_client_serial() compared with pg_stat_ssl > ok 9 - ssl_client_dn_field() for an invalid field > ok 10 - ssl_client_dn_field() for connection without cert > ok 11 - ssl_client_dn_field() for commonName > ok 12 - ssl_issuer_dn() for connection with cert > ok 13 - ssl_issuer_field() for commonName > ok 14 - extract extension from cert > ok 15 - ssl_client_cert_present() for sslcertmode=allow > ok 16 - ssl_client_cert_present() for sslcertmode=allow sslcert=invalid > ok 17 - ssl_client_cert_present() for sslcertmode=disable > ok 18 - ssl_client_cert_present() for sslcertmode=require > 1..18 > ok > > Test Summary Report > ------------------- > t/001_ssltests.pl (Wstat: 3328 (exited 13) Tests: 205 Failed: 13) > Failed tests: 175-177, 179, 181, 183, 185-187, 189, 191-193 > Non-zero exit status: 13 > Files=3, Tests=247, 15 wallclock secs ( 0.08 usr 0.00 sys + 2.57 cusr 2.18 > csys = 4.83 CPU) > Result: FAIL > make[2]: *** [Makefile:32: check] Error 1 The full build log is available from: http://qa-logs.debian.net/2025/02/15/postgresql-17_17.3-2_unstable.log All bugs filed during this archive rebuild are listed at: https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=ftbfs-20250215;users=lu...@debian.org or: https://udd.debian.org/bugs/?release=na&merged=ign&fnewerval=7&flastmodval=7&fusertag=only&fusertagtag=ftbfs-20250215&fusertaguser=lu...@debian.org&allbugs=1&cseverity=1&ctags=1&caffected=1#results A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute! If you reassign this bug to another package, please mark it as 'affects'-ing this package. See https://www.debian.org/Bugs/server-control#affects If you fail to reproduce this, please provide a build log and diff it with mine so that we can identify if something relevant changed in the meantime.
