Recent commits to derivepassphrase.git (6c704955736026fc4c77164542682cb2549f3e01) https://git.schokokeks.org/derivepassphrase.git/tree/6c704955736026fc4c77164542682cb2549f3e01 Recent commits feed provided by GitList. Update tooling `ruff` now checks for too many statements in a `try` block (PLW0717), for non-trivial `__init__.py` files (RUF067), for explicitly comparing floats with `__eq__` (RUF069) and for bad control flow in a generator-based context manager (RUF075). We document our intentional RUF069 and RUF075 violations, we fix the other occurrences of RUF075, and we ignore PLW0717 and RUF067 for now. https://git.schokokeks.org/derivepassphrase.git/commit/6c704955736026fc4c77164542682cb2549f3e01 software@the13thletter.info (Marco Ricci) Sun, 14 Jun 2026 22:46:36 +0200 6c704955736026fc4c77164542682cb2549f3e01 Ensure better test suite behavior for regression-only testing Tweak the hypothesis settings for determinism and speed when running the test suite solely for the purpose of regression testing [1], in the new hypothesis profile "regression": test generation will be derandomized, stateful step counts and example counts will be set very low. As all of our slow-running tests are hypothesis-based, and all of our hypothesis-based tests are slow because of the high example count, this change alone immediately makes "regression-only" testing feasible for us without having to skip hypothesis-based tests. (In fact, the hypothesis derandomization feature appears to draw motivation from the same source [1] as we do.) As a counterpoint, mark test cases that are (or probably should be) hypothesis-based, but test for completion or correctness purposes rather than for regression purposes, with a custom marker `correctness_focused`. Also try to add at least one working example and one counterexample to each hypothesis-based test, if feasible. This buys us the flexibility (in the future) to remove test case generation from the "regression" profile, if desired. The test cases would then still run the explicit examples, and thus remain useful, instead of needing another separate set of non-hypothesis tests to cover the same ground. References: 1. Nelson Elhage: [Two kinds of testing][], particularly the section "Test budget". 2. Alex Kladov: [How to Test][], particularly the section "Make Tests Fast". [Two kinds of testing]: https://blog.nelhage.com/post/two-kinds-of-testing/ [How to Test]: https://matklad.github.io/2021/05/31/how-to-test.html#Make-Tests-Fast https://git.schokokeks.org/derivepassphrase.git/commit/bd1fc69133c0bb9cc8634ab9fb18bc5a91e21f4a software@the13thletter.info (Marco Ricci) Sun, 14 Jun 2026 22:46:36 +0200 bd1fc69133c0bb9cc8634ab9fb18bc5a91e21f4a Merge branch 'openssh-bug3967-workaround' * openssh-bug3967-workaround: Ensure the SSH agent unhappy path/misbehavior tests always run Fix the test setup (SSH agent "query" double-response behavior) Harmonize coverage exclusion markers (and fix one slipup) Reorganize and rename SSH agent mock objects Test our handling of the SSH agent "query" double-response behavior Allow testing for mismatched SSH agent communication Work around double-response for "query" extension from ssh-agent (OpenSSH 10.3) Split SSHAgentClient.request in two Turn the SSH agent protocol message numbers into ints For SSH agent failures, print the raw response text https://git.schokokeks.org/derivepassphrase.git/commit/0b4f4a9d7947199dd6111b5b9c2fc7cbc9f7e763 software@the13thletter.info (Marco Ricci) Sun, 14 Jun 2026 13:20:51 +0200 0b4f4a9d7947199dd6111b5b9c2fc7cbc9f7e763 Ensure the SSH agent unhappy path/misbehavior tests always run The tests for various unhappy paths or misbehavior of the SSH agent now run against the stubbed SSH agent, instead of requiring an external SSH agent (and failing or skipping if that external agent is unavailable). The tests need to intercept all I/O from the agent anyway, so there is little point in requiring to connect to an external agent but then not doing any I/O with the agent. It just introduces another unrelated and unnecessary failure mode (e.g., SSH_AUTH_SOCK not set up). We put the fixture for forcing use of the stubbed SSH agent at the top level of the `ssh_agent` module tests, because that currently seems to be the only place where we need to force use of an internal agent over an external one. https://git.schokokeks.org/derivepassphrase.git/commit/30c0d6f46620b6a96e901c8a886db61b2871e137 software@the13thletter.info (Marco Ricci) Sun, 14 Jun 2026 10:05:10 +0200 30c0d6f46620b6a96e901c8a886db61b2871e137 Fix the test setup (SSH agent "query" double-response behavior) The test mocks communication aspects of an SSH agent session, and thus needs a running SSH agent. Also, the xfail markers for some of the parametrization values were overly broad, and were masking failures in the test setup because of a missing running SSH agent. https://git.schokokeks.org/derivepassphrase.git/commit/c61d17b815f52bf49ce840c00fbaa75db8e11b96 software@the13thletter.info (Marco Ricci) Sun, 14 Jun 2026 07:54:14 +0200 c61d17b815f52bf49ce840c00fbaa75db8e11b96 Harmonize coverage exclusion markers (and fix one slipup) Introduce a second coverage exclusion marker in the form of an overridable session-level fixture `skip_if_no_ctypes_windll_support`, similar to the existing `skip_if_no_af_unix_support` fixture. Also update the description of both fixtures to match their current usage. Also also fix a coverage slipup in a failsafe path of the `AgentProtocolResponseQueue` testing machinery. https://git.schokokeks.org/derivepassphrase.git/commit/6da7a92c3285a1f757cbe7530fe17caf680ad468 software@the13thletter.info (Marco Ricci) Sat, 13 Jun 2026 21:28:11 +0200 6da7a92c3285a1f757cbe7530fe17caf680ad468 Reorganize and rename SSH agent mock objects Rename the `Request` and `Response` classes to `AgentProtocolRequest` and `AgentProtocolResponse`, respectively, and move them into the `tests.data` package. Rename the `_RequestResponseIOQueue` class to `AgentProtocolResponseQueue`, and move it into the `tests.machinery` package. Along the way, fix the self-reference of `tests.data` and `tests.machinery` contents within the `tests.machinery` package. https://git.schokokeks.org/derivepassphrase.git/commit/3430fde355127c4e0951bfaa6f5df63bf82b5f32 software@the13thletter.info (Marco Ricci) Sat, 13 Jun 2026 19:22:20 +0200 3430fde355127c4e0951bfaa6f5df63bf82b5f32 Test our handling of the SSH agent "query" double-response behavior Add tests to verify that we gracefully react to an SSH agent replying twice to a "query" extension request. https://git.schokokeks.org/derivepassphrase.git/commit/2323b5742485ed8ab30c57989a399c491b7484ce software@the13thletter.info (Marco Ricci) Sat, 13 Jun 2026 18:52:55 +0200 2323b5742485ed8ab30c57989a399c491b7484ce Allow testing for mismatched SSH agent communication Generalize the mocked SSH agent machinery for simulating error responses slightly, so that instead of passing one-to-one request/response pairs, we pass one-to-many request/list-of-responses pairs. Responses are kept on a queue, and the machinery asserts that the queue is empty at the end of the interaction. This new flexibility is not yet required anywhere, but will be used in the next commit. https://git.schokokeks.org/derivepassphrase.git/commit/0166a2edbd9c81df63e2d9fd5c057212d4ce6b45 software@the13thletter.info (Marco Ricci) Sat, 13 Jun 2026 18:52:55 +0200 0166a2edbd9c81df63e2d9fd5c057212d4ce6b45 Work around double-response for "query" extension from ssh-agent (OpenSSH 10.3) Detect and work around `ssh-agent` (OpenSSH 10.3 only) responding twice when answering a "query" extension request: once with the expected "extension response" or "success" message, and once with an unexpected/additional empty "success" message. We detect the extra empty "success" message in a generic and protocol compliant way, and re-align request-response-pair boundaries for any future requests. From the agent's perspective, the work-around does a read-only operation and should not change any permanent agent state, whether there are extra empty "success" messages or not. As written, the work-around tests specifically for output from OpenSSH 10.3, but is otherwise agnostic to the "extension response" message contents and could be easily adapted to trigger for other content patterns. https://git.schokokeks.org/derivepassphrase.git/commit/20bcd8f960b0655700905e9f20f807de15809188 software@the13thletter.info (Marco Ricci) Sat, 13 Jun 2026 18:52:55 +0200 20bcd8f960b0655700905e9f20f807de15809188