[Bug 2147459] Re: python3-jwt missing RECORD file post-security-patch

Nick Rosbrook 2147459 at bugs.launchpad.net
Wed Apr 8 13:31:26 UTC 2026 

This is caused by dh-python, and was a deliberate change version
6.20230813[1]:

dh-python (6.20230813) unstable; urgency=medium

  * When we build a wheel for tox, with the distutils plugin, make sure
    our .pydistutils.cfg isn't present, so we build it in the standard layout.
  * Remove RECORD files from dist-info, these are incompatible with
    multi-arch.
  * Support for backporting the pyproject plugin to Python < 3.11. Thanks
    Stuart Prescott. (Closes: #1043301)
  * Use values for _PYTHON_HOST_PLATFORM that are closer to Python's defaults.
  * tox: Pass -x testenv.passenv+=_PYTHON_HOST_PLATFORM, so that pip will
    accept the _PYTHON_HOST_PLATFORM that the test wheel was built with.
  * Generate dependencies on using python3-supported-min and
    python3-supported-max.  Allowing dependencies to work correctly on all
    supported python 3 versions.  (Closes: #1028603)
  * pybuild-auto-pkgtest: Run tox tests against the installed package.

I am not sure how pip should behave in this case, but this is now the
expected behavior for Debian packages.

https://launchpad.net/ubuntu/+source/dh-python/6.20230813


** Package changed: pyjwt (Ubuntu) => python-pip (Ubuntu)

** Changed in: python-pip (Ubuntu)
       Status: New => Incomplete

** Changed in: python-pip (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to pyjwt in Ubuntu.
https://bugs.launchpad.net/bugs/2147459

Title:
  python3-jwt missing RECORD file post-security-patch

Status in python-pip package in Ubuntu:
  Incomplete

Bug description:
  On Ubuntu 24.04 and following the security patch made to pyjwt,
  python3-jwt is now missing the RECORD file. This is required for
  proper functionality of pip, in particular in situations such as
  containerised workloads where --break-system-packages is more common.
  There is a workaround by simply deleting /usr/lib/python3/dist-
  packages/PyJWT-2.7.0.dist-info and reinstalling the package via pip,
  but this is clearly far from ideal.

  I verified the issue exists on (at least) arm64 and amd64.

  There is no obvious difference between the unpatched and patched
  packages, either in source or control files, beyond that necessary for
  the patch. Therefore, this looks like a build system issue. The build
  logs at https://launchpadlibrarian.net/853574300/buildlog_ubuntu-
  noble-amd64.pyjwt_2.7.0-1ubuntu0.1_BUILDING.txt.gz show the RECORD
  file being created but it is not present in the final file listing.

  Demonstration of the problem from a clean install:

  # apt install -y python3-jwt=2.7.0-1
  ...
  # ls -al /usr/lib/python3/dist-packages/PyJWT-2.7.0.dist-info
  total 36
  drwxr-xr-x 2 root root 4096 Apr  7 14:46 .
  drwxr-xr-x 9 root root 4096 Apr  7 14:46 ..
  -rw-r--r-- 1 root root  322 Jun 15  2023 AUTHORS.rst
  -rw-r--r-- 1 root root    7 Jun 15  2023 INSTALLER
  -rw-r--r-- 1 root root 4160 Jun 15  2023 METADATA
  -rw-r--r-- 1 root root 1305 Jun 15  2023 RECORD
  -rw-r--r-- 1 root root   92 Jun 15  2023 WHEEL
  -rw-r--r-- 1 root root    4 Jun 15  2023 top_level.txt

  # apt install -y python3-jwt=2.7.0-1ubuntu0.1
  ...
  # ls -al /usr/lib/python3/dist-packages/PyJWT-2.7.0.dist-info
  total 36
  drwxr-xr-x 1 root root 4096 Apr  7 14:46 .
  drwxr-xr-x 1 root root 4096 Apr  7 14:46 ..
  -rw-r--r-- 1 root root    7 Mar 26 13:14 INSTALLER
  -rw-r--r-- 1 root root 4144 Mar 26 13:14 METADATA
  -rw-r--r-- 1 root root   92 Mar 26 13:14 WHEEL
  -rw-r--r-- 1 root root    4 Mar 26 13:14 top_level.txt

  # pip install --break-system-packages PyJWT==2.12.0
  Collecting PyJWT==2.12.0
    Downloading pyjwt-2.12.0-py3-none-any.whl.metadata (4.0 kB)
  Downloading pyjwt-2.12.0-py3-none-any.whl (29 kB)
  Installing collected packages: PyJWT
    Attempting uninstall: PyJWT
      Found existing installation: PyJWT 2.7.0
  ERROR: Cannot uninstall PyJWT 2.7.0, RECORD file not found. Hint: The package was installed by debian.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: python3-jwt 2.7.0-1ubuntu0.1
  Uname: Linux 6.12.54-linuxkit aarch64
  ApportVersion: 2.28.1-0ubuntu3.8
  Architecture: arm64
  CasperMD5CheckResult: unknown
  CloudBuildName: ubuntu-oci:minimized
  CloudSerial: 20260324
  Date: Tue Apr  7 14:03:27 2026
  PackageArchitecture: all
  ProcEnviron:
   LANG=C.UTF-8
   PATH=(custom, no user)
   TERM=xterm
  SourcePackage: pyjwt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/2147459/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list