Bug#921750: security-warning hook not found, fails open

2024-03-22 Thread Santiago Ruano Rincón

On Fri, 08 Feb 2019 15:18:55 -0500 Antoine Beaupre wrote:
> Package: dput-ng
> Version: 1.22
> Severity: important
> 
> Hi!
> 
> I tried switching to dput-ng again, and here's what happened:
> 
> anarcat@curie:dist$ dput security-master 
> libreoffice_4.3.3-2+deb8u12_amd64.changes
> Uploading libreoffice using ftp to security-master (host: 
> ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
> running allowed-distribution: check whether a local profile permits uploads 
> to the target distribution
> running protected-distribution: warn before uploading to distributions where 
> a special policy applies
> running checksum: verify checksums before uploading
> running suite-mismatch: check the target distribution for common errors
> running gpg: check GnuPG signatures before the upload
> Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such 
> file or directory: '/usr/share/dput/helper/security-warning': 
> '/usr/share/dput/helper/security-warning'
> Error: You've set a hook (pre_upload_command) to run 
> (`/usr/share/dput/helper/security-warning`), but it can't be found (and 
> doesn't appear to exist). Please verify the path and correct it.
> Uploading libreoffice_4.3.3-2+deb8u12.dsc
> Uploading libreoffice_4.3.3-2+deb8u12.debian.tar.xz
> Uploading libreoffice_4.3.3-2+deb8u12_amd64.deb
> [...]
> 
> i.e. it didn't find the `security-warning` file it's supposed to show
> and prompt the user but worse, it then just went on uploading the
> package normally.
> 
> The warning should be shown, and failing that, the upload should fail
> if the hook is missing.
> 
> Thanks for the nice work! :)

I've also been hit by this. And the problem seems to be the old-style
/etc/dput.cf, which overrides the dput-ng profiles. I've purged dput,
hoping this would help the next time.

FWIW, dput-ng comes with a protected-distribution hook that has the
same goal as security-warning.

Cheers,

 -- Santiago




Bug#921750: security-warning hook not found, fails open

2019-02-08 Thread Antoine Beaupre
Package: dput-ng
Version: 1.22
Severity: important

Hi!

I tried switching to dput-ng again, and here's what happened:

anarcat@curie:dist$ dput security-master 
libreoffice_4.3.3-2+deb8u12_amd64.changes
Uploading libreoffice using ftp to security-master (host: 
ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
running allowed-distribution: check whether a local profile permits uploads to 
the target distribution
running protected-distribution: warn before uploading to distributions where a 
special policy applies
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running gpg: check GnuPG signatures before the upload
Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such 
file or directory: '/usr/share/dput/helper/security-warning': 
'/usr/share/dput/helper/security-warning'
Error: You've set a hook (pre_upload_command) to run 
(`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't 
appear to exist). Please verify the path and correct it.
Uploading libreoffice_4.3.3-2+deb8u12.dsc
Uploading libreoffice_4.3.3-2+deb8u12.debian.tar.xz
Uploading libreoffice_4.3.3-2+deb8u12_amd64.deb
[...]

i.e. it didn't find the `security-warning` file it's supposed to show
and prompt the user but worse, it then just went on uploading the
package normally.

The warning should be shown, and failing that, the upload should fail
if the hook is missing.

Thanks for the nice work! :)

A.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dput-ng depends on:
ii  python3   3.7.2-1
ii  python3-dput  1.22

dput-ng recommends no packages.

Versions of packages dput-ng suggests:
pn  dput-ng-doc  
pn  python3-twitter  

-- no debconf information
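
A local check for the condition reported in this thread, added here as an example and not taken from dput-ng or from either message: it reads a dput.cf-style file, lists every upload hook whose executable cannot be run, and refuses the upload (fails closed) when the target host has one. The function names and the sample stanza are assumptions constructed for illustration; `post_upload_command` is the companion dput.cf key and does not appear in the report.

```python
import configparser
import shlex
import shutil

HOOK_KEYS = ("pre_upload_command", "post_upload_command")

# Constructed sample in dput.cf style; host, directory and hook path are
# the ones shown in the report, the [local] stanza is made up.
SAMPLE_DPUT_CF = """\
[DEFAULT]
login = *
method = ftp

[security-master]
fqdn = ftp.security.upload.debian.org
incoming = /pub/SecurityUploadQueue
pre_upload_command = /usr/share/dput/helper/security-warning

[local]
fqdn = localhost
pre_upload_command = /bin/sh -c true
"""

def missing_hooks(cf_text):
    """Return [(section, key, executable)] for hooks that cannot be run."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cf_text)
    problems = []
    for section in cp.sections():
        for key in HOOK_KEYS:
            command = cp.get(section, key, fallback="").strip()
            if not command:
                continue
            exe = shlex.split(command)[0]
            # which() accepts absolute paths and PATH names, and requires
            # the file to exist and be executable.
            if shutil.which(exe) is None:
                problems.append((section, key, exe))
    return problems

def preflight(cf_text, target):
    """Fail closed: raise instead of letting an upload to `target` proceed."""
    bad = [p for p in missing_hooks(cf_text) if p[0] == target]
    if bad:
        raise RuntimeError(f"refusing upload to {target}: hook not runnable: {bad}")
    return True

if __name__ == "__main__":
    for section, key, exe in missing_hooks(SAMPLE_DPUT_CF):
        print(f"[{section}] {key}: {exe} not found or not executable")
```

To audit a real configuration, pass the contents of /etc/dput.cf (or ~/.dput.cf) to `missing_hooks` instead of the sample.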