Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 10:37:44AM -0500, Paul Tagliamonte wrote: On Wed, Dec 26, 2012 at 10:36 AM, Moritz Mühlenhoff j...@inutil.org wrote: On Wed, Dec 26, 2012 at 10:35:46AM -0500, Paul Tagliamonte wrote: Seems OK here. Can you make sure something's not gone wrong with your install? How did you install it? Did you upgrade python-dput too? That's where the fix is :) Bummer, I only fetched dput-ng from incoming.debian.org... Will test with the next security upload :-) Sounds great :) It worked :-) Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
Outstanding!! Sorry about that break, and do let us know if there are any other issues with your setup Cheers Paul On Dec 27, 2012 8:21 AM, Moritz Mühlenhoff j...@inutil.org wrote: On Wed, Dec 26, 2012 at 10:37:44AM -0500, Paul Tagliamonte wrote: On Wed, Dec 26, 2012 at 10:36 AM, Moritz Mühlenhoff j...@inutil.org wrote: On Wed, Dec 26, 2012 at 10:35:46AM -0500, Paul Tagliamonte wrote: Seems OK here. Can you make sure something's not gone wrong with your install? How did you install it? Did you upgrade python-dput too? That's where the fix is :) Bummer, I only fetched dput-ng from incoming.debian.org... Will test with the next security upload :-) Sounds great :) It worked :-) Cheers, Moritz
Bug#696659: Security uploads not working
Hi, On 26.12.2012 03:48, Paul Tagliamonte wrote: Arno, can you ACK this change? The patch itself is fine, but I believe a warning instead of an error would be more appropriate. You do logger.error, but you don't fail out which makes your error essentially a warning. Maybe it should be tagged as such. By the way Moritz: You as a security team member probably want to disable the protected distribution hook, prompting you for confirmation before every upload. -- with kind regards, Arno Töll IRC: daemonkeeper on Freenode/OFTC GnuPG Key-ID: 0x9D80F36D signature.asc Description: OpenPGP digital signature
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 01:24:42PM +0100, Arno Töll wrote: Hi, On 26.12.2012 03:48, Paul Tagliamonte wrote: Arno, can you ACK this change? The patch itself is fine, but I believe a warning instead of an error would be more appropriate. You do logger.error, but you don't fail out which makes your error essentially a warning. Maybe it should be tagged as such. Done :) By the way Moritz: You as a security team member probably want to disable the protected distribution hook, prompting you for confirmation before every upload. -- with kind regards, Arno Töll IRC: daemonkeeper on Freenode/OFTC GnuPG Key-ID: 0x9D80F36D OK, this'll get folded into the next release. -- .''`. Paul Tagliamonte paul...@debian.org : :' : Proud Debian Developer `. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87 `- http://people.debian.org/~paultag signature.asc Description: Digital signature
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 01:24:42PM +0100, Arno Töll wrote: Hi, On 26.12.2012 03:48, Paul Tagliamonte wrote: Arno, can you ACK this change? The patch itself is fine, but I believe a warning instead of an error would be more appropriate. You do logger.error, but you don't fail out which makes your error essentially a warning. Maybe it should be tagged as such. By the way Moritz: You as a security team member probably want to disable the protected distribution hook, prompting you for confirmation before every upload. Thanks, I will try that with the next security upload tonight. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 03:27:26PM +0100, Moritz Mühlenhoff wrote: On Wed, Dec 26, 2012 at 01:24:42PM +0100, Arno Töll wrote: Hi, On 26.12.2012 03:48, Paul Tagliamonte wrote: Arno, can you ACK this change? The patch itself is fine, but I believe a warning instead of an error would be more appropriate. You do logger.error, but you don't fail out which makes your error essentially a warning. Maybe it should be tagged as such. By the way Moritz: You as a security team member probably want to disable the protected distribution hook, prompting you for confirmation before every upload. Thanks, I will try that with the next security upload tonight. I can easily workaround it, but just to let you know It still fails to me if /etc/dput.cf is still present: jmm@pisco:~/chroots/squeeze/home/jmm/free$ ls -lha /usr/bin/dput -rwxr-xr-x 1 root root 4,5K Dez 26 15:33 /usr/bin/dput jmm@pisco:~/chroots/squeeze/home/jmm/free$ dput security-master freetype_2.4.2-2.1+squeeze5_amd64.changes Uploading freetype using ftp to security-master (host: security-master.debian.org; directory: /pub/SecurityUploadQueue) running allowed-distribution: check whether a local profile permits uploads to the target distribution running protected-distribution: warn before uploading to distributions where a special policy applies Protected Checker: Are you sure to upload to stable-security? Did you coordinate with the Security Team before your upload? [yes, NO]: yes Uploading with explicit confirmation by the user running checksum: verify checksums before uploading running suite-mismatch: check the target distribution for common errors running check-debs: makes sure the upload contains a binary package running gpg: check GnuPG signatures before the upload gpg: Unterschrift vom Mi 26 Dez 2012 16:00:19 CET mittels DSA-Schl�ssel ID 4E2ECA5A gpg: Korrekte Unterschrift von Moritz Muehlenhoff j...@debian.org gpg: alias Moritz Muehlenhoff j...@inutil.org Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory Traceback (most recent call last): File /usr/bin/dput, line 87, in module upload_package(changes, args) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 275, in invoke_dput simulate=args.simulate) as obj: File /usr/lib/python2.7/contextlib.py, line 17, in __enter__ return self.gen.next() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 157, in uploader obj._pre_hook() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 64, in _pre_hook self._run_hook(pre_upload_command) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 72, in _run_hook sys.stdout.write(output) # XXX: Fixme TypeError: expected a character buffer object jmm@pisco:~/chroots/squeeze/home/jmm/free$ dpkg -l dput-ng Gew�nscht=Unbekannt/Installieren/R=Entfernen/P=Vollst�ndig L�schen/Halten | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anh�ngig |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht) ||/ Name VersionArchitektur Beschreibung +++-==-==-==-= ii dput-ng1.3allnext generation Debian package upload tool Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 04:05:19PM +0100, Moritz Mühlenhoff wrote: On Wed, Dec 26, 2012 at 03:27:26PM +0100, Moritz Mühlenhoff wrote: On Wed, Dec 26, 2012 at 01:24:42PM +0100, Arno Töll wrote: Hi, On 26.12.2012 03:48, Paul Tagliamonte wrote: Arno, can you ACK this change? The patch itself is fine, but I believe a warning instead of an error would be more appropriate. You do logger.error, but you don't fail out which makes your error essentially a warning. Maybe it should be tagged as such. By the way Moritz: You as a security team member probably want to disable the protected distribution hook, prompting you for confirmation before every upload. Thanks, I will try that with the next security upload tonight. I can easily workaround it, but just to let you know It still fails to me if /etc/dput.cf is still present: o.O jmm@pisco:~/chroots/squeeze/home/jmm/free$ ls -lha /usr/bin/dput -rwxr-xr-x 1 root root 4,5K Dez 26 15:33 /usr/bin/dput jmm@pisco:~/chroots/squeeze/home/jmm/free$ dput security-master freetype_2.4.2-2.1+squeeze5_amd64.changes Uploading freetype using ftp to security-master (host: security-master.debian.org; directory: /pub/SecurityUploadQueue) running allowed-distribution: check whether a local profile permits uploads to the target distribution running protected-distribution: warn before uploading to distributions where a special policy applies Protected Checker: Are you sure to upload to stable-security? Did you coordinate with the Security Team before your upload? [yes, NO]: yes Uploading with explicit confirmation by the user running checksum: verify checksums before uploading running suite-mismatch: check the target distribution for common errors running check-debs: makes sure the upload contains a binary package running gpg: check GnuPG signatures before the upload gpg: Unterschrift vom Mi 26 Dez 2012 16:00:19 CET mittels DSA-Schl�ssel ID 4E2ECA5A gpg: Korrekte Unterschrift von Moritz Muehlenhoff j...@debian.org gpg: alias Moritz Muehlenhoff j...@inutil.org Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory Traceback (most recent call last): File /usr/bin/dput, line 87, in module upload_package(changes, args) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 275, in invoke_dput simulate=args.simulate) as obj: File /usr/lib/python2.7/contextlib.py, line 17, in __enter__ return self.gen.next() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 157, in uploader obj._pre_hook() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 64, in _pre_hook self._run_hook(pre_upload_command) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 72, in _run_hook sys.stdout.write(output) # XXX: Fixme TypeError: expected a character buffer object jmm@pisco:~/chroots/squeeze/home/jmm/free$ dpkg -l dput-ng Gew�nscht=Unbekannt/Installieren/R=Entfernen/P=Vollst�ndig L�schen/Halten | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anh�ngig |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht) ||/ Name VersionArchitektur Beschreibung +++-==-==-==-= ii dput-ng1.3allnext generation Debian package upload tool Cheers, Moritz | [tag@leliel:~/dev/debian/git.d.o/fluxbox][10:30 AM]$ dput security-master fluxbox_1.3.2-4_amd64.changes -s | Not uploading for real - dry run | Uploading fluxbox using ftp to security-master (host: security-master.debian.org; directory: /pub/SecurityUploadQueue) | running suite-mismatch: check the target distribution for common errors | running checksum: verify checksums before uploading | running protected-distribution: warn before uploading to distributions where a special policy applies | running check-debs: makes sure the upload contains a binary package | running allowed-distribution: check whether a local profile permits uploads to the target distribution | Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory | Error: You've set a hook (pre_upload_command) to run (`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't appear to exist). Please verify the path and correct it. | Uploading fluxbox_1.3.2-4.dsc (simulation) | Uploading fluxbox_1.3.2.orig.tar.gz (simulation) | Uploading fluxbox_1.3.2-4.debian.tar.gz (simulation) | Uploading fluxbox_1.3.2-4_amd64.deb (simulation) | Uploading fluxbox_1.3.2-4_amd64.changes (simulation) Seems OK here. Can you make sure something's not gone wrong with your install? How did you install it? Did you
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 10:35:46AM -0500, Paul Tagliamonte wrote: Seems OK here. Can you make sure something's not gone wrong with your install? How did you install it? Did you upgrade python-dput too? That's where the fix is :) Bummer, I only fetched dput-ng from incoming.debian.org... Will test with the next security upload :-) Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
On Wed, Dec 26, 2012 at 10:36 AM, Moritz Mühlenhoff j...@inutil.org wrote: On Wed, Dec 26, 2012 at 10:35:46AM -0500, Paul Tagliamonte wrote: Seems OK here. Can you make sure something's not gone wrong with your install? How did you install it? Did you upgrade python-dput too? That's where the fix is :) Bummer, I only fetched dput-ng from incoming.debian.org... Will test with the next security upload :-) Sounds great :) Cheers, Moritz -Paul -- :wq
Bug#696659: Security uploads not working
Package: dput-ng Version: 1.2 Severity: normal Hi, I tried to upload a security upload to security-master, but /usr/share/dput/helper/security-warning is missing: running allowed-distribution: check whether a local profile permits uploads to the target distribution running protected-distribution: warn before uploading to distributions where a special policy applies Protected Checker: Are you sure to upload to stable-security? Did you coordinate with the Security Team before your upload? [yes, NO]: yes Uploading with explicit confirmation by the user running checksum: verify checksums before uploading running suite-mismatch: check the target distribution for common errors running check-debs: makes sure the upload contains a binary package running gpg: check GnuPG signatures before the upload gpg: Unterschrift vom Di 25 Dez 2012 12:09:57 CET mittels DSA-Schl�ssel ID 4E2ECA5A gpg: Korrekte Unterschrift von Moritz Muehlenhoff j...@debian.org gpg: alias Moritz Muehlenhoff j...@inutil.org Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory Traceback (most recent call last): File /usr/bin/dput, line 87, in module upload_package(changes, args) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 275, in invoke_dput simulate=args.simulate) as obj: File /usr/lib/python2.7/contextlib.py, line 17, in __enter__ return self.gen.next() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 157, in uploader obj._pre_hook() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 64, in _pre_hook self._run_hook(pre_upload_command) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 72, in _run_hook sys.stdout.write(output) # XXX: Fixme TypeError: expected a character buffer object Cheers, Moritz -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages dput-ng depends on: ii python 2.7.3-3 ii python-dput 1.2 Versions of packages dput-ng recommends: ii bash-completion 1:2.0-1 dput-ng suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
tags 696659 + moreinfo thanks On Tue, Dec 25, 2012 at 12:13:09PM +0100, Moritz Muehlenhoff wrote: Package: dput-ng Version: 1.2 Severity: normal Hi, I tried to upload a security upload to security-master, but /usr/share/dput/helper/security-warning is missing: running allowed-distribution: check whether a local profile permits uploads to the target distribution running protected-distribution: warn before uploading to distributions where a special policy applies Protected Checker: Are you sure to upload to stable-security? Did you coordinate with the Security Team before your upload? [yes, NO]: yes Uploading with explicit confirmation by the user running checksum: verify checksums before uploading running suite-mismatch: check the target distribution for common errors running check-debs: makes sure the upload contains a binary package running gpg: check GnuPG signatures before the upload gpg: Unterschrift vom Di 25 Dez 2012 12:09:57 CET mittels DSA-Schl?ssel ID 4E2ECA5A gpg: Korrekte Unterschrift von Moritz Muehlenhoff j...@debian.org gpg: alias Moritz Muehlenhoff j...@inutil.org This all looks great Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory We don't own /usr/share/dput -- this looks like it's coming from dput-old's /etc/dput.cf -- can you please check if you still have that target? Please keep in mind all old dput configs will override new dput configs -- we defer to the old configs in all cases :) If it's still saying to run that hook, dput-ng will try to run the hook. Perhaps remove that target? Thanks for flying dput-ng air, Merry Christmas, Paul Traceback (most recent call last): File /usr/bin/dput, line 87, in module upload_package(changes, args) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 275, in invoke_dput simulate=args.simulate) as obj: File /usr/lib/python2.7/contextlib.py, line 17, in __enter__ return self.gen.next() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 157, in uploader obj._pre_hook() File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 64, in _pre_hook self._run_hook(pre_upload_command) File /usr/lib/python2.7/dist-packages/dput/uploader.py, line 72, in _run_hook sys.stdout.write(output) # XXX: Fixme TypeError: expected a character buffer object Cheers, Moritz -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages dput-ng depends on: ii python 2.7.3-3 ii python-dput 1.2 Versions of packages dput-ng recommends: ii bash-completion 1:2.0-1 dput-ng suggests no packages. -- no debconf information -- .''`. Paul Tagliamonte paul...@debian.org : :' : Proud Debian Developer `. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87 `- http://people.debian.org/~paultag signature.asc Description: Digital signature
Bug#696659: Security uploads not working
On Tue, Dec 25, 2012 at 08:47:20AM -0500, Paul Tagliamonte wrote: This all looks great Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory We don't own /usr/share/dput -- this looks like it's coming from dput-old's /etc/dput.cf -- can you please check if you still have that target? dput was still in status removed since dput was removed when dput-ng was installed. Please keep in mind all old dput configs will override new dput configs -- we defer to the old configs in all cases :) If it's still saying to run that hook, dput-ng will try to run the hook. Perhaps remove that target? I will remove /etc/dput.cf, then. I can't remember to have made any special modifications to the config, so the dput-ng default config should probably suit me. By dput-ng should probably handle missing script files more gracefully, I wasn't expecting to need to adapt my config since the package description says | dput-ng aims to be backwards compatible with dput in command-line flags, | configuration files, and expected behavior. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
retitle 696659 Don't abort upload on missing pre_upload_command or post_upload_command thanks On Tue, Dec 25, 2012 at 05:55:32PM +0100, Moritz Mühlenhoff wrote: On Tue, Dec 25, 2012 at 08:47:20AM -0500, Paul Tagliamonte wrote: This all looks great Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory We don't own /usr/share/dput -- this looks like it's coming from dput-old's /etc/dput.cf -- can you please check if you still have that target? dput was still in status removed since dput was removed when dput-ng was installed. Aye, they do conflict. Please keep in mind all old dput configs will override new dput configs -- we defer to the old configs in all cases :) If it's still saying to run that hook, dput-ng will try to run the hook. Perhaps remove that target? I will remove /etc/dput.cf, then. I can't remember to have made any special modifications to the config, so the dput-ng default config should probably suit me. Hopefully :) If there are additinal targets, I can make sure that it gets added, or help you add a new target. By dput-ng should probably handle missing script files more gracefully, I I quite agree -- a missing script should perhaps be non-fatal. wasn't expecting to need to adapt my config since the package description says | dput-ng aims to be backwards compatible with dput in command-line flags, | configuration files, and expected behavior. Aye. Technically (I hate to make this argument, because dput-ng broke, and above all, that's a problem), it was was just doing what you were telling it, just like dput, there was just a missing script ;) Cheers, Moritz I've retitled the bug to match :) Cheers, and sorry again, Paul -- .''`. Paul Tagliamonte paul...@debian.org : :' : Proud Debian Developer `. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87 `- http://people.debian.org/~paultag signature.asc Description: Digital signature
Bug#696659: Security uploads not working
Please keep in mind all old dput configs will override new dput configs -- we defer to the old configs in all cases :) If it's still saying to run that hook, dput-ng will try to run the hook. Perhaps remove that target? I will remove /etc/dput.cf, then. I can't remember to have made any special modifications to the config, so the dput-ng default config should probably suit me. Hopefully :) If there are additinal targets, I can make sure that it gets added, or help you add a new target. Thanks for the quick followup and on working towards a more actively maintained upload tool! I'll try another upload using dput-ng when the next security update is ready. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#696659: Security uploads not working
tags 696659 + pending thanks Hey Moritz, I've pushed a fix in git. If you wouldn't mind reviewing the diff[1] and ensuring that it satisfies your concerns, that would be great. High level logic is, given a exec problem (dput.utils:95), and the file we're s'posed to run isn't on the filesystem, duck the error and complain to the user, but allow the upload. Arno, can you ACK this change? On Tue, Dec 25, 2012 at 06:08:10PM +0100, Moritz Mühlenhoff wrote: Please keep in mind all old dput configs will override new dput configs -- we defer to the old configs in all cases :) If it's still saying to run that hook, dput-ng will try to run the hook. Perhaps remove that target? I will remove /etc/dput.cf, then. I can't remember to have made any special modifications to the config, so the dput-ng default config should probably suit me. Hopefully :) If there are additinal targets, I can make sure that it gets added, or help you add a new target. Thanks for the quick followup and on working towards a more actively maintained upload tool! It's my pleasure, truely! I'll try another upload using dput-ng when the next security update is ready. Sounds fantastic. Cheers, Moritz Cheers, Paul [1]: http://anonscm.debian.org/gitweb/?p=collab-maint/dputng.git;a=commitdiff;h=a57cfd6d5eb7bb1e4166eafb72cb434f0614f7d0 -- .''`. Paul Tagliamonte paul...@debian.org : :' : Proud Debian Developer `. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87 `- http://people.debian.org/~paultag signature.asc Description: Digital signature