Debian Bug report logs - #921750
security-warning hook not found, fails open

Package: dput-ng; Maintainer for dput-ng is dput-ng Maintainers <dput-ng@packages.debian.org>; Source for dput-ng is src:dput-ng.

Reported by: Antoine Beaupre <anarcat@debian.org>

Date: Fri, 8 Feb 2019 20:21:01 UTC

Severity: important

Found in version dput-ng/1.22


Report forwarded to debian-bugs-dist@lists.debian.org, dput-ng Maintainers <dput-ng@packages.debian.org>:
Bug#921750; Package dput-ng. (Fri, 08 Feb 2019 20:21:03 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to dput-ng Maintainers <dput-ng@packages.debian.org>. (Fri, 08 Feb 2019 20:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security-warning hook not found, fails open
Date: Fri, 08 Feb 2019 15:18:55 -0500
Package: dput-ng
Version: 1.22
Severity: important

Hi!

I tried switching to dput-ng again, and here's what happened:

anarcat@curie:dist$ dput security-master libreoffice_4.3.3-2+deb8u12_amd64.changes
Uploading libreoffice using ftp to security-master (host: ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
running allowed-distribution: check whether a local profile permits uploads to the target distribution
running protected-distribution: warn before uploading to distributions where a special policy applies
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running gpg: check GnuPG signatures before the upload
Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory: '/usr/share/dput/helper/security-warning': '/usr/share/dput/helper/security-warning'
Error: You've set a hook (pre_upload_command) to run (`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't appear to exist). Please verify the path and correct it.
Uploading libreoffice_4.3.3-2+deb8u12.dsc
Uploading libreoffice_4.3.3-2+deb8u12.debian.tar.xz
Uploading libreoffice_4.3.3-2+deb8u12_amd64.deb
[...]

i.e. it didn't find the `security-warning` file it's supposed to show
and prompt the user but worse, it then just went on uploading the
package normally.

The warning should be shown, and failing that, the upload should fail
if the hook is missing.

Thanks for the nice work! :)

A.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dput-ng depends on:
ii  python3       3.7.2-1
ii  python3-dput  1.22

dput-ng recommends no packages.

Versions of packages dput-ng suggests:
pn  dput-ng-doc      <none>
pn  python3-twitter  <none>

-- no debconf information
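
The fail-closed behaviour the report asks for, as an added example that is not part of the original report and is not dput-ng's code: a pre-upload hook runner that aborts when the hook is missing, cannot be executed, or exits non-zero. The names `run_pre_upload_hook`, `upload` and `send`, the file names and the missing path are hypothetical.

```python
import shlex
import subprocess
import sys


class HookError(Exception):
    """A pre-upload hook could not run or rejected the upload."""


def run_pre_upload_hook(command):
    """Run one hook command; raise HookError unless it ran and exited 0."""
    argv = shlex.split(command)
    if not argv:
        raise HookError("empty hook command")
    try:
        result = subprocess.run(argv, check=False)
    except OSError as exc:
        # Missing file, no execute bit, bad interpreter: the check never ran,
        # so it must not be treated as having passed.
        raise HookError(f"cannot execute {argv[0]}: {exc}") from exc
    if result.returncode != 0:
        raise HookError(f"{argv[0]} exited with status {result.returncode}")


def upload(files, pre_upload_command, send):
    """Hypothetical driver: send() is reached only after the hook passed."""
    try:
        run_pre_upload_hook(pre_upload_command)
    except HookError as exc:
        return f"aborted: {exc}", []
    return "uploaded", [send(name) for name in files]


if __name__ == "__main__":
    # Constructed inputs: two file names, one missing hook, one passing hook.
    files = ["example_1.0-1.dsc", "example_1.0-1_amd64.deb"]
    ok_hook = f'{shlex.quote(sys.executable)} -c "raise SystemExit(0)"'
    for hook in ("/nonexistent/helper/security-warning", ok_hook):
        print(upload(files, hook, lambda name: name))
```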



Information forwarded to debian-bugs-dist@lists.debian.org, dput-ng Maintainers <dput-ng@packages.debian.org>:
Bug#921750; Package dput-ng. (Fri, 22 Mar 2024 17:27:03 GMT)


Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to dput-ng Maintainers <dput-ng@packages.debian.org>. (Fri, 22 Mar 2024 17:27:03 GMT)


Message #10 received at 921750@bugs.debian.org:

From: Santiago Ruano Rincón <santiagorr@riseup.net>
To: 921750@bugs.debian.org, Antoine Beaupre <anarcat@debian.org>
Subject: Re: security-warning hook not found, fails open
Date: Fri, 22 Mar 2024 14:23:08 -0300
On Fri, 08 Feb 2019 15:18:55 -0500 Antoine Beaupre <anarcat@debian.org> wrote:
> Package: dput-ng
> Version: 1.22
> Severity: important
> 
> Hi!
> 
> I tried switching to dput-ng again, and here's what happened:
> 
> anarcat@curie:dist$ dput security-master libreoffice_4.3.3-2+deb8u12_amd64.changes
> Uploading libreoffice using ftp to security-master (host: ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
> running allowed-distribution: check whether a local profile permits uploads to the target distribution
> running protected-distribution: warn before uploading to distributions where a special policy applies
> running checksum: verify checksums before uploading
> running suite-mismatch: check the target distribution for common errors
> running gpg: check GnuPG signatures before the upload
> Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory: '/usr/share/dput/helper/security-warning': '/usr/share/dput/helper/security-warning'
> Error: You've set a hook (pre_upload_command) to run (`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't appear to exist). Please verify the path and correct it.
> Uploading libreoffice_4.3.3-2+deb8u12.dsc
> Uploading libreoffice_4.3.3-2+deb8u12.debian.tar.xz
> Uploading libreoffice_4.3.3-2+deb8u12_amd64.deb
> [...]
> 
> i.e. it didn't find the `security-warning` file it's supposed to show
> and prompt the user but worse, it then just went on uploading the
> package normally.
> 
> The warning should be shown, and failing that, the upload should fail
> if the hook is missing.
> 
> Thanks for the nice work! :)

I've also been hit by this. And the problem seems to be the old-style
/etc/dput.cf, which overrides the dput-ng profiles. I've purged dput,
hoping this would help the next time.

FWIW, dput-ng comes with a protected-distribution hook that has the
same goal as security-warning.

Cheers,

 -- Santiago
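
A check for the situation described in this reply, as an added example that is not part of the original thread and is not code from dput or dput-ng: it scans old-style dput.cf text for `pre_upload_command` entries whose program cannot be found. The sample configuration is constructed, and `find_broken_hooks` is a hypothetical name.

```python
import configparser
import shlex
import shutil

# Constructed sample in the old-style dput.cf INI layout; only the
# pre_upload_command key, the helper path, the host and the queue
# directory are taken from the bug report.
SAMPLE_DPUT_CF = """\
[DEFAULT]
method = ftp

[security-master]
fqdn = ftp.security.upload.debian.org
incoming = /pub/SecurityUploadQueue
pre_upload_command = /usr/share/dput/helper/security-warning

[local]
fqdn = localhost
incoming = /srv/upload
pre_upload_command = sh -c "exit 0"
"""


def find_broken_hooks(config_text, resolve=shutil.which):
    """Return (section, program) for each pre_upload_command that cannot run."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    broken = []
    for section in parser.sections():
        command = parser.get(section, "pre_upload_command", fallback="")
        if not command.strip():
            continue
        program = shlex.split(command)[0]
        # shutil.which also accepts absolute paths and requires the execute
        # bit, so a path left behind by a removed package is reported.
        if resolve(program) is None:
            broken.append((section, program))
    return broken


if __name__ == "__main__":
    for section, program in find_broken_hooks(SAMPLE_DPUT_CF):
        print(f"[{section}] pre_upload_command points at missing {program}")
```

To audit a real system, pass the contents of /etc/dput.cf to `find_broken_hooks` in place of the sample.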


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 22 00:29:53 2024; Machine Name: buxtehude
