[dput-ng-maint] Bug#696659: Security uploads not working

Paul Tagliamonte paultag at debian.org
Wed Dec 26 15:35:46 UTC 2012


On Wed, Dec 26, 2012 at 04:05:19PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Dec 26, 2012 at 03:27:26PM +0100, Moritz Mühlenhoff wrote:
> > On Wed, Dec 26, 2012 at 01:24:42PM +0100, Arno Töll wrote:
> > > Hi,
> > > 
> > > On 26.12.2012 03:48, Paul Tagliamonte wrote:
> > > > Arno, can you ACK this change?
> > > 
> > > The patch itself is fine, but I believe a warning instead of an error
> > > would be more appropriate. You do logger.error, but you don't fail out
> > > which makes your error essentially a warning. Maybe it should be tagged
> > > as such.
> > > 
> > > 
> > > By the way Moritz: You as a security team member probably want to
> > > disable the "protected distribution" hook, prompting you for
> > > confirmation before every upload.
> > 
> > Thanks, I will try that with the next security upload tonight.
> 
> I can easily work around it, but just to let you know
> 
> It still fails for me if /etc/dput.cf is still present:

o.O 

> 
> jmm at pisco:~/chroots/squeeze/home/jmm/free$ ls -lha /usr/bin/dput
> -rwxr-xr-x 1 root root 4,5K Dez 26 15:33 /usr/bin/dput
> jmm at pisco:~/chroots/squeeze/home/jmm/free$ dput security-master freetype_2.4.2-2.1+squeeze5_amd64.changes
> Uploading freetype using ftp to security-master (host: security-master.debian.org; directory: /pub/SecurityUploadQueue)
> running allowed-distribution: check whether a local profile permits uploads to the target distribution
> running protected-distribution: warn before uploading to distributions where a special policy applies
> Protected Checker: Are you sure to upload to stable-security? Did you coordinate with the Security Team before your upload? [yes, NO]: yes
> Uploading with explicit confirmation by the user
> running checksum: verify checksums before uploading
> running suite-mismatch: check the target distribution for common errors
> running check-debs: makes sure the upload contains a binary package
> running gpg: check GnuPG signatures before the upload
> gpg: Unterschrift vom Mi 26 Dez 2012 16:00:19 CET mittels DSA-Schlüssel ID 4E2ECA5A
> gpg: Korrekte Unterschrift von "Moritz Muehlenhoff <jmm at debian.org>"
> gpg:                     alias "Moritz Muehlenhoff <jmm at inutil.org>"
> 
> Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory
> Traceback (most recent call last):
>   File "/usr/bin/dput", line 87, in <module>
>     upload_package(changes, args)
>   File "/usr/lib/python2.7/dist-packages/dput/uploader.py", line 275, in invoke_dput
>     simulate=args.simulate) as obj:
>   File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
>     return self.gen.next()
>   File "/usr/lib/python2.7/dist-packages/dput/uploader.py", line 157, in uploader
>     obj._pre_hook()
>   File "/usr/lib/python2.7/dist-packages/dput/uploader.py", line 64, in _pre_hook
>     self._run_hook("pre_upload_command")
>   File "/usr/lib/python2.7/dist-packages/dput/uploader.py", line 72, in _run_hook
>     sys.stdout.write(output)  # XXX: Fixme
> TypeError: expected a character buffer object
> 
> jmm at pisco:~/chroots/squeeze/home/jmm/free$ dpkg -l dput-ng
> Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
> | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
>          Halb installiert/Trigger erWartet/Trigger anhängig
> |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
> ||/ Name                       Version            Architektur        Beschreibung
> +++-==========================-==================-==================-=========================================================
> ii  dput-ng                    1.3                all                next generation Debian package upload tool
> 
> 
> Cheers,
>         Moritz
> 
> 

| [tag at leliel:~/dev/debian/git.d.o/fluxbox][10:30 AM]$ dput security-master fluxbox_1.3.2-4_amd64.changes -s
| Not uploading for real - dry run
| Uploading fluxbox using ftp to security-master (host: security-master.debian.org; directory: /pub/SecurityUploadQueue)
| running suite-mismatch: check the target distribution for common errors
| running checksum: verify checksums before uploading
| running protected-distribution: warn before uploading to distributions where a special policy applies
| running check-debs: makes sure the upload contains a binary package
| running allowed-distribution: check whether a local profile permits uploads to the target distribution
| Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory
| Error: You've set a hook (pre_upload_command) to run (`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't appear to exist). Please verify the path and correct it.
| Uploading fluxbox_1.3.2-4.dsc (simulation)
| Uploading fluxbox_1.3.2.orig.tar.gz (simulation)
| Uploading fluxbox_1.3.2-4.debian.tar.gz (simulation)
| Uploading fluxbox_1.3.2-4_amd64.deb (simulation)
| Uploading fluxbox_1.3.2-4_amd64.changes (simulation)

Seems OK here. Can you make sure something's not gone wrong with your install?
How did you install it? Did you upgrade python-dput too? That's where the fix
is :)

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte <paultag at debian.org>
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag
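
Added example (not dput-ng's code and not written by anyone in this thread): a hook runner that always returns a string, so a missing helper cannot end in the TypeError at sys.stdout.write(output) shown in the traceback, and that makes the warn-versus-abort choice Arno raises explicit. The names run_hook, pre_upload, HookError and fail_closed and the /nonexistent path are assumptions made for the illustration.

```python
import errno
import logging
import subprocess
import sys

logger = logging.getLogger("hook-demo")  # hypothetical logger name


class HookError(Exception):
    """A configured hook could not be started and the caller fails closed."""


def run_hook(command, fail_closed=False):
    """Run a hook (argv list) and always return its output as a string.

    If the executable is missing or not executable, either raise HookError
    (fail_closed=True) or log a warning and return "" so that the caller
    never hands a non-string to sys.stdout.write().
    """
    try:
        proc = subprocess.run(command, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True)
    except OSError as exc:
        if exc.errno not in (errno.ENOENT, errno.EACCES):
            raise
        msg = "hook %r is configured but cannot be executed: %s" % (
            command[0], exc.strerror)
        if fail_closed:
            raise HookError(msg)
        logger.warning(msg)  # warn and continue: the upload still happens
        return ""
    return proc.stdout


def pre_upload(command, fail_closed=False):
    """Return True if the upload may proceed after the pre-upload hook."""
    try:
        output = run_hook(command, fail_closed)
    except HookError as exc:
        logger.error("aborting upload: %s", exc)
        return False
    sys.stdout.write(output)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    missing = ["/nonexistent/constructed/security-warning"]  # constructed path
    print(pre_upload(missing), pre_upload(missing, fail_closed=True))
```

With fail_closed left at False the missing hook is only logged and the upload continues, which is the behaviour visible in the dry run above.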