[dput-ng-maint] Bug#708575: Bug#708575: Please prevent uploads of security packages to ftp-master
Thijs Kinkhorst
thijs at debian.org
Fri May 17 07:00:47 UTC 2013

Hi Arno,

> On 16.05.2013 21:52, Moritz Muehlenhoff wrote:
> > Please prevent the upload to ftp-master for packages with the
> > distribution in the changes file pointing to
> we do? Or rather: We give a warning and ask whether the user really
> intended to upload to security-master.

That's not the issue. The issue is someone preparing an upload with target
stable-security but accidentally typing "dput package.changes", that is,
uploading it to *ftp*master, which will happily accept and process it.
I've just confirmed that dput (1.4) doesn't stop this.

This is important to prevent: these mistakes turn out to happen quite a
lot and lead firstly to work on the part of the RT, but perhaps even more
importantly, may leak still-embargoed updates to a public place.

Old dput prevents this with an allowed-distributions = !.*-security line
in dput.cf for ftp-master.

> That said it could be we don't recognize all code name aliases pointing
> to stable-security. That's something we have on the radar though but
> it's not that easy to have a comprehensive since dak does not export
> anything consumable to us.

It would be important to support since we are recommending to use
codename-security instead of stable-security. Why not just use a wildcard
.*-security?

Cheers,
Thijs
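
As an added example (not part of the original message, and not dput's or dput-ng's own code): a pre-upload check that applies the wildcard rule quoted above to the Distribution field of a .changes file. Reading a leading "!" as negation is an assumption, and the host table, function names and sample .changes text are constructed for illustration.

```python
import re

# Constructed sample .changes content (not a real upload, signature omitted).
SAMPLE_CHANGES = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Source: examplepkg
Version: 1.0-1+deb7u1
Distribution: wheezy-security
Urgency: high
Changes:
 examplepkg (1.0-1+deb7u1) wheezy-security; urgency=high
"""

# Hypothetical per-host rule table; the pattern is the one quoted in the email.
HOST_RULES = {"ftp-master": "!.*-security"}


def distributions(changes_text):
    """Return the targets named in the top-level Distribution field."""
    for line in changes_text.splitlines():
        # Fields start in column 0; continuation lines (e.g. the Changes
        # body, which also names the suite) start with a space and are skipped.
        if line.lower().startswith("distribution:"):
            return line.split(":", 1)[1].split()
    raise ValueError("no Distribution field found")


def allowed(rule, distribution):
    """Apply one rule; a leading '!' negates the regex (assumed semantics)."""
    negate = rule.startswith("!")
    pattern = rule[1:] if negate else rule
    matched = re.fullmatch(pattern, distribution) is not None
    return matched != negate


def refused_targets(host, changes_text, rules=HOST_RULES):
    """Return the distributions this host must refuse (empty list: upload OK)."""
    rule = rules.get(host)
    if rule is None:
        return []  # no restriction configured for this host
    return [d for d in distributions(changes_text) if not allowed(rule, d)]


if __name__ == "__main__":
    blocked = refused_targets("ftp-master", SAMPLE_CHANGES)
    print("refuse upload:" if blocked else "upload ok", blocked)
```

Because the rule is a wildcard, codename-security targets are caught without a list of code name aliases.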