#921750 security-warning hook not found, fails open

#921750#5
Date: 2019-02-08 20:18:55 UTC

Hi!

I tried switching to dput-ng again, and here's what happened:

anarcat@curie:dist$ dput security-master libreoffice_4.3.3-2+deb8u12_amd64.changes
Uploading libreoffice using ftp to security-master (host: ftp.security.upload.debian.org; directory: /pub/SecurityUploadQueue)
running allowed-distribution: check whether a local profile permits uploads to the target distribution
running protected-distribution: warn before uploading to distributions where a special policy applies
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running gpg: check GnuPG signatures before the upload
Could not execute /usr/share/dput/helper/security-warning: [Errno 2] No such file or directory: '/usr/share/dput/helper/security-warning': '/usr/share/dput/helper/security-warning'
Error: You've set a hook (pre_upload_command) to run (`/usr/share/dput/helper/security-warning`), but it can't be found (and doesn't appear to exist). Please verify the path and correct it.
Uploading libreoffice_4.3.3-2+deb8u12.dsc
Uploading libreoffice_4.3.3-2+deb8u12.debian.tar.xz
Uploading libreoffice_4.3.3-2+deb8u12_amd64.deb
[...]

i.e. it didn't find the `security-warning` file it's supposed to show
and prompt the user, but worse, it then just went on uploading the
package normally.

The warning should be shown, and failing that, the upload should fail
if the hook is missing.

Thanks for the nice work! :)

A.

#921750#10
Date: 2024-03-22 17:23:08 UTC

I've also been hit by this. And the problem seems to be the old-style
/etc/dput.cf, which overrides the dput-ng profiles. I've purged dput,
hoping this would help the next time.

FWIW, dput-ng comes with a protected-distribution hook that has the
same goal as security-warning.

Cheers,
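
An added example, not part of the bug report and not code from dput or dput-ng: a preflight check for the situation described in both messages above, where an old-style /etc/dput.cf names a `pre_upload_command` that is not installed. It lists hooks whose program cannot be found and refuses the upload instead of continuing; the function names and the sample config are constructed for illustration, and `post_upload_command` is included as the matching dput.cf hook key.

```python
import configparser
import shlex
import shutil

HOOK_KEYS = ("pre_upload_command", "post_upload_command")

# Constructed sample in the old-style dput.cf INI layout (not from a real host).
SAMPLE_DPUT_CF = """\
[DEFAULT]
method = ftp

[security-master]
fqdn = ftp.security.upload.debian.org
incoming = /pub/SecurityUploadQueue
pre_upload_command = /usr/share/dput/helper/security-warning

[local]
fqdn = localhost
pre_upload_command = /bin/sh -c true
"""


def missing_hooks(cf_text, resolve=shutil.which):
    """Return (section, key, program) for each hook whose program is not executable."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %(fqdn)s literal
    parser.read_string(cf_text)
    missing = []
    for section in parser.sections():
        for key in HOOK_KEYS:
            command = parser.get(section, key, fallback="").strip()
            if not command:
                continue
            program = shlex.split(command)[0]  # hook may carry arguments
            if resolve(program) is None:
                missing.append((section, key, program))
    return missing


def preflight(cf_text, host, resolve=shutil.which):
    """Fail closed: raise instead of uploading when a hook for `host` is missing."""
    broken = [m for m in missing_hooks(cf_text, resolve) if m[0] == host]
    if broken:
        raise RuntimeError(f"refusing upload to {host}: missing hook(s) {broken}")
    return True


if __name__ == "__main__":
    for section, key, program in missing_hooks(SAMPLE_DPUT_CF):
        print(f"[{section}] {key}: {program} not found")
```

To audit a real machine, pass the contents of /etc/dput.cf as `cf_text`.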