Your message dated Fri, 16 Mar 2018 19:21:16 +0000 with message-id <[email protected]> and subject line Bug#890119: fixed in youtube-dl 2018.03.14-1 has caused the Debian Bug report #890119, regarding youtube-dl contains a (possibly-insecure) self-update mechanism to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
890119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: youtube-dl
Version: 2018.01.27-1
Severity: important
Tags: security upstream jessie stretch buster sid

Hi,

youtube-dl ships a self-update mechanism, accessible through the `--update` option.

This mechanism seems (correctly) defunct on Debian systems, as it is gated by a `isinstance(globals().get('__loader__'), zipimporter) or hasattr(sys, 'frozen')` check:

> $ youtube-dl --update
> It looks like you installed youtube-dl with a package manager, pip, setup.py
> or a tarball. Please use that to update.

However, it is not obvious how reliable this check is, and upstream's self-upgrade mechanism relies on a self-made (and quite possibly insecure) function for checking RSA signatures:
https://github.com/rg3/youtube-dl/blob/a072a12e249525f002646a921f16e14f03231662/youtube_dl/update.py#L17-L28

I suggest entirely removing the defunct option and corresponding code.

Best,

nicoo

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages youtube-dl depends on:
ii dpkg 1.19.0.5
ii python3 3.6.4-1
ii python3-pkg-resources 38.4.0-1

Versions of packages youtube-dl recommends:
ii ca-certificates 20170717
ii curl 7.58.0-2
ii ffmpeg 7:3.4.1-1+b2
ii mpv 0.27.0-2+b3
pn phantomjs <none>
pn rtmpdump <none>
ii wget 1.19.4-1

youtube-dl suggests no packages.

-- no debconf information
--- End Message ---
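The gate quoted in the report above can be exercised in isolation. The following is an added example, not code from youtube-dl or from the Debian package: it imports the same expression once from a plain `.py` file and once from a zip archive, and the module names `gate_demo_plain` and `gate_demo_zip` and both helper functions are hypothetical.

```python
import importlib
import os
import sys
import tempfile
import zipfile

# The expression quoted in the bug report, wrapped in a function so it is
# evaluated against the globals of whichever module it is loaded into.
GATE_SRC = (
    "import sys\n"
    "from zipimport import zipimporter\n"
    "def self_update_allowed():\n"
    "    return (isinstance(globals().get('__loader__'), zipimporter)\n"
    "            or hasattr(sys, 'frozen'))\n"
)


def load_gate(name, as_zip):
    """Import GATE_SRC as module `name` (hypothetical) from a plain file or
    from a zip archive and return what the gate evaluates to there."""
    with tempfile.TemporaryDirectory() as tmp:
        if as_zip:
            entry = os.path.join(tmp, name + ".zip")
            with zipfile.ZipFile(entry, "w") as zf:
                zf.writestr(name + ".py", GATE_SRC)
        else:
            entry = tmp
            with open(os.path.join(tmp, name + ".py"), "w") as fh:
                fh.write(GATE_SRC)
        sys.path.insert(0, entry)
        try:
            importlib.invalidate_caches()
            return importlib.import_module(name).self_update_allowed()
        finally:
            sys.path.remove(entry)
            sys.modules.pop(name, None)


def gate_results():
    """Evaluate the gate for both ways of loading the same source."""
    return {
        "plain_file": load_gate("gate_demo_plain", as_zip=False),
        "zip_archive": load_gate("gate_demo_zip", as_zip=True),
    }


if __name__ == "__main__":
    for how, allowed in gate_results().items():
        print(f"{how:12s} update code path reachable: {allowed}")
```

The result depends only on how the interpreter loaded the module, not on which tool installed it.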
--- Begin Message ---
Source: youtube-dl
Source-Version: 2018.03.14-1

We believe that the bug you reported is fixed in the latest version of youtube-dl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rogério Brito <[email protected]> (supplier of updated youtube-dl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 16 Mar 2018 15:55:33 -0300
Source: youtube-dl
Binary: youtube-dl
Architecture: source all
Version: 2018.03.14-1
Distribution: unstable
Urgency: medium
Maintainer: Rogério Brito <[email protected]>
Changed-By: Rogério Brito <[email protected]>
Description:
 youtube-dl - downloader of videos from YouTube and other sites
Closes: 693534 890119 891446
Changes:
 youtube-dl (2018.03.14-1) unstable; urgency=medium
 .
   [ Andreas Tille ]
   * cme fix dpkg-control
   * Moved packaging to salsa.debian.org
 .
   [ Nicolas Braud-Santoni ]
   * d/p/remove-autoupdate-mechanism.patch:
     Remove upstream's autoupdate mechanism (Closes: #693534, #890119)
 .
   [ Rogério Brito ]
   * New upstream version 2018.01.27
   * New upstream version 2018.03.14
   * debian/copyright:
     + Update my copyright years.
   * debian/{compat,control}:
     + Reluctantly update compat to 11.
   * debian/control:
     + Add Recommends: python3-pyxattr.
       Thanks to Mathieu Malaterre for the report. (Closes: #891446)
     + Update long description with list of supported sites/extractors.
   * debian/patches:
     + remove-autoupdate-mechanism.patch: Update patch with metadata at the top.
     + fix_libav_compat_outdated.patch: Refresh.
     + remove-autoupdate-mechanism.patch: Refresh.
     + remove-autoupdate-mechanism.patch: Remove fewer things to avoid future conflicts.
     + remove-autoupdate-mechanism.patch: Update metadata and rename to disable-autoupdate-mechanism.patch
     + Refresh all patches with gbp pq.
--- End Message ---

