Bug#1072816: sploitscan: Configuration files installed in Python modules directory
Hi Nilson,

I did not see your answer earlier since I was not subscribed to this bug (I am now). I am sorry for that.

>> I also noticed that local changes in report_template.html are not
>> preserved on package upgrades as required by Debian Policy 10.7.3.
> To avoid mistaken corrections, could you clarify this point with a
> practical example?

Luckily Debian tooling comes to your help. dpkg will take care of it for all files installed below /etc. Thus if you change sploitscan packaging to install all configuration files under /etc/sploitscan, dpkg will do the rest and make sure local changes are preserved on package upgrades. You can find more information on this topic (including more complicated situations) on [0].

>> 1. Looking at the sploitscan code [1], I suppose that the link
>> /usr/lib/python3/dist-packages/sploitscan/config.json ->
>> /etc/sploitscan/config.json
>> is not necessary (although I have not tested this).
>
> Will this answer your question?
> https://github.com/xaitax/SploitScan/issues/23

This confirms what I saw in the code.

If you have further questions, do not hesitate to ask.

Best regards,

Peter

[0] https://www.debian.org/doc/debian-policy/ap-pkg-conffiles.html
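Added example (not part of the thread, and not dpkg's or sploitscan's code): a simplified Python model of the hash comparison dpkg applies to a conffile on upgrade, as covered by the Policy appendix linked at [0], next to the unconditional overwrite that a file not marked as a conffile (for instance one under /usr/share/doc) receives. The function names, result labels and sample contents are constructed for illustration.

```python
import hashlib

def digest(data):
    """Hex MD5 of file content; None models a file that is absent on disk."""
    if data is None:
        return None
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def upgrade_action(is_conffile, old_pkg, new_pkg, local):
    """Simplified model (an assumption of this example) of a file's fate on upgrade.

    old_pkg / new_pkg: content shipped by the installed and the new package version
    local: content currently on disk, None if the administrator deleted it
    """
    if not is_conffile:
        return "overwrite"        # ordinary files are replaced unconditionally
    old_h, new_h, cur_h = digest(old_pkg), digest(new_pkg), digest(local)
    if cur_h is None:
        return "keep-deleted"     # a removed conffile is not reinstalled
    if cur_h == new_h:
        return "keep-local"       # on-disk content already equals the new version
    if cur_h == old_h:
        return "install-new"      # never edited locally: upgrade silently
    if new_h == old_h:
        return "keep-local"       # edited locally, unchanged by the maintainer
    return "prompt"               # both sides changed: ask the administrator

# Constructed sample contents standing in for report_template.html.
V1 = b"<html><body>report v1</body></html>\n"
V2 = b"<html><body>report v2</body></html>\n"
EDITED = b"<html><body>report v1, local branding</body></html>\n"

def demo():
    """Same local edit, with the file shipped as a non-conffile vs. a conffile."""
    return {
        "usr_share_doc": upgrade_action(False, V1, V2, EDITED),
        "etc_unchanged_upstream": upgrade_action(True, V1, V1, EDITED),
        "etc_changed_upstream": upgrade_action(True, V1, V2, EDITED),
        "etc_untouched": upgrade_action(True, V1, V2, V1),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

Only the first case loses the local edit without asking, which is the behaviour the bug report objects to for report_template.html.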
Processed: Re: Bug#1072816: sploitscan: Configuration files installed in Python modules directory
Processing control commands:

> reopen -1
Bug #1072816 {Done: Josenilson Ferreira da Silva } [sploitscan] sploitscan: Configuration files installed in Python modules directory
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions sploitscan/0.9.1-3.

--
1072816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1072816: sploitscan: Configuration files installed in Python modules directory
Control: reopen -1

On 2024-06-08 12:44:25, Peter Wienemann wrote:
> sploitscan installs configuration files in the system Python modules
> directory:
>
> /usr/lib/python3/dist-packages/sploitscan/templates/report_template.html
> /usr/lib/python3/dist-packages/sploitscan/config.json
>
> As per Debian Policy 10.7.2 configuration files must reside in /etc (or
> in case of multiple configuration files it is suggested to put them in a
> subdirectory named after the package).

Dear Maintainer,

in my opinion version 0.9.1-3 does not provide a proper fix for the above issue. Now the situation looks like this:

/usr/lib/python3/dist-packages/sploitscan/templates/report_template.html -> ../../../../../share/doc/sploitscan/templates/report_template.html
/usr/lib/python3/dist-packages/sploitscan/config.json -> /etc/sploitscan/config.json

From my point of view moving the report template (report_template.html) to the documentation directory (/usr/share/doc/sploitscan) is inappropriate. Putting example configuration files under /usr/share/doc/sploitscan is fine but putting a file that controls the behavior of the program under /usr/share/doc/sploitscan violates Debian Policy. I think this file is a configuration file in the sense of Debian Policy 10.7.1 rather than documentation and therefore must go into /etc or a subdirectory thereof. It seems that upstream has even arranged to put this file into this location [0].

I also noticed that local changes in report_template.html are not preserved on package upgrades as required by Debian Policy 10.7.3.

In addition I found two minor issues:

1. Looking at the sploitscan code [1], I suppose that the link
   /usr/lib/python3/dist-packages/sploitscan/config.json -> /etc/sploitscan/config.json
   is not necessary (although I have not tested this).

2. The changelog entry closing this bug -- debian/sploitscan.install: Files moved to usr/share (Closes: #1072816) -- and the corresponding commit message [2] do not properly describe the actual change being performed. The change includes moving only a single file to usr/share, it moves another file to etc/sploitscan and in addition it removes the installation of yet another file.

Best regards,

Peter

[0] https://salsa.debian.org/pkg-security-team/sploitscan/-/blob/605deb3647c2c43315e0cd6e83f447bd7fab35c2/sploitscan/sploitscan.py#L620
[1] https://salsa.debian.org/pkg-security-team/sploitscan/-/blob/605deb3647c2c43315e0cd6e83f447bd7fab35c2/sploitscan/sploitscan.py#L412
[2] https://salsa.debian.org/pkg-security-team/sploitscan/-/commit/ce316a01edd1bb6449424d3ad0227a59e07a7528
Bug#1072816: sploitscan: Configuration files installed in Python modules directory
Package: sploitscan
Version: 0.9.1-1
Severity: serious

Hi,

sploitscan installs configuration files in the system Python modules directory:

/usr/lib/python3/dist-packages/sploitscan/templates/report_template.html
/usr/lib/python3/dist-packages/sploitscan/config.json

As per Debian Policy 10.7.2 configuration files must reside in /etc (or in case of multiple configuration files it is suggested to put them in a subdirectory named after the package).

Best regards,

Peter