Control: reopen -1
On 2024-06-08 12:44:25, Peter Wienemann wrote:
> sploitscan installs configuration files in the system Python modules
> directory:
> /usr/lib/python3/dist-packages/sploitscan/templates/report_template.html
> /usr/lib/python3/dist-packages/sploitscan/config.json
> As per Debian Policy 10.7.2 configuration files must reside in /etc (or
> in case of multiple configuration files it is suggested to put them in
> a subdirectory named after the package).
Dear Maintainer,
in my opinion version 0.9.1-3 does not provide a proper fix for the
above issue. Now the situation looks like this:
/usr/lib/python3/dist-packages/sploitscan/templates/report_template.html
  -> ../../../../../share/doc/sploitscan/templates/report_template.html
/usr/lib/python3/dist-packages/sploitscan/config.json
  -> /etc/sploitscan/config.json
From my point of view moving the report template (report_template.html)
to the documentation directory (/usr/share/doc/sploitscan) is
inappropriate. Putting example configuration files under
/usr/share/doc/sploitscan is fine but putting a file that controls the
behavior of the program under /usr/share/doc/sploitscan violates Debian
Policy. I think this file is a configuration file in the sense of Debian
Policy 10.7.1 rather than documentation and therefore must go into /etc
or a subdirectory thereof. It seems that upstream has even arranged to
put this file into this location [0].
I also noticed that local changes in report_template.html are not
preserved on package upgrades as required by Debian Policy 10.7.3.
In addition I found two minor issues:
1. Looking at the sploitscan code [1], I suppose that the link
/usr/lib/python3/dist-packages/sploitscan/config.json ->
/etc/sploitscan/config.json
is not necessary (although I have not tested this).
2. The changelog entry closing this bug
----------------------------------------------------------------------
debian/sploitscan.install: Files moved to usr/share (Closes: #1072816)
----------------------------------------------------------------------
and the corresponding commit message [2] do not properly describe the
actual change being performed. The change moves only a single file to
usr/share; it moves another file to etc/sploitscan and, in addition,
removes the installation of yet another file.
Best regards,
Peter
[0] https://salsa.debian.org/pkg-security-team/sploitscan/-/blob/605deb3647c2c43315e0cd6e83f447bd7fab35c2/sploitscan/sploitscan.py#L620
[1] https://salsa.debian.org/pkg-security-team/sploitscan/-/blob/605deb3647c2c43315e0cd6e83f447bd7fab35c2/sploitscan/sploitscan.py#L412
[2] https://salsa.debian.org/pkg-security-team/sploitscan/-/commit/ce316a01edd1bb6449424d3ad0227a59e07a7528
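Added example, not part of this bug report or of the sploitscan package: the Policy 10.7.3 point above (local edits must survive upgrades) comes down to whether dpkg has registered the file as a conffile, which only happens for files shipped under /etc and recorded in the package's Conffiles field. The POSIX shell check below parses such a field and compares the installed file with the shipped md5, so a maintainer can verify that a file like report_template.html would actually be preserved rather than overwritten. To keep it runnable offline it builds a constructed fake root and a constructed Conffiles record; the file contents and the helper names (conffile_status, make_demo_root, demo_conffiles_field, run_demo) are assumptions for the demonstration. On a real system the field comes from `dpkg-query --showformat='${Conffiles}' --show sploitscan` and ROOT is left empty.

```shell
#!/bin/sh
# Added example (not from the bug report or the sploitscan package).
# dpkg preserves local edits across upgrades only for files registered as
# conffiles; a file copied into /usr (or even /etc) without a Conffiles
# record is replaced silently on the next upgrade.
#
# Real usage, with an empty ROOT for the live system:
#   conffile_status "$(dpkg-query --showformat='${Conffiles}' --show sploitscan)" \
#                   /etc/sploitscan/config.json ""

# conffile_status CONFFILES_FIELD PATH ROOT
# Prints one of: not-conffile | conffile-missing | conffile-unmodified | conffile-modified
conffile_status() {
    cf_field=$1; cf_path=$2; cf_root=$3
    # Each Conffiles line looks like " <path> <md5>" (a trailing "obsolete"
    # flag may follow); awk's default splitting skips the leading blank.
    cf_shipped=$(printf '%s\n' "$cf_field" | awk -v p="$cf_path" '$1 == p { print $2; exit }')
    if [ -z "$cf_shipped" ]; then
        echo not-conffile
        return 0
    fi
    if [ ! -f "$cf_root$cf_path" ]; then
        echo conffile-missing
        return 0
    fi
    cf_current=$(md5sum "$cf_root$cf_path" | awk '{ print $1 }')
    if [ "$cf_current" = "$cf_shipped" ]; then
        echo conffile-unmodified
    else
        echo conffile-modified
    fi
}

# Constructed scenario: a fake root where config.json lives in /etc and
# report_template.html is shipped under /usr/lib with no conffile record.
# File contents are placeholders, not the real sploitscan files.
make_demo_root() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/etc/sploitscan" \
             "$demo_root/usr/lib/python3/dist-packages/sploitscan/templates"
    printf '{"example": "shipped"}\n' > "$demo_root/etc/sploitscan/config.json"
    printf '<html><body>shipped template</body></html>\n' \
        > "$demo_root/usr/lib/python3/dist-packages/sploitscan/templates/report_template.html"
    echo "$demo_root"
}

# Constructed Conffiles field: only config.json is registered, keyed on the
# md5 of the shipped version (computed here instead of hard-coded).
demo_conffiles_field() {
    printf ' /etc/sploitscan/config.json %s\n' \
        "$(md5sum "$1/etc/sploitscan/config.json" | awk '{ print $1 }')"
}

# Walk through the cases the report is concerned with and print path=status.
run_demo() {
    demo=$(make_demo_root)
    field=$(demo_conffiles_field "$demo")
    tmpl=/usr/lib/python3/dist-packages/sploitscan/templates/report_template.html

    printf 'config.json (pristine): %s\n' \
        "$(conffile_status "$field" /etc/sploitscan/config.json "$demo")"

    # An administrator edits the file; dpkg would keep this on upgrade.
    printf '{"example": "edited locally"}\n' > "$demo/etc/sploitscan/config.json"
    printf 'config.json (edited):   %s\n' \
        "$(conffile_status "$field" /etc/sploitscan/config.json "$demo")"

    # The template has no conffile record, so a local edit would be lost.
    printf 'report_template.html:   %s\n' \
        "$(conffile_status "$field" "$tmpl" "$demo")"

    rm -rf "$demo"
}

run_demo
```

The same comparison can be made against a live system by feeding the real dpkg-query output into conffile_status; a result of not-conffile for a file the program reads as configuration is exactly the Policy 10.7.3 problem described above.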