source-contains-unsafe-symlink src/github.com/prometheus/procfs/fixtures/26231/exe

Bug #1618215 reported by Curtis Hovey
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Won't Fix | High | Unassigned |
juju-release-tools | Fix Released | High | Curtis Hovey |

Bug Description

A run of
    lintian -I --pedantic
across the juju-core source package reveals
    E: juju-core source: source-contains-unsafe-symlink src/github.com/prometheus/procfs/fixtures/26231/exe

This issue is in an upstream Go package. Either upstream needs fixing, or juju needs to patch, or possibly the juju-release-tools/make-release-tarfile script purges the unsafe link.

Tags: packaging

Curtis Hovey (sinzui) wrote :

I added juju-release-tools because
    lintian -I --pedantic
should have been run on the package and the error raised.

Changed in juju:
status: Triaged → Invalid
Curtis Hovey (sinzui) wrote :

Alexis, this issue is a blocker to being in Ubuntu. The engineers need to decide how to correct the symlink. As they put the dangerous package into Juju, they need to decide how to remove it. If you advise for the release scripts to indiscriminately delete, they can. This is the downstream summary of the issue:

The source contains an unsafe symlink. If followed, the link will escape the source root. Note that all absolute symlinks are unconditionally considered "unsafe" in this case (unlike in binary packages).

Severity: serious, Certainty: possible

Check: cruft, Type: source

Changed in juju:
status: Invalid → Triaged
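
The rule in the lintian description above (absolute targets are always unsafe, relative targets are unsafe when they leave the source root), as an added example that is not part of the original report and is not lintian's own code. `find_unsafe_symlinks`, `build_sample_tree` and the link targets in the sample tree are assumptions made for illustration.

```python
import os
import tempfile


def find_unsafe_symlinks(root):
    """Return sorted (relative_path, target, reason) for unsafe symlinks under root."""
    root = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            rel = os.path.relpath(path, root)
            if os.path.isabs(target):
                # Absolute targets are unconditionally unsafe in a source tree.
                findings.append((rel, target, "absolute"))
                continue
            # Lexical resolution only (a simplification): works for dangling
            # links, but does not expand symlinked directories inside the target.
            resolved = os.path.normpath(os.path.join(dirpath, target))
            if os.path.commonpath([root, resolved]) != root:
                findings.append((rel, target, "escapes-root"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample; the layout echoes the reported path, targets are made up."""
    fix = os.path.join(base, "src", "fixtures", "26231")
    os.makedirs(fix)
    open(os.path.join(fix, "cmdline"), "w").close()
    os.symlink("/usr/bin/example", os.path.join(fix, "exe"))    # absolute: unsafe
    os.symlink("cmdline", os.path.join(fix, "alias"))           # stays inside: safe
    os.symlink("../../../../outside", os.path.join(fix, "up"))  # climbs above base
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, target, reason in find_unsafe_symlinks(build_sample_tree(tmp)):
            print(f"{reason}: {rel} -> {target}")
```
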
Curtis Hovey (sinzui) wrote :

<mgz> sinzui: yeah, seems to be, I see it referenced from the tests only - let's remove the whole fixtures dir?

Curtis Hovey (sinzui)
Changed in juju-release-tools:
assignee: nobody → Curtis Hovey (sinzui)
importance: Undecided → High
status: New → In Progress
Curtis Hovey (sinzui) wrote :
Changed in juju-release-tools:
status: In Progress → Fix Committed
Changed in juju:
milestone: 2.0-beta17 → 2.0-beta18
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.0-beta18 → 2.0-beta19
Changed in juju:
milestone: 2.0-beta19 → 2.0-rc1
Richard Harding (rharding) wrote :

Per sinzui:

Upstream has decided to ignore our request. I think we can close this as Won't Fix. We will never ship their tests.

Changed in juju:
status: Triaged → Won't Fix
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.0-rc1 → none
Curtis Hovey (sinzui)
Changed in juju-release-tools:
status: Fix Committed → Fix Released