4 Do whatever is needed to get a security upload released
6 @contact: Debian FTP Master <ftpmaster@debian.org>
7 @copyright: 2010 Joerg Jaspert <joerg@debian.org>
8 @license: GNU General Public License version 2 or later
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 2 of the License, or
14 # (at your option) any later version.
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
21 # You should have received a copy of the GNU General Public License
22 # along with this program; if not, write to the Free Software
23 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 ################################################################################
28 ################################################################################
36 from daklib import queue
37 from daklib import daklog
38 from daklib import utils
39 from daklib.dbconn import *
40 from daklib.regexes import re_taint_free
41 from daklib.config import Config
49 print """Usage: dak security-install [OPTIONS] changesfiles
50 Do whatever there is to do for a security release
52 -h, --help show this help and exit
53 -n, --no-action don't commit changes
54 -s, --sudo dont bother, used internally
61 if not re_taint_free.match(command):
62 utils.fubar("Invalid character in \"%s\"." % (command))
64 if Options["No-Action"]:
65 print "[%s]" % (command)
67 (result, output) = commands.getstatusoutput(command)
69 utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result)
71 ##################### ! ! ! N O T E ! ! ! #####################
73 # These functions will be reinvoked by semi-privileged users; be careful not
74 # to invoke external programs that will escalate privileges, etc.
76 ##################### ! ! ! N O T E ! ! ! #####################
78 def sudo(arg, fn, exit):
80 os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H",
81 "/usr/local/bin/dak", "new-security-install", "-"+arg)
def do_Approve():
    """Run the approval step through sudo().

    Hands sudo() the option letter "A" (which it appends as "-A" when it
    re-invokes ``dak new-security-install`` as the dak user), the worker
    ``_do_Approve`` and ``True`` for its ``exit`` argument.
    """
    sudo("A", _do_Approve, True)
89 # 1. use process-policy to go through the COMMENTS dir
90 spawn("dak process-policy embargoed")
91 spawn("dak process-policy unembargoed")
93 print "Locking unchecked"
94 lockfile='/srv/security-master.debian.org/lock/unchecked.lock'
95 spawn("lockfile -r42 {0}".format(lockfile))
98 # 1. Install accepted packages
99 print "Installing accepted packages into security archive"
100 for queue in ("embargoed",):
101 spawn("dak process-policy {0}".format(queue))
103 # 3. Run all the steps that are needed to publish the changed archive
105 spawn("dak dominate")
106 # print "Generating filelist for apt-ftparchive"
107 # spawn("dak generate-filelist")
108 print "Updating Packages and Sources files... This may take a while, be patient"
109 spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh")
110 # spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
111 spawn("dak generate-packages-sources2 -a security")
112 print "Updating Release files..."
113 spawn("dak generate-releases -a security")
114 print "Triggering security mirrors... (this may take a while)"
115 spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh")
116 spawn("sudo -u archvsync -H /home/archvsync/signal_security")
117 print "Triggering metadata export for packages.d.o and other consumers"
118 spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh")
121 print "Lock released."
123 ########################################################################
124 ########################################################################
127 global Options, Logger, Queue, changes
130 Arguments = [('h', "Help", "Security::Options::Help"),
131 ('n', "No-Action", "Security::Options::No-Action"),
132 ('c', 'Changesfile', "Security::Options::Changesfile"),
133 ('s', "Sudo", "Security::Options::Sudo"),
134 ('A', "Approve", "Security::Options::Approve")
137 for i in ["Help", "No-Action", "Changesfile", "Sudo", "Approve"]:
138 if not cnf.has_key("Security::Options::%s" % (i)):
139 cnf["Security::Options::%s" % (i)] = ""
141 changes_files = apt_pkg.parse_commandline(cnf.Cnf, Arguments, sys.argv)
143 Options = cnf.subtree("Security::Options")
148 for a in changes_files:
149 if not a.endswith(".changes"):
150 utils.fubar("not a .changes file: %s" % (a))
152 changes = changesfiles.keys()
154 username = utils.getusername()
155 if username != "dak":
156 print "Non-dak user: %s" % username
157 Options["Sudo"] = "y"
159 if Options["No-Action"]:
162 if not Options["Sudo"] and not Options["No-Action"]:
163 Logger = daklog.Logger("security-install")
165 session = DBConn().session()
167 # If we call ourselves to approve, we do just that and exit
168 if Options["Approve"]:
172 if len(changes) == 0:
173 utils.fubar("Need changes files as arguments")
175 # Yes, we could do this inside do_Approve too. But this way we see who exactly
176 # called it (ownership of the file)
179 for change in changes:
180 dbchange=get_dbchange(os.path.basename(change), session)
181 # strip epoch from version
182 version=dbchange.version
183 version=version[(version.find(':')+1):]
184 acceptfilename="%s/COMMENTS/ACCEPT.%s_%s" % (os.path.dirname(os.path.abspath(changes[0])), dbchange.source, version)
185 acceptfiles[acceptfilename]=1
187 print "Would create %s now and then go on to accept this package, if you allow me to." % (acceptfiles.keys())
188 if Options["No-Action"]:
191 raw_input("Press Enter to continue")
193 for acceptfilename in acceptfiles.keys():
194 accept_file = file(acceptfilename, "w")
195 accept_file.write("OK\n")
201 if __name__ == '__main__':