3 # Wrapper for Debian Security team
4 # Copyright (C) 2006 Anthony Towns <ajt@debian.org>
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
21 ################################################################################
23 import daklib.queue, daklib.logging, daklib.utils, daklib.database
24 import apt_pkg, os, sys, pwd, time, re, commands
# Allow-list for command strings: the whole string must consist of single
# quotes, '/', ';', '-', '+', '.', whitespace and word characters.
# NOTE(review): further down this listing the pattern is matched against a
# command that is then run with commands.getstatusoutput(), i.e. through a
# shell. ';' (command separator) and "'" (quoting) are both accepted, so the
# check does not stop a value interpolated into the command string from
# adding a second command. Executing an argument list without a shell would
# remove the need for a character filter.
26 re_taint_free = re.compile(r"^['/;\-\+\.\s\w]+$");
# NOTE(review): presumably the body of the start-up function; its def line
# and several other source lines are missing from this listing.
38 global Cnf, Upload, Options, Logger
# Load the dak configuration and force the No-Mail option on.
40 Cnf = daklib.utils.get_conf()
41 Cnf["Dinstall::Options::No-Mail"] = "y"
# Option table handed to apt_pkg.ParseCommandLine below: short flag, long
# flag, configuration key. A ' ' short flag appears to mark long-only options.
42 Arguments = [('h', "help", "Security-Install::Options::Help"),
43 ('a', "automatic", "Security-Install::Options::Automatic"),
44 ('n', "no-action", "Security-Install::Options::No-Action"),
45 ('s', "sudo", "Security-Install::Options::Sudo"),
46 (' ', "no-upload", "Security-Install::Options::No-Upload"),
47 (' ', "drop-advisory", "Security-Install::Options::Drop-Advisory"),
48 ('A', "approve", "Security-Install::Options::Approve"),
49 ('R', "reject", "Security-Install::Options::Reject"),
50 ('D', "disembargo", "Security-Install::Options::Disembargo") ]
# Parse sys.argv; the value kept in `arguments` is checked for emptiness below.
55 arguments = apt_pkg.ParseCommandLine(Cnf, Arguments, sys.argv)
57 Options = Cnf.SubTree("Security-Install::Options")
# Look up the passwd entry for `whoami` (assigned on a line not shown here)
# and report the login name, field 0 of the entry.
60 whoamifull = pwd.getpwuid(whoami)
61 username = whoamifull[0]
63 print "Non-dak user: %s" % username
# At least one argument is required.
70 if len(arguments) == 0:
71 daklib.utils.fubar("Process what?")
73 Upload = daklib.queue.Upload(Cnf)
# A Logger is created only when neither Sudo nor No-Action is set.
74 if not Options["Sudo"] and not Options["No-Action"]:
75 Logger = Upload.Logger = daklib.logging.Logger(Cnf, "new-security-install")
# Set the globals `advisory` and `changes` from the command-line arguments
# and return null_adv_changes.
# A first argument that does not end in ".changes" is recorded as an advisory
# id; the remaining arguments must be .changes files, and an "adv id" found
# in a loaded record is recorded as well. More than one distinct id is fatal.
# Several source lines (loop headers, initialisations, some conditions) are
# missing from this listing.
# NOTE(review): the advisory id is taken as-is from the command line or from
# a record's "adv id" field; no character check on it is visible here, and
# other parts of the file interpolate it into file paths. Confirm that path
# separators and ".." are rejected before it is used.
84 def load_args(arguments):
85 global advisory, changes
88 if not arguments[0].endswith(".changes"):
89 adv_ids [arguments[0]] = 1
90 arguments = arguments[1:]
# The condition guarding this error is not shown; per the message, arguments
# must name files in the current directory.
97 daklib.utils.fubar("can only deal with files in the current directory")
98 if not a.endswith(".changes"):
99 daklib.utils.fubar("not a .changes file: %s" % (a))
101 Upload.pkg.changes_file = a
103 if "adv id" in Upload.pkg.changes:
105 adv_ids[Upload.pkg.changes["adv id"]] = 1
# presumably the else branch: files without an advisory id - TODO confirm
107 null_adv_changes.append(a)
109 adv_ids = adv_ids.keys()
111 daklib.utils.fubar("multiple advisories selected: %s" % (", ".join(adv_ids)))
115 advisory = adv_ids[0]
117 changes = changesfiles.keys()
118 return null_adv_changes
# Scan the current directory for .changes files and fold them into the
# globals: a file not yet in `changes` is appended, and srcverarches records
# the architectures seen for each "source version" key.
# The statements that follow the two "adv id" tests are not shown in this
# listing; presumably a file with no id, or with an id other than `advisory`,
# is skipped - TODO confirm.
120 def load_adv_changes():
121 global srcverarches, changes
123 for c in os.listdir("."):
124 if not c.endswith(".changes"): continue
126 Upload.pkg.changes_file = c
128 if "adv id" not in Upload.pkg.changes:
130 if Upload.pkg.changes["adv id"] != advisory:
133 if c not in changes: changes.append(c)
134 srcver = "%s %s" % (Upload.pkg.changes["source"],
135 Upload.pkg.changes["version"])
136 srcverarches.setdefault(srcver, {})
137 for arch in Upload.pkg.changes["architecture"].keys():
138 srcverarches[srcver][arch] = 1
# Print the advisory id and, for a "source version" key of srcverarches, the
# architectures recorded for it. The enclosing def line and the loop header
# are not shown in this listing.
142 print "Advisory: %s" % (advisory)
148 svs = srcverarches.keys()
# NOTE: `as` is a reserved word from Python 2.6 on, so this line only parses
# on older interpreters.
151 as = srcverarches[sv].keys()
153 print " %s (%s)" % (sv, ", ".join(as))
# Ask the operator to choose one of `opts`.
# Each option is shown with its first letter in brackets. The Automatic
# option is tested before any input is read (the statement it guards is not
# shown). `default` is appended to what the operator types, so an empty reply
# still carries the default - presumably only the first character is used
# afterwards; TODO confirm.
155 def prompt(opts, default):
161 p += ", [%s]%s" % (o[0], o[1:])
167 if Options["Automatic"]:
171 a = daklib.utils.our_raw_input(p) + default
# Attach extra .changes files to the current advisory.
# For a changes file `c` (the loop header is not shown): record its
# source/version and architectures in srcverarches, set the record's "adv id"
# to the global `advisory`, and write the record back with Upload.dump_vars()
# into the current working directory.
176 def add_changes(extras):
180 Upload.pkg.changes_file = c
182 srcver = "%s %s" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
183 srcverarches.setdefault(srcver, {})
184 for arch in Upload.pkg.changes["architecture"].keys():
185 srcverarches[srcver][arch] = 1
186 Upload.pkg.changes["adv id"] = advisory
187 Upload.dump_vars(os.getcwd())
# Fragments of two helpers whose def lines are not shown in this listing.
# Yes/no question: Automatic mode answers True without asking; otherwise the
# reply is lower-cased, and an unrecognised reply prints the message below.
190 if Options["Automatic"]: return True
192 answer = daklib.utils.our_raw_input(prompt + " ").lower()
195 print "Invalid answer; please try again."
# Upload step: honours No-Upload; the other visible path only prints a
# message (marked XXX by the author).
198 if Options["No-Upload"]:
199 print "Not uploading as requested"
202 print "Would upload to ftp-master" # XXX
# Build the advisory text from the template file `template`.
# For a changes file (the loop header is not shown) the files to publish are
# collected per suite and architecture with their md5, size and pool path;
# a substitution map is then filled and the template is expanded with
# daklib.utils.TemplateSubst. The return statement is not shown in this
# listing.
# NOTE(review): each file is listed with size and MD5 only, under an http://
# URL. MD5 is not collision-resistant, so these values are an integrity hint
# and should not be the only check a reader relies on.
204 def generate_advisory(template):
205 global changes, advisory
208 updated_pkgs = {}; # updated_pkgs[distro][arch][file] = {path,md5,size}
# Pass the argument through daklib.utils.validate_changes_file_arg, load the
# record, and remember "source (version)" once in adv_packages.
211 arg = daklib.utils.validate_changes_file_arg(arg)
212 Upload.pkg.changes_file = arg
216 src = Upload.pkg.changes["source"]
217 src_ver = "%s (%s)" % (src, Upload.pkg.changes["version"])
218 if src_ver not in adv_packages:
219 adv_packages.append(src_ver)
221 suites = Upload.pkg.changes["distribution"].keys()
223 if not updated_pkgs.has_key(suite):
224 updated_pkgs[suite] = {}
# Files named in the upload: record md5, size and pool path under
# suite/architecture. The pool path of the .dsc is kept for the entries
# recorded from dsc_files further down.
226 files = Upload.pkg.files
227 for file in files.keys():
228 arch = files[file]["architecture"]
229 md5 = files[file]["md5sum"]
230 size = files[file]["size"]
231 poolname = Cnf["Dir::PoolRoot"] + \
232 daklib.utils.poolify(src, files[file]["component"])
233 if arch == "source" and file.endswith(".dsc"):
234 dscpoolname = poolname
236 if not updated_pkgs[suite].has_key(arch):
237 updated_pkgs[suite][arch] = {}
238 updated_pkgs[suite][arch][file] = {
239 "md5": md5, "size": size, "poolname": poolname }
# Files referenced by the .dsc. Entries without a "files id" are handled
# separately from those already in the pool (the statement is not shown).
241 dsc_files = Upload.pkg.dsc_files
242 for file in dsc_files.keys():
244 if not dsc_files[file].has_key("files id"):
247 # otherwise, it's already in the pool and needs to be
249 md5 = dsc_files[file]["md5sum"]
250 size = dsc_files[file]["size"]
252 if not updated_pkgs[suite].has_key(arch):
253 updated_pkgs[suite][arch] = {}
254 updated_pkgs[suite][arch][file] = {
255 "md5": md5, "size": size, "poolname": dscpoolname }
# Name the advisory's author: the uid comes from SUDO_UID when that variable
# is set (the fallback is not shown); passwd field 4 is the GECOS field, of
# which the part before the first comma is used.
# NOTE(review): SUDO_UID is read from the environment, so it identifies the
# caller only when the process really was started through sudo.
257 if os.environ.has_key("SUDO_UID"):
258 whoami = long(os.environ["SUDO_UID"])
261 whoamifull = pwd.getpwuid(whoami)
262 username = whoamifull[4].split(",")[0]
265 "__ADVISORY__": advisory,
266 "__WHOAMI__": username,
267 "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())),
268 "__PACKAGE__": ", ".join(adv_packages),
269 "__DAK_ADDRESS__": Cnf["Dinstall::MyEmailAddress"]
272 if Cnf.has_key("Dinstall::Bcc"):
273 Subst["__BCC__"] = "Bcc: %s" % (Cnf["Dinstall::Bcc"])
# One section per suite: an underlined header, the list of architectures
# ("source" is removed from the list before it is printed), then the files
# grouped as source, "all", and each remaining architecture.
276 archive = Cnf["Archive::%s::PrimaryMirror" % (daklib.utils.where_am_i())]
277 for suite in updated_pkgs.keys():
278 ver = Cnf["Suite::%s::Version" % suite]
279 if ver != "": ver += " "
280 suite_header = "%s %s(%s)" % (Cnf["Dinstall::MyDistribution"],
282 adv += "%s\n%s\n\n" % (suite_header, "-"*len(suite_header))
284 arches = Cnf.ValueList("Suite::%s::Architectures" % suite)
285 if "source" in arches:
286 arches.remove("source")
291 adv += "%s updates are available for %s.\n\n" % (
292 suite.capitalize(), daklib.utils.join_with_commas_and(arches))
294 for a in ["source", "all"] + arches:
295 if not updated_pkgs[suite].has_key(a):
299 adv += "Source archives:\n\n"
301 adv += "Architecture independent packages:\n\n"
303 adv += "%s architecture (%s)\n\n" % (a,
304 Cnf["Architectures::%s" % a])
# URL, size and MD5 of every file recorded for this suite/architecture.
306 for file in updated_pkgs[suite][a].keys():
307 adv += " http://%s/%s%s\n" % (
308 archive, updated_pkgs[suite][a][file]["poolname"], file)
309 adv += " Size/MD5 checksum: %8s %s\n" % (
310 updated_pkgs[suite][a][file]["size"],
311 updated_pkgs[suite][a][file]["md5"])
# The per-suite text becomes __ADVISORY_TEXT__ and the template is expanded.
315 Subst["__ADVISORY_TEXT__"] = adv
317 adv = daklib.utils.TemplateSubst(Subst, template)
# NOTE(review): presumably the body of spawn(command); the def line is not
# shown in this listing.
# Refuse any command string that fails the re_taint_free allow-list.
# NOTE(review): that allow-list accepts ';' and "'", and callers build
# `command` by string interpolation, so the shell invoked below still parses
# those values. Passing an argument list to a non-shell API would avoid
# relying on the character filter.
322 if not re_taint_free.match(command):
323 daklib.utils.fubar("Invalid character in \"%s\"." % (command))
# No-Action mode only prints the command.
325 if Options["No-Action"]:
326 print "[%s]" % (command)
# commands.getstatusoutput() runs the string through a shell and returns
# (status, output); the condition guarding the failure report is not shown.
328 (result, output) = commands.getstatusoutput(command)
330 daklib.utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result)
333 ##################### ! ! ! N O T E ! ! ! #####################
335 # These functions will be reinvoked by semi-privileged users, be careful not
336 # to invoke external programs that will escalate privileges, etc.
338 ##################### ! ! ! N O T E ! ! ! #####################
# Re-run this tool as user "dak" through sudo with the action flag "-<arg>"
# and the current advisory id. The lines that use `fn` and `exit`, and the
# condition guarding the fubar() call, are not shown in this listing.
# os.spawnl is given an absolute sudo path and an argument vector, so no
# shell parses the values; "--" precedes the advisory id so that a leading
# '-' in the id is not read as an option.
# NOTE(review): "/usr/local/bin/dak new-security-install" is passed as a
# single argv element containing a space - confirm that this matches what
# the sudoers entry expects.
340 def sudo(arg, fn, exit):
343 daklib.utils.fubar("Must set advisory name")
344 os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H",
345 "/usr/local/bin/dak new-security-install", "-"+arg, "--", advisory)
# Approve the advisory. do_Approve hands the work to sudo(); the numbered
# steps below are presumably the body of _do_Approve, whose def line is not
# shown in this listing.
351 def do_Approve(): sudo("A", _do_Approve, True)
353 # 1. dump advisory in drafts
# NOTE(review): `advisory` is interpolated into the draft path unchanged;
# confirm it cannot contain '/' or '..' before this step runs.
354 draft = "/org/security.debian.org/advisories/drafts/%s" % (advisory)
355 print "Advisory in %s" % (draft)
356 if not Options["No-Action"]:
# Use ./advisory.<id> when it exists, otherwise the stock template.
357 adv_file = "./advisory.%s" % (advisory)
358 if not os.path.exists(adv_file):
359 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
# O_CREAT|O_EXCL makes the open fail if the draft path already exists, so an
# existing file or a pre-planted symlink is never written through. Mode 0664
# is subject to the process umask.
360 adv_fd = os.open(draft, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0664)
361 os.write(adv_fd, generate_advisory(adv_file))
365 # 2. run dak process-accepted on changes
366 print "Accepting packages..."
# NOTE(review): the .changes names are joined into one shell command string;
# spawn() only applies the re_taint_free character check, which accepts ';'.
367 spawn("dak process-accepted -pa %s" % (" ".join(changes)))
369 # 3. run dak make-suite-file-list / apt-ftparchive / dak generate-releases
370 print "Updating file lists for apt-ftparchive..."
371 spawn("dak make-suite-file-list")
372 print "Updating Packages and Sources files..."
373 spawn("apt-ftparchive generate %s" % (daklib.utils.which_apt_conf_file()))
374 print "Updating Release files..."
375 spawn("dak generate-releases")
376 print "Triggering security mirrors..."
# A further sudo hop to the archvsync account, named by bare command and
# therefore resolved through the shell's PATH.
377 spawn("sudo -u archvsync /home/archvsync/signal_security")
379 # 4. chdir to done - do upload
380 if not Options["No-Action"]:
381 os.chdir(Cnf["Dir::Queue::Done"])
# Disembargo the advisory's uploads. do_Disembargo hands the work to sudo();
# _do_Disembargo does it. Loop headers and some statements are missing from
# this listing.
384 def do_Disembargo(): sudo("D", _do_Disembargo, True)
385 def _do_Disembargo():
# Only valid when the working directory is the embargoed queue directory.
386 if os.getcwd() != Cnf["Dir::Queue::Embargoed"].rstrip("/"):
387 daklib.utils.fubar("Can only disembargo from %s" % Cnf["Dir::Queue::Embargoed"])
389 dest = Cnf["Dir::Queue::Unembargoed"]
390 emb_q = daklib.database.get_or_set_queue_id("embargoed")
391 une_q = daklib.database.get_or_set_queue_id("unembargoed")
394 print "Disembargoing %s" % (c)
397 Upload.pkg.changes_file = c
# Source uploads are recorded in the disembargo table.
# NOTE(review): source and version come from the upload's changes record and
# are pasted between quotes in the SQL text; a quote character in either
# value would change the statement. Escape them, or use the database layer's
# parameter binding if it has one.
400 if "source" in Upload.pkg.changes["architecture"].keys():
401 print "Adding %s %s to disembargo table" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
402 Upload.projectB.query("INSERT INTO disembargo (package, version) VALUES ('%s', '%s')" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"]))
# Collect the queue-build paths of the upload's files. The statement guarded
# by the QueueBuildSuites test is not shown; the suite name is appended to
# the directory when Dinstall::SecurityQueueBuild is true.
405 for suite in Upload.pkg.changes["distribution"].keys():
406 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
408 dest_dir = Cnf["Dir::QueueBuild"]
409 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
410 dest_dir = os.path.join(dest_dir, suite)
411 for file in Upload.pkg.files.keys():
412 files[os.path.join(dest_dir, file)] = 1
# Move the queue_build rows from the embargoed to the unembargoed queue
# inside one transaction.
# NOTE(review): the file path is pasted between quotes in the SQL text, with
# the same quoting concern as the INSERT above.
415 Upload.projectB.query("BEGIN WORK")
417 Upload.projectB.query("UPDATE queue_build SET queue = %s WHERE filename = '%s' AND queue = %s" % (une_q, f, emb_q))
418 Upload.projectB.query("COMMIT WORK")
# Copy the upload's files, the .changes file and `k` (assigned on a line not
# shown) into the unembargoed directory.
420 for file in Upload.pkg.files.keys():
421 daklib.utils.copy(file, os.path.join(dest, file))
425 daklib.utils.copy(c, os.path.join(dest, c))
428 daklib.utils.copy(k, os.path.join(dest, k))
# Reject the advisory's uploads. do_Reject hands the work to sudo(); the
# lines below are presumably the body of _do_Reject, whose def line and loop
# headers are not shown in this listing.
431 def do_Reject(): sudo("R", _do_Reject, True)
435 print "Rejecting %s..." % (c)
437 Upload.pkg.changes_file = c
# Collect the queue-build paths of the upload's files. The statement guarded
# by the QueueBuildSuites test is not shown; the suite name is appended to
# the directory when Dinstall::SecurityQueueBuild is true.
440 for suite in Upload.pkg.changes["distribution"].keys():
441 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
443 dest_dir = Cnf["Dir::QueueBuild"]
444 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
445 dest_dir = os.path.join(dest_dir, suite)
446 for file in Upload.pkg.files.keys():
447 files[os.path.join(dest_dir, file)] = 1
451 aborted = Upload.do_reject()
# c[:-8] drops the 8-character ".changes" suffix to name the .katie file.
453 os.unlink(c[:-8]+".katie")
# NOTE(review): the file path is pasted between quotes in the SQL text; a
# quote character in it would change the statement. Escape it, or use the
# database layer's parameter binding if it has one.
455 Upload.projectB.query(
456 "DELETE FROM queue_build WHERE filename = '%s'" % (f))
459 print "Updating buildd information..."
460 spawn("/org/security.debian.org/katie/cron.buildd-security")
# The action taken when ./advisory.<id> exists is not shown in this listing.
462 adv_file = "./advisory.%s" % (advisory)
463 if os.path.exists(adv_file):
# Detach changes files from the advisory: for a changes file `c` (the loop
# header is not shown) the "adv id" key is deleted from the loaded record and
# the record is written back with Upload.dump_vars() into the current
# working directory.
466 def do_DropAdvisory():
469 Upload.pkg.changes_file = c
471 del Upload.pkg.changes["adv id"]
472 Upload.dump_vars(os.getcwd())
# Fragment of the advisory-editing helper; its def line is not shown in this
# listing. ./advisory.<id> is created from the stock template when missing,
# then opened in $EDITOR (default "vi").
476 adv_file = "./advisory.%s" % (advisory)
477 if not os.path.exists(adv_file):
478 daklib.utils.copy(Cnf["Dir::Templates"]+"/security-install.advisory", adv_file)
# NOTE(review): os.system() runs the string through a shell. EDITOR comes
# from the environment and adv_file embeds the advisory id unquoted, so both
# are parsed by that shell. Confirm this helper only ever runs with the
# invoking user's own privileges and that the advisory id is restricted to
# safe characters.
479 editor = os.environ.get("EDITOR", "vi")
480 result = os.system("%s %s" % (editor, adv_file))
# The condition guarding this error is not shown.
482 daklib.utils.fubar("%s invocation failed for %s." % (editor, adv_file))
# Fragment of the advisory-display helper; its def line is not shown in this
# listing. Renders ./advisory.<id>, or the stock template when that file does
# not exist, and prints the result between "====" rulers.
485 adv_file = "./advisory.%s" % (advisory)
486 if not os.path.exists(adv_file):
487 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
488 print "====\n%s\n====" % (generate_advisory(adv_file))
# Fragments of the main driver; its def line and most branch bodies are not
# shown in this listing.
# Load the arguments; `extras` receives the value load_args() returns.
497 extras = load_args(args)
# With no source/version recorded yet, the operator is asked whether to
# create a new advisory.
504 if srcverarches == {}:
505 if not yes_no("Create new advisory %s?" % (advisory)):
506 print "Not doing anything, then"
512 if yes_no("Add %s to %s?" % (c, advisory)):
# Both an advisory id and at least one changes file are required (the
# conditions guarding these two errors are not shown).
518 daklib.utils.fubar("Must specify an advisory id")
521 daklib.utils.fubar("No changes specified")
# Non-interactive dispatch on the command-line options.
523 if Options["Approve"]:
526 elif Options["Reject"]:
529 elif Options["Disembargo"]:
532 elif Options["Drop-Advisory"]:
# Interactive menu: "Disembargo" is offered only when the working directory
# is the embargoed queue directory.
538 opts = ["Approve", "Edit advisory"]
539 if os.path.exists("./advisory.%s" % advisory):
543 if os.getcwd() == Cnf["Dir::Queue::Embargoed"].rstrip("/"):
544 opts.append("Disembargo")
545 opts += ["Show advisory", "Reject", "Quit"]
548 what = prompt(opts, default)
552 elif what == "Approve":
554 elif what == "Edit advisory":
556 elif what == "Show advisory":
558 elif what == "Disembargo":
560 elif what == "Reject":
# Any other answer is treated as an internal error.
563 daklib.utils.fubar("Impossible answer '%s', wtf?" % (what))
565 ################################################################################
# Script entry point; the statement it guards is not shown in this listing.
567 if __name__ == '__main__':
570 ################################################################################