3 # Wrapper for Debian Security team
4 # Copyright (C) 2006 Anthony Towns <ajt@debian.org>
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
21 ################################################################################
23 import daklib.queue, daklib.logging, daklib.utils, daklib.database
24 import apt_pkg, os, sys, pwd, time, re, commands
# Allow-list for command strings: further down, a command that does not match
# is refused before commands.getstatusoutput() runs it.
# NOTE(review): the class admits "'", ";" and whitespace (\s includes newline),
# all of which a shell treats as syntax. The lftp invocation in this file needs
# them, so the pattern only screens out other metacharacters; it does not stop
# an interpolated value from changing the command's structure. Values placed
# into command strings need their own validation.
26 re_taint_free = re.compile(r"^['/;\-\+\.~\s\w]+$");
# Start-up: load the dak configuration, parse the command line into
# Security-Install::Options and create the shared Upload object.
38 global Cnf, Upload, Options, Logger
40 Cnf = daklib.utils.get_conf()
# Force the No-Mail option on for this run.
41 Cnf["Dinstall::Options::No-Mail"] = "y"
# (short flag, long flag, configuration key) triples for apt_pkg.ParseCommandLine.
42 Arguments = [('h', "help", "Security-Install::Options::Help"),
43 ('a', "automatic", "Security-Install::Options::Automatic"),
44 ('n', "no-action", "Security-Install::Options::No-Action"),
45 ('s', "sudo", "Security-Install::Options::Sudo"),
46 (' ', "no-upload", "Security-Install::Options::No-Upload"),
47 ('u', "fg-upload", "Security-Install::Options::Foreground-Upload"),
48 (' ', "drop-advisory", "Security-Install::Options::Drop-Advisory"),
49 ('A', "approve", "Security-Install::Options::Approve"),
50 ('R', "reject", "Security-Install::Options::Reject"),
51 ('D', "disembargo", "Security-Install::Options::Disembargo") ]
# What is left after option parsing; load_args() below reads these as an
# optional advisory id followed by .changes file names.
56 arguments = apt_pkg.ParseCommandLine(Cnf, Arguments, sys.argv)
58 Options = Cnf.SubTree("Security-Install::Options")
# Index 0 of a passwd entry is the login name (whoami is set on a line not shown).
61 whoamifull = pwd.getpwuid(whoami)
62 username = whoamifull[0]
64 print "Non-dak user: %s" % username
# At least one positional argument is required.
71 if len(arguments) == 0:
72 daklib.utils.fubar("Process what?")
74 Upload = daklib.queue.Upload(Cnf)
75 if Options["No-Action"]:
# The "new-security-install" Logger is created only when neither Sudo nor
# No-Action is set.
77 if not Options["Sudo"] and not Options["No-Action"]:
78 Logger = Upload.Logger = daklib.logging.Logger(Cnf, "new-security-install")
# Work out the advisory id and the list of .changes files from the positional
# arguments. Sets the globals `advisory` and `changes`; returns the list
# null_adv_changes, which collects file names appended at line 110.
87 def load_args(arguments):
88 global advisory, changes
# A first argument that is not a .changes file is taken as the advisory id.
91 if not arguments[0].endswith(".changes"):
92 adv_ids [arguments[0]] = 1
93 arguments = arguments[1:]
# Files outside the current directory are refused (the test itself is on a
# line not shown), as is anything not named *.changes.
100 daklib.utils.fubar("can only deal with files in the current directory")
101 if not a.endswith(".changes"):
102 daklib.utils.fubar("not a .changes file: %s" % (a))
104 Upload.pkg.changes_file = a
# Collect the advisory id recorded in each file's changes data, if any.
106 if "adv id" in Upload.pkg.changes:
108 adv_ids[Upload.pkg.changes["adv id"]] = 1
110 null_adv_changes.append(a)
112 adv_ids = adv_ids.keys()
# Only one advisory may be worked on per invocation.
114 daklib.utils.fubar("multiple advisories selected: %s" % (", ".join(adv_ids)))
118 advisory = adv_ids[0]
120 changes = changesfiles.keys()
121 return null_adv_changes
# Scan the current directory for .changes files and fill the globals
# `changes` and `srcverarches` ("source version" -> {architecture: 1}).
# The two "adv id" tests below compare against the global `advisory`; their
# bodies are on lines not shown.
123 def load_adv_changes():
124 global srcverarches, changes
126 for c in os.listdir("."):
127 if not c.endswith(".changes"): continue
129 Upload.pkg.changes_file = c
131 if "adv id" not in Upload.pkg.changes:
133 if Upload.pkg.changes["adv id"] != advisory:
136 if c not in changes: changes.append(c)
137 srcver = "%s %s" % (Upload.pkg.changes["source"],
138 Upload.pkg.changes["version"])
139 srcverarches.setdefault(srcver, {})
140 for arch in Upload.pkg.changes["architecture"].keys():
141 srcverarches[srcver][arch] = 1
# Print the advisory id and, per "source version" key of srcverarches, the
# architectures recorded for it (the def line and loop header are not shown).
145 print "Advisory: %s" % (advisory)
151 svs = srcverarches.keys()
# NOTE(review): `as` is a reserved word from Python 2.6 onward, so this
# variable name only parses on older interpreters.
154 as = srcverarches[sv].keys()
156 print " %s (%s)" % (sv, ", ".join(as))
# Ask the operator to pick one of `opts`; each option is shown with its first
# letter in brackets. Most of the body is on lines not shown.
158 def prompt(opts, default):
164 p += ", [%s]%s" % (o[0], o[1:])
# Automatic mode is tested here; its branch body is not shown.
170 if Options["Automatic"]:
# `default` is appended to the typed text, so an empty reply yields `default`.
174 a = daklib.utils.our_raw_input(p) + default
# Attach extra .changes files to the current advisory: record their source,
# version and architectures in srcverarches, set their "adv id" and write the
# updated state out with Upload.dump_vars() in the current directory.
179 def add_changes(extras):
183 Upload.pkg.changes_file = c
185 srcver = "%s %s" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
186 srcverarches.setdefault(srcver, {})
187 for arch in Upload.pkg.changes["architecture"].keys():
188 srcverarches[srcver][arch] = 1
189 Upload.pkg.changes["adv id"] = advisory
190 Upload.dump_vars(os.getcwd())
# Confirmation helper body (the def line is not shown; presumably yes_no(),
# which is called further down with a question string).
# In Automatic mode every question is answered True without asking.
193 if Options["Automatic"]: return True
# The reply is lower-cased before it is checked (checks not shown).
195 answer = daklib.utils.our_raw_input(prompt + " ").lower()
198 print "Invalid answer; please try again."
# Upload dispatcher body (def line not shown): No-Upload skips the upload,
# Foreground-Upload calls actually_upload() directly. The lines between 204 and
# 210 are only partly shown; the final message indicates a background upload.
201 if Options["No-Upload"]:
202 print "Not uploading as requested"
203 elif Options["Foreground-Upload"]:
204 actually_upload(changes)
208 actually_upload(changes)
210 print "Uploading in the background"
# Upload the files of the given .changes files to the host configured for
# their component, then (unless No-Action) append "source version" lines to
# the testing-processed log. Several lines of the body are not shown.
212 def actually_upload(changes_files):
# component name -> upload URI, read from Security-Install::ComponentMappings.
215 component_mapping = {}
216 for component in Cnf.SubTree("Security-Install::ComponentMappings").List():
217 component_mapping[component] = Cnf["Security-Install::ComponentMappings::%s" % (component)]
218 uploads = {}; # uploads[uri] = file_list
219 changesfiles = {}; # changesfiles[uri] = file_list
220 package_list = {} # package_list[source_name][version]
221 changes_files.sort(daklib.utils.changes_compare)
222 for changes_file in changes_files:
223 changes_file = daklib.utils.validate_changes_file_arg(changes_file)
229 # Parse the .dak file for the .changes file
230 Upload.pkg.changes_file = changes_file
232 files = Upload.pkg.files
233 changes = Upload.pkg.changes
235 # We have the changes, now return if its amd64, to not upload them to ftp-master
236 if changes["distribution"].has_key("oldstable-security") and changes["architecture"].has_key("amd64"):
237 print "Not uploading amd64 oldstable-security changes to ftp-master\n"
239 # Build the file list for this .changes file
240 for file in files.keys():
241 poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"],
242 daklib.utils.poolify(changes["source"], files[file]["component"]),
244 file_list.append(poolname)
# The pre-override component, when recorded, decides the upload target.
245 orig_component = files[file].get("original component", files[file]["component"])
246 components[orig_component] = ""
247 # Determine the upload uri for this .changes file
248 for component in components.keys():
249 upload_uri = component_mapping.get(component)
251 upload_uris[upload_uri] = ""
# Exactly one upload URI per .changes file is accepted.
252 num_upload_uris = len(upload_uris.keys())
253 if num_upload_uris == 0:
254 daklib.utils.fubar("%s: No valid upload URI found from components (%s)."
255 % (changes_file, ", ".join(components.keys())))
256 elif num_upload_uris > 1:
257 daklib.utils.fubar("%s: more than one upload URI (%s) from components (%s)."
258 % (changes_file, ", ".join(upload_uris.keys()),
259 ", ".join(components.keys())))
260 upload_uri = upload_uris.keys()[0]
261 # Update the file list for the upload uri
262 if not uploads.has_key(upload_uri):
263 uploads[upload_uri] = []
264 uploads[upload_uri].extend(file_list)
265 # Update the changes list for the upload uri
266 if not changesfiles.has_key(upload_uri):
267 changesfiles[upload_uri] = []
268 changesfiles[upload_uri].append(changes_file)
269 # Remember the suites and source name/version
270 for suite in changes["distribution"].keys():
272 # Remember the source name and version
273 if changes["architecture"].has_key("source") and \
274 changes["distribution"].has_key("testing"):
# `dsc` is bound on a line not shown.
275 if not package_list.has_key(dsc["source"]):
276 package_list[dsc["source"]] = {}
277 package_list[dsc["source"]][dsc["version"]] = ""
279 for uri in uploads.keys():
280 uploads[uri].extend(changesfiles[uri])
# The tuple unpack requires exactly one ":" in the configured URI; any other
# count raises ValueError.
281 (host, path) = uri.split(":")
282 file_list = " ".join(uploads[uri])
283 print "Uploading files to %s..." % (host)
# NOTE(review): host, path and the file names are interpolated into a
# single-quoted lftp script that spawn() passes to a shell. The allow-list
# spawn() applies accepts "'", ";" and whitespace, so a file name containing
# one of those would alter the command rather than be rejected. Whether the
# names are validated before this point is not visible here -- confirm.
284 spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
# Record each source/version collected above in the testing-processed log
# (opened in append mode).
286 if not Options["No-Action"]:
287 filename = "%s/testing-processed" % (Cnf["Dir::Log"])
288 file = daklib.utils.open_file(filename, 'a')
289 for source in package_list.keys():
290 for version in package_list[source].keys():
291 file.write(" ".join([source, version])+'\n')
# Build the advisory text: collect, per suite and architecture, every file of
# the advisory's .changes files with its size, MD5 and pool path, render that
# as a list of download URLs, and substitute it and the header fields into
# `template` with daklib.utils.TemplateSubst(). Several lines are not shown.
294 def generate_advisory(template):
295 global changes, advisory
298 updated_pkgs = {}; # updated_pkgs[distro][arch][file] = {path,md5,size}
301 arg = daklib.utils.validate_changes_file_arg(arg)
302 Upload.pkg.changes_file = arg
306 src = Upload.pkg.changes["source"]
307 src_ver = "%s (%s)" % (src, Upload.pkg.changes["version"])
308 if src_ver not in adv_packages:
309 adv_packages.append(src_ver)
311 suites = Upload.pkg.changes["distribution"].keys()
313 if not updated_pkgs.has_key(suite):
314 updated_pkgs[suite] = {}
316 files = Upload.pkg.files
317 for file in files.keys():
318 arch = files[file]["architecture"]
# NOTE(review): MD5 is the only digest carried into the advisory. It is not
# collision-resistant; a stronger digest would be preferable if the files data
# provides one (not visible here).
319 md5 = files[file]["md5sum"]
320 size = files[file]["size"]
321 poolname = Cnf["Dir::PoolRoot"] + \
322 daklib.utils.poolify(src, files[file]["component"])
# Remember the pool path of the .dsc for the dsc_files entries below.
323 if arch == "source" and file.endswith(".dsc"):
324 dscpoolname = poolname
326 if not updated_pkgs[suite].has_key(arch):
327 updated_pkgs[suite][arch] = {}
328 updated_pkgs[suite][arch][file] = {
329 "md5": md5, "size": size, "poolname": poolname }
331 dsc_files = Upload.pkg.dsc_files
332 for file in dsc_files.keys():
334 if not dsc_files[file].has_key("files id"):
337 # otherwise, it's already in the pool and needs to be
339 md5 = dsc_files[file]["md5sum"]
340 size = dsc_files[file]["size"]
342 if not updated_pkgs[suite].has_key(arch):
343 updated_pkgs[suite][arch] = {}
344 updated_pkgs[suite][arch][file] = {
345 "md5": md5, "size": size, "poolname": dscpoolname }
# When run under sudo, the invoking user's uid is taken from the SUDO_UID
# environment variable.
347 if os.environ.has_key("SUDO_UID"):
348 whoami = long(os.environ["SUDO_UID"])
# Field 4 of the passwd entry is GECOS; the part before the first comma is
# used as the author's name.
351 whoamifull = pwd.getpwuid(whoami)
352 username = whoamifull[4].split(",")[0]
355 "__ADVISORY__": advisory,
356 "__WHOAMI__": username,
# The date is formatted from UTC (time.gmtime).
357 "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())),
358 "__PACKAGE__": ", ".join(adv_packages),
359 "__DAK_ADDRESS__": Cnf["Dinstall::MyEmailAddress"]
362 if Cnf.has_key("Dinstall::Bcc"):
363 Subst["__BCC__"] = "Bcc: %s" % (Cnf["Dinstall::Bcc"])
366 archive = Cnf["Archive::%s::PrimaryMirror" % (daklib.utils.where_am_i())]
367 for suite in updated_pkgs.keys():
368 ver = Cnf["Suite::%s::Version" % suite]
369 if ver != "": ver += " "
370 suite_header = "%s %s(%s)" % (Cnf["Dinstall::MyDistribution"],
372 adv += "%s\n%s\n\n" % (suite_header, "-"*len(suite_header))
# "source" is listed separately below, so it is dropped from the
# architecture list.
374 arches = Cnf.ValueList("Suite::%s::Architectures" % suite)
375 if "source" in arches:
376 arches.remove("source")
381 adv += "%s updates are available for %s.\n\n" % (
382 suite.capitalize(), daklib.utils.join_with_commas_and(arches))
384 for a in ["source", "all"] + arches:
385 if not updated_pkgs[suite].has_key(a):
389 adv += "Source archives:\n\n"
391 adv += "Architecture independent packages:\n\n"
393 adv += "%s architecture (%s)\n\n" % (a,
394 Cnf["Architectures::%s" % a])
# Each file is listed as a plain-http URL followed by its size and MD5.
396 for file in updated_pkgs[suite][a].keys():
397 adv += " http://%s/%s%s\n" % (
398 archive, updated_pkgs[suite][a][file]["poolname"], file)
399 adv += " Size/MD5 checksum: %8s %s\n" % (
400 updated_pkgs[suite][a][file]["size"],
401 updated_pkgs[suite][a][file]["md5"])
405 Subst["__ADVISORY_TEXT__"] = adv
407 adv = daklib.utils.TemplateSubst(Subst, template)
# Command runner body (the def line is not shown; the calls elsewhere in this
# file use spawn(command)).
# Refuse any command string containing a character outside re_taint_free.
411 if not re_taint_free.match(command):
412 daklib.utils.fubar("Invalid character in \"%s\"." % (command))
# Dry run: print the command instead of executing it.
414 if Options["No-Action"]:
415 print "[%s]" % (command)
# NOTE(review): commands.getstatusoutput() hands the whole string to a shell,
# so the allow-list check above is the only screening, and that pattern
# accepts "'", ";" and whitespace. Callers must not interpolate values they
# have not validated themselves.
417 (result, output) = commands.getstatusoutput(command)
# fubar() receives the command's output and status (the condition guarding
# this call is on a line not shown).
419 daklib.utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result)
422 ##################### ! ! ! N O T E ! ! ! #####################
424 # These functions will be reinvoked by semi-privileged users, so be careful
425 # not to invoke external programs that will escalate privileges, etc.
427 ##################### ! ! ! N O T E ! ! ! #####################
# Re-run this command as user "dak" through sudo, passing the single-letter
# action flag `arg` and the advisory id. How `fn` and `exit` are used is on
# lines not shown.
429 def sudo(arg, fn, exit):
432 daklib.utils.fubar("Must set advisory name")
# Absolute paths and an argument vector are used, so no shell parses the
# advisory id; "--" ends option parsing so the id is always read as a
# positional argument. -H makes sudo set HOME for the target user.
433 os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H",
434 "/usr/local/bin/dak", "new-security-install", "-"+arg, "--", advisory)
# Approve entry point: goes through sudo() with action flag "A" and the
# _do_Approve worker, whose def line is not shown; the lines below appear to
# be its body.
440 def do_Approve(): sudo("A", _do_Approve, True)
442 # 1. dump advisory in drafts
# NOTE(review): the advisory id is placed into the path unchanged. No check on
# its characters is visible here; an id containing "/" or ".." would name a
# file outside the drafts directory -- confirm it is validated earlier.
443 draft = "/org/security.debian.org/advisories/drafts/%s" % (advisory)
444 print "Advisory in %s" % (draft)
445 if not Options["No-Action"]:
# A per-advisory file in the current directory takes precedence over the
# stock template.
446 adv_file = "./advisory.%s" % (advisory)
447 if not os.path.exists(adv_file):
448 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
# O_CREAT|O_EXCL makes the open fail if the draft already exists, so an
# existing file is never overwritten; mode 0664 is subject to the umask.
449 adv_fd = os.open(draft, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0664)
450 os.write(adv_fd, generate_advisory(adv_file))
454 # 2. run dak process-accepted on changes
455 print "Accepting packages..."
# The .changes file names are joined into the command string given to spawn().
456 spawn("dak process-accepted -pa %s" % (" ".join(changes)))
458 # 3. run dak make-suite-file-list / apt-ftparchive / dak generate-releases
459 print "Updating file lists for apt-ftparchive..."
460 spawn("dak make-suite-file-list")
461 print "Updating Packages and Sources files..."
462 spawn("apt-ftparchive generate %s" % (daklib.utils.which_apt_conf_file()))
463 print "Updating Release files..."
464 spawn("dak generate-releases")
465 print "Triggering security mirrors..."
# This step switches user again, to archvsync, to signal the mirrors.
466 spawn("sudo -u archvsync /home/archvsync/signal_security")
468 # 4. chdir to done - do upload
469 if not Options["No-Action"]:
470 os.chdir(Cnf["Dir::Queue::Done"])
# Disembargo entry point: goes through sudo() with action flag "D".
473 def do_Disembargo(): sudo("D", _do_Disembargo, True)
# Move the advisory's uploads from the embargoed queue to the unembargoed one:
# record source uploads in the disembargo table, re-point queue_build rows and
# copy the files to the unembargoed directory. Several lines are not shown.
474 def _do_Disembargo():
# Only runs from inside the embargoed queue directory.
475 if os.getcwd() != Cnf["Dir::Queue::Embargoed"].rstrip("/"):
476 daklib.utils.fubar("Can only disembargo from %s" % Cnf["Dir::Queue::Embargoed"])
478 dest = Cnf["Dir::Queue::Unembargoed"]
479 emb_q = daklib.database.get_or_set_queue_id("embargoed")
480 une_q = daklib.database.get_or_set_queue_id("unembargoed")
483 print "Disembargoing %s" % (c)
486 Upload.pkg.changes_file = c
489 if "source" in Upload.pkg.changes["architecture"].keys():
490 print "Adding %s %s to disembargo table" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
# NOTE(review): the INSERT is assembled with % formatting from the "source"
# and "version" fields of the changes data; a quote character in either value
# would change the statement. Escape the values or use parameter binding if
# the database layer offers it (its API is not visible here).
491 Upload.projectB.query("INSERT INTO disembargo (package, version) VALUES ('%s', '%s')" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"]))
# Collect the queue-build paths of this upload's files for the suites listed
# in Dinstall::QueueBuildSuites.
494 for suite in Upload.pkg.changes["distribution"].keys():
495 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
497 dest_dir = Cnf["Dir::QueueBuild"]
498 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
499 dest_dir = os.path.join(dest_dir, suite)
500 for file in Upload.pkg.files.keys():
501 files[os.path.join(dest_dir, file)] = 1
# The queue_build updates run inside one transaction.
504 Upload.projectB.query("BEGIN WORK")
# NOTE(review): `f` is a path built from a file name in the upload and is
# interpolated into the UPDATE without escaping; same concern as the INSERT.
506 Upload.projectB.query("UPDATE queue_build SET queue = %s WHERE filename = '%s' AND queue = %s" % (une_q, f, emb_q))
507 Upload.projectB.query("COMMIT WORK")
509 for file in Upload.pkg.files.keys():
510 daklib.utils.copy(file, os.path.join(dest, file))
514 daklib.utils.copy(c, os.path.join(dest, c))
517 daklib.utils.copy(k, os.path.join(dest, k))
# Reject entry point: goes through sudo() with action flag "R" and the
# _do_Reject worker, whose def line is not shown; the lines below appear to be
# its body.
520 def do_Reject(): sudo("R", _do_Reject, True)
524 print "Rejecting %s..." % (c)
526 Upload.pkg.changes_file = c
# Collect the queue-build paths of this upload's files for the suites listed
# in Dinstall::QueueBuildSuites.
529 for suite in Upload.pkg.changes["distribution"].keys():
530 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
532 dest_dir = Cnf["Dir::QueueBuild"]
533 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
534 dest_dir = os.path.join(dest_dir, suite)
535 for file in Upload.pkg.files.keys():
536 files[os.path.join(dest_dir, file)] = 1
540 aborted = Upload.do_reject()
# c[:-8] strips the 8-character ".changes" suffix to name the matching .dak file.
542 os.unlink(c[:-8]+".dak")
# NOTE(review): `f` is a path built from a file name in the upload and is
# interpolated into the DELETE without escaping; a quote character in it would
# change the statement. Escape it or use parameter binding if the database
# layer offers it (its API is not visible here).
544 Upload.projectB.query(
545 "DELETE FROM queue_build WHERE filename = '%s'" % (f))
548 print "Updating buildd information..."
549 spawn("/org/security.debian.org/dak/config/debian-security/cron.buildd")
# The per-advisory file is looked up here; what happens when it exists is on
# a line not shown.
551 adv_file = "./advisory.%s" % (advisory)
552 if os.path.exists(adv_file):
# Detach .changes files from their advisory: delete the "adv id" entry from
# the changes data and write the state back with Upload.dump_vars().
# The loop header is on a line not shown.
555 def do_DropAdvisory():
558 Upload.pkg.changes_file = c
560 del Upload.pkg.changes["adv id"]
561 Upload.dump_vars(os.getcwd())
# Advisory editing body (def line not shown): make sure a per-advisory file
# exists, seeded from the stock template, then open it in the user's editor.
565 adv_file = "./advisory.%s" % (advisory)
566 if not os.path.exists(adv_file):
567 daklib.utils.copy(Cnf["Dir::Templates"]+"/security-install.advisory", adv_file)
568 editor = os.environ.get("EDITOR", "vi")
# NOTE(review): EDITOR and the advisory-derived file name are joined into one
# string and run through a shell by os.system(); no allow-list check is applied
# on the visible lines. An argument-vector call, as sudo() in this file does
# with os.spawnl, would avoid shell parsing of the advisory id.
569 result = os.system("%s %s" % (editor, adv_file))
# Reports a failed editor run (the condition is on a line not shown).
571 daklib.utils.fubar("%s invocation failed for %s." % (editor, adv_file))
# Advisory display body (def line not shown): render the per-advisory file if
# it exists, otherwise the stock template, and print the result.
574 adv_file = "./advisory.%s" % (advisory)
575 if not os.path.exists(adv_file):
576 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
577 print "====\n%s\n====" % (generate_advisory(adv_file))
# Main flow (def line and many branch bodies not shown): load the arguments,
# confirm creation of a new advisory or addition of extra .changes files, then
# either run the action selected by an option or show an interactive menu.
586 extras = load_args(args)
# An empty srcverarches means no existing .changes file carries this advisory id.
593 if srcverarches == {}:
594 if not yes_no("Create new advisory %s?" % (advisory)):
595 print "Not doing anything, then"
601 if yes_no("Add %s to %s?" % (c, advisory)):
607 daklib.utils.fubar("Must specify an advisory id")
610 daklib.utils.fubar("No changes specified")
# Non-interactive dispatch on the action options.
612 if Options["Approve"]:
615 elif Options["Reject"]:
618 elif Options["Disembargo"]:
621 elif Options["Drop-Advisory"]:
# Interactive menu.
627 opts = ["Approve", "Edit advisory"]
628 if os.path.exists("./advisory.%s" % advisory):
# "Disembargo" is offered only when running from the embargoed queue directory.
632 if os.getcwd() == Cnf["Dir::Queue::Embargoed"].rstrip("/"):
633 opts.append("Disembargo")
634 opts += ["Show advisory", "Reject", "Quit"]
637 what = prompt(opts, default)
641 elif what == "Approve":
643 elif what == "Edit advisory":
645 elif what == "Show advisory":
647 elif what == "Disembargo":
649 elif what == "Reject":
# Any reply that matches none of the menu entries aborts.
652 daklib.utils.fubar("Impossible answer '%s', wtf?" % (what))
654 ################################################################################
656 if __name__ == '__main__':
659 ################################################################################