X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=config%2Fdebian-security%2Fcron.unchecked;h=c7baa6e6ad0aa92d90e87e7fc46b44d9ee215c95;hb=9f25fd36ea9cef49c01c40e90f7a783dfc73c8e8;hp=d519b20962d5660b4cce79834e9b1fc3ef88f739;hpb=cc8c39a7a9d895a5662c73f225318d74995bec92;p=dak.git diff --git a/config/debian-security/cron.unchecked b/config/debian-security/cron.unchecked index d519b209..c7baa6e6 100755 --- a/config/debian-security/cron.unchecked +++ b/config/debian-security/cron.unchecked @@ -1,6 +1,7 @@ #! /bin/bash set -e +set -o pipefail set -u export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars @@ -15,23 +16,36 @@ reportdis=$queuedir/REPORT.disembargo timestamp=$(date "+%Y-%m-%d %H:%M") doanything=false dopolicy=false +LOCKFILE="$lockdir/unchecked.lock" # So first we should go and see if any process-policy action is done -dak process-policy embargo | mail -a "X-Debian: DAK" -e -s "Automatically accepted from embargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftonaster@ftp-master.debian.org -dak process-policy disembargo | mail -a "X-Debian: DAK" -e -s "Automatically accepted from unembargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftonaster@ftp-master.debian.org +dak process-policy embargoed | mail -a "X-Debian: DAK" -e -s "Automatically accepted from embargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftpmaster@ftp-master.debian.org +dak process-policy unembargoed | mail -a "X-Debian: DAK" -e -s "Automatically accepted from unembargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftpmaster@ftp-master.debian.org # Now, if this really did anything, we can then sync it over. Files # in newstage mean they are (late) accepts of security stuff, need # to sync to ftp-master -cd $newstage -changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs) -if [ -n "$changes" ]; then - dopolicy=true - echo "$timestamp": ${changes:-"Nothing to do in newstage"} >> $report - rsync -a -q $newstage/. /srv/queued/ftpmaster/. - dak process-upload -a -d "$newstage" >> $report +cleanup() { + rm -f "$LOCKFILE" +} + +if ! lockfile -r8 "$LOCKFILE"; then + echo "aborting cron.unchecked because $LOCKFILE has already been locked" + exit 0 fi +trap cleanup EXIT + +for queue in embargoed; do + cd ${queuedir}/${queue}/COMMENTS + comments=$(find . -maxdepth 1 -mindepth 1 -type f '(' -name "ACCEPT.*.changes" -o -name "REJECT.*.changes" ')' | sed -e "s,./,," | xargs) + if [ -n "$comments" ]; then + dopolicy=true + echo "$timestamp": ${comments:-"Nothing to do for ${queue}"} >> $report + dak process-policy ${queue} >> ${report} + find /srv/security-master.debian.org/queue/accepted -type f -exec mv -t /srv/queued/ftpmaster '{}' + + fi +done cd $unchecked changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs) @@ -50,21 +64,57 @@ if [ -n "$changes" ]; then dak process-upload -a -d "$disembargo" >> $reportdis fi -if ! $doanything; then - echo "$timestamp": Nothing to do >> $report - exit 0 +if [ "${doanything}" = "false" ] && [ "${dopolicy}" = "false" ]; then + echo "$timestamp": Nothing to do >> $report + exit 0 fi +# manage build queues +dak manage-build-queues -a +dak generate-packages-sources2 -a build-queues +dak generate-releases -a build-queues >/dev/null + +# export build queues in old format +# XXX: This should be removed later. +for suite in stable testing; do + overridecodename=$(dak admin suite show ${suite} | awk '$1 == "OverrideCodename:" { print $2 }') + rm -rf ${incoming}/${suite}.new + dak export-suite -s buildd-${suite} -d ${incoming}/${suite}.new + + cd ${incoming}/${suite}.new + apt-ftparchive packages . ${overridedir}/override.${overridecodename}.all3 >Packages + gzip -9c --rsyncable Packages.gz + apt-ftparchive sources . ${overridedir}/override.${overridecodename}.all3.src >Sources + gzip -9c --rsyncable Sources.gz + rm -f Release + + cd ${incoming} + apt-ftparchive -qq -o APT::FTPArchive::Release::Origin="Debian" -o APT::FTPArchive::Release::Label="Debian" -o APT::FTPArchive::Release::Description="buildd $suite incoming" -o APT::FTPArchive::Release::Architectures="$archs" release ${suite}.new >${suite}.Release + + gpg --secret-keyring /srv/security-master.debian.org/s3kr1t/dot-gnupg/secring.gpg /srv/security-master.debian.org/s3kr1t/dot-gnupg/pubring.gpg --no-options --batch --no-tty --armour --default-key 473041FA --detach-sign -o ${suite}.Release.gpg ${suite}.Release + + mv ${suite}.Release ${suite}.new/Release + mv ${suite}.Release.gpg ${suite}.new/Release.gpg + + mv ${suite} ${suite}.old + mv ${suite}.new ${suite} + rm -rf ${suite}.old +done + if [ "x${dopolicy}x" = "xtruex" ]; then # We had something approved from a policy queue, push out new archive dak dominate - dak generate-filelist + #dak generate-filelist cd $configdir $configdir/map.sh - apt-ftparchive generate apt.conf - dak generate-releases + #apt-ftparchive generate apt.conf + dak generate-packages-sources2 -a security + dak generate-releases -a security /srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh sudo -u archvsync -H /home/archvsync/signal_security fi +cleanup +trap - EXIT + $configdir/cron.buildd