X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=dak%2Fprocess_unchecked.py;h=498eb49f0dd6a21da49cd2d76bb0e052c3efbf26;hb=3bb635cd8b8d524e808d537f469031125dba86fc;hp=32eda9ecd562e6c4abe4f2780d9cf7bf7d6dde68;hpb=06ce98c8111a8b09e5603dbbd34324a216412d69;p=dak.git diff --git a/dak/process_unchecked.py b/dak/process_unchecked.py index 32eda9ec..498eb49f 100755 --- a/dak/process_unchecked.py +++ b/dak/process_unchecked.py @@ -30,16 +30,21 @@ import commands, errno, fcntl, os, re, shutil, stat, sys, time, tempfile, traceback import apt_inst, apt_pkg -import dak.lib.database, dak.lib.queue, dak.lib.logging, dak.lib.utils +import daklib.database +import daklib.logging +import daklib.queue +import daklib.utils from types import * ################################################################################ -re_valid_version = re.compile(r"^([0-9]+:)?[0-9A-Za-z\.\-\+:]+$") +re_valid_version = re.compile(r"^([0-9]+:)?[0-9A-Za-z\.\-\+:~]+$") re_valid_pkg_name = re.compile(r"^[\dA-Za-z][\dA-Za-z\+\-\.]+$") re_changelog_versions = re.compile(r"^\w[-+0-9a-z.]+ \([^\(\) \t]+\)") re_strip_revision = re.compile(r"-([^-]+)$") +re_strip_srcver = re.compile(r"\s+\(\S+\)$") +re_spacestrip = re.compile('(\s)') ################################################################################ @@ -68,7 +73,7 @@ def init(): apt_pkg.init() Cnf = apt_pkg.newConfiguration() - apt_pkg.ReadConfigFileISC(Cnf,dak.lib.utils.which_conf_file()) + apt_pkg.ReadConfigFileISC(Cnf,daklib.utils.which_conf_file()) Arguments = [('a',"automatic","Dinstall::Options::Automatic"), ('h',"help","Dinstall::Options::Help"), @@ -86,7 +91,7 @@ def init(): if Options["Help"]: usage() - Upload = dak.lib.queue.Queue(Cnf) + Upload = daklib.queue.Upload(Cnf) changes = Upload.pkg.changes dsc = Upload.pkg.dsc @@ -162,7 +167,7 @@ def clean_holding(): for file in in_holding.keys(): if os.path.exists(file): if file.find('/') != -1: - dak.lib.utils.fubar("WTF? clean_holding() got a file ('%s') with / in it!" % (file)) + daklib.utils.fubar("WTF? clean_holding() got a file ('%s') with / in it!" % (file)) else: os.unlink(file) in_holding = {} @@ -175,20 +180,20 @@ def check_changes(): # Parse the .changes field into a dictionary try: - changes.update(dak.lib.utils.parse_changes(filename)) - except dak.lib.utils.cant_open_exc: + changes.update(daklib.utils.parse_changes(filename)) + except daklib.utils.cant_open_exc: reject("%s: can't read file." % (filename)) return 0 - except dak.lib.utils.changes_parse_error_exc, line: + except daklib.utils.changes_parse_error_exc, line: reject("%s: parse error, can't grok: %s." % (filename, line)) return 0 # Parse the Files field from the .changes into another dictionary try: - files.update(dak.lib.utils.build_file_list(changes)) - except dak.lib.utils.changes_parse_error_exc, line: + files.update(daklib.utils.build_file_list(changes)) + except daklib.utils.changes_parse_error_exc, line: reject("%s: parse error, can't grok: %s." % (filename, line)) - except dak.lib.utils.nk_format_exc, format: + except daklib.utils.nk_format_exc, format: reject("%s: unknown format '%s'." % (filename, format)) return 0 @@ -199,6 +204,14 @@ def check_changes(): reject("%s: Missing mandatory field `%s'." % (filename, i)) return 0 # Avoid errors during later tests + # Strip a source version in brackets from the source field + if re_strip_srcver.search(changes["source"]): + changes["source"] = re_strip_srcver.sub('', changes["source"]) + + # Ensure the source field is a valid package name. + if not re_valid_pkg_name.match(changes["source"]): + reject("%s: invalid source name '%s'." % (filename, changes["source"])) + # Split multi-value fields into a lower-level dictionary for i in ("architecture", "distribution", "binary", "closes"): o = changes.get(i, "") @@ -212,8 +225,8 @@ def check_changes(): try: (changes["maintainer822"], changes["maintainer2047"], changes["maintainername"], changes["maintaineremail"]) = \ - dak.lib.utils.fix_maintainer (changes["maintainer"]) - except dak.lib.utils.ParseMaintError, msg: + daklib.utils.fix_maintainer (changes["maintainer"]) + except daklib.utils.ParseMaintError, msg: reject("%s: Maintainer field ('%s') failed to parse: %s" \ % (filename, changes["maintainer"], msg)) @@ -221,8 +234,8 @@ def check_changes(): try: (changes["changedby822"], changes["changedby2047"], changes["changedbyname"], changes["changedbyemail"]) = \ - dak.lib.utils.fix_maintainer (changes.get("changed-by", "")) - except dak.lib.utils.ParseMaintError, msg: + daklib.utils.fix_maintainer (changes.get("changed-by", "")) + except daklib.utils.ParseMaintError, msg: (changes["changedby822"], changes["changedby2047"], changes["changedbyname"], changes["changedbyemail"]) = \ ("", "", "", "") @@ -232,18 +245,18 @@ def check_changes(): # Ensure all the values in Closes: are numbers if changes.has_key("closes"): for i in changes["closes"].keys(): - if dak.lib.queue.re_isanum.match (i) == None: + if daklib.queue.re_isanum.match (i) == None: reject("%s: `%s' from Closes field isn't a number." % (filename, i)) # chopversion = no epoch; chopversion2 = no epoch and no revision (e.g. for .orig.tar.gz comparison) - changes["chopversion"] = dak.lib.utils.re_no_epoch.sub('', changes["version"]) - changes["chopversion2"] = dak.lib.utils.re_no_revision.sub('', changes["chopversion"]) + changes["chopversion"] = daklib.utils.re_no_epoch.sub('', changes["version"]) + changes["chopversion2"] = daklib.utils.re_no_revision.sub('', changes["chopversion"]) # Check there isn't already a changes file of the same name in one # of the queue directories. base_filename = os.path.basename(filename) - for dir in [ "Accepted", "Byhand", "Done", "New" ]: + for dir in [ "Accepted", "Byhand", "Done", "New", "ProposedUpdates", "OldProposedUpdates" ]: if os.path.exists(Cnf["Dir::Queue::%s" % (dir) ]+'/'+base_filename): reject("%s: a file with this name already exists in the %s directory." % (base_filename, dir)) @@ -317,14 +330,12 @@ def check_deb_ar(filename, control): o control.tar.gz o data.tar.gz or data.tar.bz2 -in that order, and nothing else. If the third member is a -data.tar.bz2, an additional check is performed for the required -Pre-Depends on dpkg (>= 1.10.24).""" +in that order, and nothing else.""" cmd = "ar t %s" % (filename) (result, output) = commands.getstatusoutput(cmd) if result != 0: reject("%s: 'ar t' invocation failed." % (filename)) - reject(dak.lib.utils.prefix_multi_line_string(output, " [ar output:] "), "") + reject(daklib.utils.prefix_multi_line_string(output, " [ar output:] "), "") chunks = output.split('\n') if len(chunks) != 3: reject("%s: found %d chunks, expected 3." % (filename, len(chunks))) @@ -332,22 +343,7 @@ Pre-Depends on dpkg (>= 1.10.24).""" reject("%s: first chunk is '%s', expected 'debian-binary'." % (filename, chunks[0])) if chunks[1] != "control.tar.gz": reject("%s: second chunk is '%s', expected 'control.tar.gz'." % (filename, chunks[1])) - if chunks[2] == "data.tar.bz2": - # Packages using bzip2 compression must have a Pre-Depends on dpkg >= 1.10.24. - found_needed_predep = 0 - for parsed_dep in apt_pkg.ParseDepends(control.Find("Pre-Depends", "")): - for atom in parsed_dep: - (dep, version, constraint) = atom - if dep != "dpkg" or (constraint != ">=" and constraint != ">>") or \ - len(parsed_dep) > 1: # or'ed deps don't count - continue - if (constraint == ">=" and apt_pkg.VersionCompare(version, "1.10.24") < 0) or \ - (constraint == ">>" and apt_pkg.VersionCompare(version, "1.10.23") < 0): - continue - found_needed_predep = 1 - if not found_needed_predep: - reject("%s: uses bzip2 compression, but doesn't Pre-Depend on dpkg (>= 1.10.24)" % (filename)) - elif chunks[2] != "data.tar.gz": + if chunks[2] not in [ "data.tar.bz2", "data.tar.gz" ]: reject("%s: third chunk is '%s', expected 'data.tar.gz' or 'data.tar.bz2'." % (filename, chunks[2])) ################################################################################ @@ -355,7 +351,7 @@ Pre-Depends on dpkg (>= 1.10.24).""" def check_files(): global reprocess - archive = dak.lib.utils.where_am_i() + archive = daklib.utils.where_am_i() file_keys = files.keys() # if reprocess is 2 we've already done this and we're checking @@ -392,10 +388,11 @@ def check_files(): for file in file_keys: # Ensure the file does not already exist in one of the accepted directories - for dir in [ "Accepted", "Byhand", "New" ]: + for dir in [ "Accepted", "Byhand", "New", "ProposedUpdates", "OldProposedUpdates", "Embargoed", "Unembargoed" ]: + if not Cnf.has_key("Dir::Queue::%s" % (dir)): continue if os.path.exists(Cnf["Dir::Queue::%s" % (dir) ]+'/'+file): reject("%s file already exists in the %s directory." % (file, dir)) - if not dak.lib.utils.re_taint_free.match(file): + if not daklib.utils.re_taint_free.match(file): reject("!!WARNING!! tainted filename: '%s'." % (file)) # Check the file is readable if os.access(file,os.R_OK) == 0: @@ -409,16 +406,16 @@ def check_files(): files[file]["type"] = "unreadable" continue # If it's byhand skip remaining checks - if files[file]["section"] == "byhand" or files[file]["section"] == "raw-installer": + if files[file]["section"] == "byhand" or files[file]["section"][:4] == "raw-": files[file]["byhand"] = 1 files[file]["type"] = "byhand" # Checks for a binary package... - elif dak.lib.utils.re_isadeb.match(file): + elif daklib.utils.re_isadeb.match(file): has_binaries = 1 files[file]["type"] = "deb" # Extract package control information - deb_file = dak.lib.utils.open_file(file) + deb_file = daklib.utils.open_file(file) try: control = apt_pkg.ParseSection(apt_inst.debExtractControl(deb_file)) except: @@ -465,6 +462,16 @@ def check_files(): if depends == '': reject("%s: Depends field is empty." % (file)) + # Sanity-check the Provides field + provides = re_spacestrip.sub('', control.Find("Provides")) + if provides == '': + reject("%s: Provides field is empty." % (file)) + prov_list = provides.split(",") + for prov in prov_list: + if not re_valid_pkg_name.match(prov): + reject("%s: Invalid Provides field content %s." % (file, prov)) + + # Check the section & priority match those given in the .changes (non-fatal) if control.Find("Section") and files[file]["section"] != "" and files[file]["section"] != control.Find("Section"): reject("%s control file lists section as `%s', but changes file has `%s'." % (file, control.Find("Section", ""), files[file]["section"]), "Warning: ") @@ -486,7 +493,7 @@ def check_files(): source = files[file]["source"] source_version = "" if source.find("(") != -1: - m = dak.lib.utils.re_extract_src_version.match(source) + m = daklib.utils.re_extract_src_version.match(source) source = m.group(1) source_version = m.group(2) if not source_version: @@ -495,12 +502,12 @@ def check_files(): files[file]["source version"] = source_version # Ensure the filename matches the contents of the .deb - m = dak.lib.utils.re_isadeb.match(file) + m = daklib.utils.re_isadeb.match(file) # package name file_package = m.group(1) if files[file]["package"] != file_package: reject("%s: package part of filename (%s) does not match package name in the %s (%s)." % (file, file_package, files[file]["dbtype"], files[file]["package"])) - epochless_version = dak.lib.utils.re_no_epoch.sub('', control.Find("Version")) + epochless_version = daklib.utils.re_no_epoch.sub('', control.Find("Version")) # version file_version = m.group(2) if epochless_version != file_version: @@ -520,14 +527,21 @@ def check_files(): # Check in the SQL database if not Upload.source_exists(source_package, source_version, changes["distribution"].keys()): # Check in one of the other directories - source_epochless_version = dak.lib.utils.re_no_epoch.sub('', source_version) + source_epochless_version = daklib.utils.re_no_epoch.sub('', source_version) dsc_filename = "%s_%s.dsc" % (source_package, source_epochless_version) if os.path.exists(Cnf["Dir::Queue::Byhand"] + '/' + dsc_filename): files[file]["byhand"] = 1 elif os.path.exists(Cnf["Dir::Queue::New"] + '/' + dsc_filename): files[file]["new"] = 1 - elif not os.path.exists(Cnf["Dir::Queue::Accepted"] + '/' + dsc_filename): - reject("no source found for %s %s (%s)." % (source_package, source_version, file)) + else: + dsc_file_exists = 0 + for myq in ["Accepted", "Embargoed", "Unembargoed", "ProposedUpdates", "OldProposedUpdates"]: + if Cnf.has_key("Dir::Queue::%s" % (myq)): + if os.path.exists(Cnf["Dir::Queue::"+myq] + '/' + dsc_filename): + dsc_file_exists = 1 + break + if not dsc_file_exists: + reject("no source found for %s %s (%s)." % (source_package, source_version, file)) # Check the version and for file overwrites reject(Upload.check_binary_against_db(file),"") @@ -535,7 +549,7 @@ def check_files(): # Checks for a source package... else: - m = dak.lib.utils.re_issource.match(file) + m = daklib.utils.re_issource.match(file) if m: has_source = 1 files[file]["package"] = m.group(1) @@ -560,7 +574,7 @@ def check_files(): # Check the signature of a .dsc file if files[file]["type"] == "dsc": - dsc["fingerprint"] = dak.lib.utils.check_signature(file, reject) + dsc["fingerprint"] = daklib.utils.check_signature(file, reject) files[file]["architecture"] = "source" @@ -591,7 +605,7 @@ def check_files(): # Validate the component component = files[file]["component"] - component_id = dak.lib.database.get_component_id(component) + component_id = daklib.database.get_component_id(component) if component_id == -1: reject("file '%s' has unknown component '%s'." % (file, component)) continue @@ -606,14 +620,14 @@ def check_files(): # Determine the location location = Cnf["Dir::Pool"] - location_id = dak.lib.database.get_location_id (location, component, archive) + location_id = daklib.database.get_location_id (location, component, archive) if location_id == -1: reject("[INTERNAL ERROR] couldn't determine location (Component: %s, Archive: %s)" % (component, archive)) files[file]["location id"] = location_id # Check the md5sum & size against existing files (if any) - files[file]["pool name"] = dak.lib.utils.poolify (changes["source"], files[file]["component"]) - files_id = dak.lib.database.get_files_id(files[file]["pool name"] + file, files[file]["size"], files[file]["md5sum"], files[file]["location id"]) + files[file]["pool name"] = daklib.utils.poolify (changes["source"], files[file]["component"]) + files_id = daklib.database.get_files_id(files[file]["pool name"] + file, files[file]["size"], files[file]["md5sum"], files[file]["location id"]) if files_id == -1: reject("INTERNAL ERROR, get_files_id() returned multiple matches for %s." % (file)) elif files_id == -2: @@ -668,22 +682,22 @@ def check_dsc(): # Parse the .dsc file try: - dsc.update(dak.lib.utils.parse_changes(dsc_filename, signing_rules=1)) - except dak.lib.utils.cant_open_exc: + dsc.update(daklib.utils.parse_changes(dsc_filename, signing_rules=1)) + except daklib.utils.cant_open_exc: # if not -n copy_to_holding() will have done this for us... if Options["No-Action"]: reject("%s: can't read file." % (dsc_filename)) - except dak.lib.utils.changes_parse_error_exc, line: + except daklib.utils.changes_parse_error_exc, line: reject("%s: parse error, can't grok: %s." % (dsc_filename, line)) - except dak.lib.utils.invalid_dsc_format_exc, line: + except daklib.utils.invalid_dsc_format_exc, line: reject("%s: syntax error on line %s." % (dsc_filename, line)) # Build up the file list of files mentioned by the .dsc try: - dsc_files.update(dak.lib.utils.build_file_list(dsc, is_a_dsc=1)) - except dak.lib.utils.no_files_exc: + dsc_files.update(daklib.utils.build_file_list(dsc, is_a_dsc=1)) + except daklib.utils.no_files_exc: reject("%s: no Files: field." % (dsc_filename)) return 0 - except dak.lib.utils.changes_parse_error_exc, line: + except daklib.utils.changes_parse_error_exc, line: reject("%s: parse error, can't grok: %s." % (dsc_filename, line)) return 0 @@ -706,8 +720,8 @@ def check_dsc(): # Validate the Maintainer field try: - dak.lib.utils.fix_maintainer (dsc["maintainer"]) - except dak.lib.utils.ParseMaintError, msg: + daklib.utils.fix_maintainer (dsc["maintainer"]) + except daklib.utils.ParseMaintError, msg: reject("%s: Maintainer field ('%s') failed to parse: %s" \ % (dsc_filename, dsc["maintainer"], msg)) @@ -727,7 +741,7 @@ def check_dsc(): pass # Ensure the version number in the .dsc matches the version number in the .changes - epochless_dsc_version = dak.lib.utils.re_no_epoch.sub('', dsc["version"]) + epochless_dsc_version = daklib.utils.re_no_epoch.sub('', dsc["version"]) changes_version = files[dsc_filename]["version"] if epochless_dsc_version != files[dsc_filename]["version"]: reject("version ('%s') in .dsc does not match version ('%s') in .changes." % (epochless_dsc_version, changes_version)) @@ -735,9 +749,10 @@ def check_dsc(): # Ensure there is a .tar.gz in the .dsc file has_tar = 0 for f in dsc_files.keys(): - m = dak.lib.utils.re_issource.match(f) + m = daklib.utils.re_issource.match(f) if not m: reject("%s: %s in Files field not recognised as source." % (dsc_filename, f)) + continue type = m.group(3) if type == "orig.tar.gz" or type == "tar.gz": has_tar = 1 @@ -782,7 +797,7 @@ def get_changelog_versions(source_dir): # Create a symlink mirror of the source files in our temporary directory for f in files.keys(): - m = dak.lib.utils.re_issource.match(f) + m = daklib.utils.re_issource.match(f) if m: src = os.path.join(source_dir, f) # If a file is missing for whatever reason, give up. @@ -805,14 +820,14 @@ def get_changelog_versions(source_dir): (result, output) = commands.getstatusoutput(cmd) if (result != 0): reject("'dpkg-source -x' failed for %s [return code: %s]." % (dsc_filename, result)) - reject(dak.lib.utils.prefix_multi_line_string(output, " [dpkg-source output:] "), "") + reject(daklib.utils.prefix_multi_line_string(output, " [dpkg-source output:] "), "") return if not Cnf.Find("Dir::Queue::BTSVersionTrack"): return # Get the upstream version - upstr_version = dak.lib.utils.re_no_epoch.sub('', dsc["version"]) + upstr_version = daklib.utils.re_no_epoch.sub('', dsc["version"]) if re_strip_revision.search(upstr_version): upstr_version = re_strip_revision.sub('', upstr_version) @@ -824,7 +839,7 @@ def get_changelog_versions(source_dir): # Parse the changelog dsc["bts changelog"] = "" - changelog_file = dak.lib.utils.open_file(changelog_filename) + changelog_file = daklib.utils.open_file(changelog_filename) for line in changelog_file.readlines(): m = re_changelog_versions.match(line) if m: @@ -867,7 +882,7 @@ def check_source(): shutil.rmtree(tmpdir) except OSError, e: if errno.errorcode[e.errno] != 'EACCES': - dak.lib.utils.fubar("%s: couldn't remove tmp dir for source tree." % (dsc["source"])) + daklib.utils.fubar("%s: couldn't remove tmp dir for source tree." % (dsc["source"])) reject("%s: source tree could not be cleanly removed." % (dsc["source"])) # We probably have u-r or u-w directories so chmod everything @@ -875,10 +890,10 @@ def check_source(): cmd = "chmod -R u+rwx %s" % (tmpdir) result = os.system(cmd) if result != 0: - dak.lib.utils.fubar("'%s' failed with result %s." % (cmd, result)) + daklib.utils.fubar("'%s' failed with result %s." % (cmd, result)) shutil.rmtree(tmpdir) except: - dak.lib.utils.fubar("%s: couldn't remove tmp dir for source tree." % (dsc["source"])) + daklib.utils.fubar("%s: couldn't remove tmp dir for source tree." % (dsc["source"])) ################################################################################ @@ -895,40 +910,77 @@ def check_urgency (): ################################################################################ -def check_md5sums (): - for file in files.keys(): +def check_hashes (): + # Make sure we recognise the format of the Files: field + format = changes.get("format", "0.0").split(".",1) + if len(format) == 2: + format = int(format[0]), int(format[1]) + else: + format = int(float(format[0])), 0 + + check_hash(".changes", files, "md5sum", apt_pkg.md5sum) + check_hash(".dsc", dsc_files, "md5sum", apt_pkg.md5sum) + + if format >= (1,8): + hashes = [("sha1", apt_pkg.sha1sum), + ("sha256", apt_pkg.sha256sum)] + else: + hashes = [] + + for x in changes: + if x.startswith("checksum-"): + h = x.split("-",1)[1] + if h not in dict(hashes): + reject("Unsupported checksum field in .changes" % (h)) + + for x in dsc: + if x.startswith("checksum-"): + h = x.split("-",1)[1] + if h not in dict(hashes): + reject("Unsupported checksum field in .dsc" % (h)) + + for h,f in hashes: try: - file_handle = dak.lib.utils.open_file(file) - except dak.lib.utils.cant_open_exc: - continue + fs = daklib.utils.build_file_list(changes, 0, "checksums-%s" % h, h) + check_hash(".changes %s" % (h), fs, h, f, files) + except daklib.utils.no_files_exc: + reject("No Checksums-%s: field in .changes file" % (h)) - # Check md5sum - if apt_pkg.md5sum(file_handle) != files[file]["md5sum"]: - reject("%s: md5sum check failed." % (file)) - file_handle.close() - # Check size - actual_size = os.stat(file)[stat.ST_SIZE] - size = int(files[file]["size"]) - if size != actual_size: - reject("%s: actual file size (%s) does not match size (%s) in .changes" - % (file, actual_size, size)) + if "source" not in changes["architecture"]: continue + + try: + fs = daklib.utils.build_file_list(dsc, 1, "checksums-%s" % h, h) + check_hash(".dsc %s" % (h), fs, h, f, dsc_files) + except daklib.utils.no_files_exc: + reject("No Checksums-%s: field in .changes file" % (h)) + +################################################################################ + +def check_hash (where, files, key, testfn, basedict = None): + if basedict: + for file in basedict.keys(): + if file not in files: + reject("%s: no %s checksum" % (file, key)) + + for file in files.keys(): + if basedict and file not in basedict: + reject("%s: extraneous entry in %s checksums" % (file, key)) - for file in dsc_files.keys(): try: - file_handle = dak.lib.utils.open_file(file) - except dak.lib.utils.cant_open_exc: + file_handle = daklib.utils.open_file(file) + except daklib.utils.cant_open_exc: continue - # Check md5sum - if apt_pkg.md5sum(file_handle) != dsc_files[file]["md5sum"]: - reject("%s: md5sum check failed." % (file)) + # Check hash + if testfn(file_handle) != files[file][key]: + reject("%s: %s check failed." % (file, key)) file_handle.close() # Check size actual_size = os.stat(file)[stat.ST_SIZE] - size = int(dsc_files[file]["size"]) + size = int(files[file]["size"]) if size != actual_size: - reject("%s: actual file size (%s) does not match size (%s) in .dsc" - % (file, actual_size, size)) + reject("%s: actual file size (%s) does not match size (%s) in %s" + % (file, actual_size, size, where)) ################################################################################ @@ -961,14 +1013,14 @@ def check_timestamps(): if files[filename]["type"] == "deb": tar.reset() try: - deb_file = dak.lib.utils.open_file(filename) + deb_file = daklib.utils.open_file(filename) apt_inst.debExtract(deb_file,tar.callback,"control.tar.gz") deb_file.seek(0) try: apt_inst.debExtract(deb_file,tar.callback,"data.tar.gz") except SystemError, e: # If we can't find a data.tar.gz, look for data.tar.bz2 instead. - if not re.match(r"Cannot f[ui]nd chunk data.tar.gz$", str(e)): + if not re.search(r"Cannot f[ui]nd chunk data.tar.gz$", str(e)): raise deb_file.seek(0) apt_inst.debExtract(deb_file,tar.callback,"data.tar.bz2") @@ -994,6 +1046,128 @@ def check_timestamps(): except: reject("%s: deb contents timestamp check failed [%s: %s]" % (filename, sys.exc_type, sys.exc_value)) +################################################################################ + +def lookup_uid_from_fingerprint(fpr): + q = Upload.projectB.query("SELECT u.uid, u.name FROM fingerprint f, uid u WHERE f.uid = u.id AND f.fingerprint = '%s'" % (fpr)) + qs = q.getresult() + if len(qs) == 0: + return (None, None) + else: + return qs[0] + +def check_signed_by_key(): + """Ensure the .changes is signed by an authorized uploader.""" + + (uid, uid_name) = lookup_uid_from_fingerprint(changes["fingerprint"]) + if uid_name == None: + uid_name = "" + + # match claimed name with actual name: + if uid == None: + uid, uid_email = changes["fingerprint"], uid + may_nmu, may_sponsor = 1, 1 + # XXX by default new dds don't have a fingerprint/uid in the db atm, + # and can't get one in there if we don't allow nmu/sponsorship + elif uid[:3] == "dm:": + uid_email = uid[3:] + may_nmu, may_sponsor = 0, 0 + else: + uid_email = "%s@debian.org" % (uid) + may_nmu, may_sponsor = 1, 1 + + if uid_email in [changes["maintaineremail"], changes["changedbyemail"]]: + sponsored = 0 + elif uid_name in [changes["maintainername"], changes["changedbyname"]]: + sponsored = 0 + if uid_name == "": sponsored = 1 + else: + sponsored = 1 + if ("source" in changes["architecture"] and + daklib.utils.is_email_alias(uid_email)): + sponsor_addresses = daklib.utils.gpg_get_key_addresses(changes["fingerprint"]) + if (changes["maintaineremail"] not in sponsor_addresses and + changes["changedbyemail"] not in sponsor_addresses): + changes["sponsoremail"] = uid_email + + if sponsored and not may_sponsor: + reject("%s is not authorised to sponsor uploads" % (uid)) + + if not sponsored and not may_nmu: + source_ids = [] + check_suites = changes["distribution"].keys() + if "unstable" not in check_suites: check_suites.append("unstable") + for suite in check_suites: + suite_id = daklib.database.get_suite_id(suite) + q = Upload.projectB.query("SELECT s.id FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND sa.suite = %d" % (changes["source"], suite_id)) + for si in q.getresult(): + if si[0] not in source_ids: source_ids.append(si[0]) + + print "source_ids: %s" % (",".join([str(x) for x in source_ids])) + + is_nmu = 1 + for si in source_ids: + is_nmu = 1 + q = Upload.projectB.query("SELECT m.name FROM maintainer m WHERE m.id IN (SELECT maintainer FROM src_uploaders WHERE src_uploaders.source = %s)" % (si)) + for m in q.getresult(): + (rfc822, rfc2047, name, email) = daklib.utils.fix_maintainer(m[0]) + if email == uid_email or name == uid_name: + is_nmu=0 + break + if is_nmu: + reject("%s may not upload/NMU source package %s" % (uid, changes["source"])) + + for b in changes["binary"].keys(): + for suite in changes["distribution"].keys(): + suite_id = daklib.database.get_suite_id(suite) + q = Upload.projectB.query("SELECT DISTINCT s.source FROM source s JOIN binaries b ON (s.id = b.source) JOIN bin_associations ba On (b.id = ba.bin) WHERE b.package = '%s' AND ba.suite = %s" % (b, suite_id)) + for s in q.getresult(): + if s[0] != changes["source"]: + reject("%s may not hijack %s from source package %s in suite %s" % (uid, b, s, suite)) + + for file in files.keys(): + if files[file].has_key("byhand"): + reject("%s may not upload BYHAND file %s" % (uid, file)) + if files[file].has_key("new"): + reject("%s may not upload NEW file %s" % (uid, file)) + + # The remaining checks only apply to binary-only uploads right now + if changes["architecture"].has_key("source"): + return + + if not Cnf.Exists("Binary-Upload-Restrictions"): + return + + restrictions = Cnf.SubTree("Binary-Upload-Restrictions") + + # If the restrictions only apply to certain components make sure + # that the upload is actual targeted there. + if restrictions.Exists("Components"): + restricted_components = restrictions.SubTree("Components").ValueList() + is_restricted = False + for file in files: + if files[file]["component"] in restricted_components: + is_restricted = True + break + if not is_restricted: + return + + # Assuming binary only upload restrictions are in place we then + # iterate over suite and architecture checking the key is in the + # allowed list. If no allowed list exists for a given suite or + # architecture it's assumed to be open to anyone. + for suite in changes["distribution"].keys(): + if not restrictions.Exists(suite): + continue + for arch in changes["architecture"].keys(): + if not restrictions.SubTree(suite).Exists(arch): + continue + allowed_keys = restrictions.SubTree("%s::%s" % (suite, arch)).ValueList() + if changes["fingerprint"] not in allowed_keys: + base_filename = os.path.basename(pkg.changes_file) + reject("%s: not signed by authorised uploader for %s/%s" + % (base_filename, suite, arch)) + ################################################################################ ################################################################################ @@ -1032,13 +1206,19 @@ def action (): # q-unapproved hax0ring queue_info = { "New": { "is": is_new, "process": acknowledge_new }, + "Autobyhand" : { "is" : is_autobyhand, "process": do_autobyhand }, "Byhand" : { "is": is_byhand, "process": do_byhand }, + "OldStableUpdate" : { "is": is_oldstableupdate, + "process": do_oldstableupdate }, + "StableUpdate" : { "is": is_stableupdate, "process": do_stableupdate }, "Unembargo" : { "is": is_unembargo, "process": queue_unembargo }, "Embargo" : { "is": is_embargo, "process": queue_embargo }, } - queues = [ "New", "Byhand" ] + queues = [ "New", "Autobyhand", "Byhand" ] if Cnf.FindB("Dinstall::SecurityQueueHandling"): queues += [ "Unembargo", "Embargo" ] + else: + queues += [ "OldStableUpdate", "StableUpdate" ] (prompt, answer) = ("", "XXX") if Options["No-Action"] or Options["Automatic"]: @@ -1080,8 +1260,8 @@ def action (): answer = 'A' while prompt.find(answer) == -1: - answer = dak.lib.utils.our_raw_input(prompt) - m = dak.lib.queue.re_default_answer.match(prompt) + answer = daklib.utils.our_raw_input(prompt) + m = daklib.queue.re_default_answer.match(prompt) if answer == "": answer = m.group(1) answer = answer[:1].upper() @@ -1093,7 +1273,7 @@ def action (): accept(summary, short_summary) remove_from_unchecked() elif answer == queuekey: - queue_info[queue]["process"](summary) + queue_info[queue]["process"](summary, short_summary) remove_from_unchecked() elif answer == 'Q': sys.exit(0) @@ -1113,10 +1293,10 @@ def accept (summary, short_summary): ################################################################################ def move_to_dir (dest, perms=0660, changesperms=0664): - dak.lib.utils.move (pkg.changes_file, dest, perms=changesperms) + daklib.utils.move (pkg.changes_file, dest, perms=changesperms) file_keys = files.keys() for file in file_keys: - dak.lib.utils.move (file, dest, perms=perms) + daklib.utils.move (file, dest, perms=perms) ################################################################################ @@ -1128,7 +1308,12 @@ def is_unembargo (): if ql: return 1 - if pkg.directory == Cnf["Dir::Queue::Disembargo"].rstrip("/"): + oldcwd = os.getcwd() + os.chdir(Cnf["Dir::Queue::Disembargo"]) + disdir = os.getcwd() + os.chdir(oldcwd) + + if pkg.directory == disdir: if changes["architecture"].has_key("source"): if Options["No-Action"]: return 1 @@ -1139,7 +1324,7 @@ def is_unembargo (): return 0 -def queue_unembargo (summary): +def queue_unembargo (summary, short_summary): print "Moving to UNEMBARGOED holding area." Logger.log(["Moving to unembargoed", pkg.changes_file]) @@ -1154,9 +1339,10 @@ def queue_unembargo (summary): ################################################################################ def is_embargo (): - return 0 + # if embargoed queues are enabled always embargo + return 1 -def queue_embargo (summary): +def queue_embargo (summary, short_summary): print "Moving to EMBARGOED holding area." Logger.log(["Moving to embargoed", pkg.changes_file]) @@ -1170,13 +1356,138 @@ def queue_embargo (summary): ################################################################################ +def is_stableupdate (): + if not changes["distribution"].has_key("proposed-updates"): + return 0 + + if not changes["architecture"].has_key("source"): + pusuite = daklib.database.get_suite_id("proposed-updates") + q = Upload.projectB.query( + "SELECT S.source FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND s.version = '%s' AND sa.suite = %d" % + (changes["source"], changes["version"], pusuite)) + ql = q.getresult() + if ql: + # source is already in proposed-updates so no need to hold + return 0 + + return 1 + +def do_stableupdate (summary, short_summary): + print "Moving to PROPOSED-UPDATES holding area." + Logger.log(["Moving to proposed-updates", pkg.changes_file]); + + Upload.dump_vars(Cnf["Dir::Queue::ProposedUpdates"]); + move_to_dir(Cnf["Dir::Queue::ProposedUpdates"]) + + # Check for override disparities + Upload.Subst["__SUMMARY__"] = summary; + Upload.check_override(); + +################################################################################ + +def is_oldstableupdate (): + if not changes["distribution"].has_key("oldstable-proposed-updates"): + return 0 + + if not changes["architecture"].has_key("source"): + pusuite = daklib.database.get_suite_id("oldstable-proposed-updates") + q = Upload.projectB.query( + "SELECT S.source FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND s.version = '%s' AND sa.suite = %d" % + (changes["source"], changes["version"], pusuite)) + ql = q.getresult() + if ql: + # source is already in oldstable-proposed-updates so no need to hold + return 0 + + return 1 + +def do_oldstableupdate (summary, short_summary): + print "Moving to OLDSTABLE-PROPOSED-UPDATES holding area." + Logger.log(["Moving to oldstable-proposed-updates", pkg.changes_file]); + + Upload.dump_vars(Cnf["Dir::Queue::OldProposedUpdates"]); + move_to_dir(Cnf["Dir::Queue::OldProposedUpdates"]) + + # Check for override disparities + Upload.Subst["__SUMMARY__"] = summary; + Upload.check_override(); + +################################################################################ + +def is_autobyhand (): + all_auto = 1 + any_auto = 0 + for file in files.keys(): + if files[file].has_key("byhand"): + any_auto = 1 + + # filename is of form "PKG_VER_ARCH.EXT" where PKG, VER and ARCH + # don't contain underscores, and ARCH doesn't contain dots. + # further VER matches the .changes Version:, and ARCH should be in + # the .changes Architecture: list. + if file.count("_") < 2: + all_auto = 0 + continue + + (pkg, ver, archext) = file.split("_", 2) + if archext.count(".") < 1 or changes["version"] != ver: + all_auto = 0 + continue + + ABH = Cnf.SubTree("AutomaticByHandPackages") + if not ABH.has_key(pkg) or \ + ABH["%s::Source" % (pkg)] != changes["source"]: + print "not match %s %s" % (pkg, changes["source"]) + all_auto = 0 + continue + + (arch, ext) = archext.split(".", 1) + if arch not in changes["architecture"]: + all_auto = 0 + continue + + files[file]["byhand-arch"] = arch + files[file]["byhand-script"] = ABH["%s::Script" % (pkg)] + + return any_auto and all_auto + +def do_autobyhand (summary, short_summary): + print "Attempting AUTOBYHAND." + byhandleft = 0 + for file in files.keys(): + byhandfile = file + if not files[file].has_key("byhand"): + continue + if not files[file].has_key("byhand-script"): + byhandleft = 1 + continue + + os.system("ls -l %s" % byhandfile) + result = os.system("%s %s %s %s %s" % ( + files[file]["byhand-script"], byhandfile, + changes["version"], files[file]["byhand-arch"], + os.path.abspath(pkg.changes_file))) + if result == 0: + os.unlink(byhandfile) + del files[file] + else: + print "Error processing %s, left as byhand." % (file) + byhandleft = 1 + + if byhandleft: + do_byhand(summary, short_summary) + else: + accept(summary, short_summary) + +################################################################################ + def is_byhand (): for file in files.keys(): if files[file].has_key("byhand"): return 1 return 0 -def do_byhand (summary): +def do_byhand (summary, short_summary): print "Moving to BYHAND holding area." Logger.log(["Moving to byhand", pkg.changes_file]) @@ -1195,7 +1506,7 @@ def is_new (): return 1 return 0 -def acknowledge_new (summary): +def acknowledge_new (summary, short_summary): Subst = Upload.Subst print "Moving to NEW holding area." @@ -1207,8 +1518,8 @@ def acknowledge_new (summary): if not Options["No-Mail"]: print "Sending new ack." Subst["__SUMMARY__"] = summary - new_ack_message = dak.lib.utils.TemplateSubst(Subst,Cnf["Dir::Templates"]+"/process-unchecked.new") - dak.lib.utils.send_mail(new_ack_message) + new_ack_message = daklib.utils.TemplateSubst(Subst,Cnf["Dir::Templates"]+"/process-unchecked.new") + daklib.utils.send_mail(new_ack_message) ################################################################################ @@ -1249,7 +1560,7 @@ def process_it (changes_file): # Relativize the filename so we use the copy in holding # rather than the original... pkg.changes_file = os.path.basename(pkg.changes_file) - changes["fingerprint"] = dak.lib.utils.check_signature(pkg.changes_file, reject) + changes["fingerprint"] = daklib.utils.check_signature(pkg.changes_file, reject) if changes["fingerprint"]: valid_changes_p = check_changes() else: @@ -1261,9 +1572,10 @@ def process_it (changes_file): valid_dsc_p = check_dsc() if valid_dsc_p: check_source() - check_md5sums() + check_hashes() check_urgency() check_timestamps() + check_signed_by_key() Upload.update_subst(reject_message) action() except SystemExit: @@ -1290,16 +1602,16 @@ def main(): # Ensure all the arguments we were given are .changes files for file in changes_files: if not file.endswith(".changes"): - dak.lib.utils.warn("Ignoring '%s' because it's not a .changes file." % (file)) + daklib.utils.warn("Ignoring '%s' because it's not a .changes file." % (file)) changes_files.remove(file) if changes_files == []: - dak.lib.utils.fubar("Need at least one .changes file as an argument.") + daklib.utils.fubar("Need at least one .changes file as an argument.") # Check that we aren't going to clash with the daily cron job if not Options["No-Action"] and os.path.exists("%s/daily.lock" % (Cnf["Dir::Lock"])) and not Options["No-Lock"]: - dak.lib.utils.fubar("Archive maintenance in progress. Try again later.") + daklib.utils.fubar("Archive maintenance in progress. Try again later.") # Obtain lock if not in no-action mode and initialize the log @@ -1309,13 +1621,13 @@ def main(): fcntl.lockf(lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB) except IOError, e: if errno.errorcode[e.errno] == 'EACCES' or errno.errorcode[e.errno] == 'EAGAIN': - dak.lib.utils.fubar("Couldn't obtain lock; assuming another 'dak process-unchecked' is already running.") + daklib.utils.fubar("Couldn't obtain lock; assuming another 'dak process-unchecked' is already running.") else: raise - Logger = Upload.Logger = dak.lib.logging.Logger(Cnf, "process-unchecked") + Logger = Upload.Logger = daklib.logging.Logger(Cnf, "process-unchecked") # debian-{devel-,}-changes@lists.debian.org toggles writes access based on this header - bcc = "X-DAK: dak process-unchecked\nX-Katie: this header is obsolete" + bcc = "X-DAK: dak process-unchecked\nX-Katie: $Revision: 1.65 $" if Cnf.has_key("Dinstall::Bcc"): Upload.Subst["__BCC__"] = bcc + "\nBcc: %s" % (Cnf["Dinstall::Bcc"]) else: @@ -1323,7 +1635,7 @@ def main(): # Sort the .changes files so that we process sourceful ones first - changes_files.sort(dak.lib.utils.changes_compare) + changes_files.sort(daklib.utils.changes_compare) # Process the changes files for changes_file in changes_files: @@ -1340,7 +1652,7 @@ def main(): sets = "set" if accept_count > 1: sets = "sets" - print "Accepted %d package %s, %s." % (accept_count, sets, dak.lib.utils.size_type(int(accept_bytes))) + print "Accepted %d package %s, %s." % (accept_count, sets, daklib.utils.size_type(int(accept_bytes))) Logger.log(["total",accept_count,accept_bytes]) if not Options["No-Action"]: