X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=dak%2Fprocess_unchecked.py;h=fd0afc4e0f3d2aa2cec57679157d9364f158a37c;hb=203e76d0f6eddac1ad270d68df5e96357d0d0011;hp=779f6765c0418e711502d2d8b1e76a9f3c689ba3;hpb=95f05e8aac2673dadfef6aed999551d60cb6d322;p=dak.git diff --git a/dak/process_unchecked.py b/dak/process_unchecked.py index 779f6765..fd0afc4e 100755 --- a/dak/process_unchecked.py +++ b/dak/process_unchecked.py @@ -450,7 +450,8 @@ def check_files(): # Ensure the architecture of the .deb is one we know about. default_suite = Cnf.get("Dinstall::DefaultSuite", "Unstable") architecture = control.Find("Architecture") - if architecture not in Cnf.ValueList("Suite::%s::Architectures" % (default_suite)): + upload_suite = changes["distribution"].keys()[0] + if architecture not in Cnf.ValueList("Suite::%s::Architectures" % (default_suite)) and architecture not in Cnf.ValueList("Suite::%s::Architectures" % (upload_suite)): reject("Unknown architecture '%s'." % (architecture)) # Ensure the architecture of the .deb is one of the ones @@ -996,7 +997,7 @@ def check_timestamps(): ################################################################################ def lookup_uid_from_fingerprint(fpr): - q = Upload.projectB.query("SELECT u.uid, u.name FROM fingerprint f, uid u WHERE f.uid = u.id AND f.fingerprint = '%s'" % (fpr)) + q = Upload.projectB.query("SELECT u.uid, u.name, k.debian_maintainer FROM fingerprint f JOIN keyrings k ON (f.keyring=k.id), uid u WHERE f.uid = u.id AND f.fingerprint = '%s'" % (fpr)) qs = q.getresult() if len(qs) == 0: return (None, None) @@ -1006,7 +1007,7 @@ def lookup_uid_from_fingerprint(fpr): def check_signed_by_key(): """Ensure the .changes is signed by an authorized uploader.""" - (uid, uid_name) = lookup_uid_from_fingerprint(changes["fingerprint"]) + (uid, uid_name, is_dm) = lookup_uid_from_fingerprint(changes["fingerprint"]) if uid_name == None: uid_name = "" @@ -1016,8 +1017,8 @@ def check_signed_by_key(): may_nmu, may_sponsor = 1, 1 # XXX by default new dds don't have a fingerprint/uid in the db atm, # and can't get one in there if we don't allow nmu/sponsorship - elif uid[:3] == "dm:": - uid_email = uid[3:] + elif is_dm is "t": + uid_email = uid may_nmu, may_sponsor = 0, 0 else: uid_email = "%s@debian.org" % (uid) @@ -1042,27 +1043,28 @@ def check_signed_by_key(): if not sponsored and not may_nmu: source_ids = [] - check_suites = changes["distribution"].keys() - if "unstable" not in check_suites: check_suites.append("unstable") - for suite in check_suites: - suite_id = database.get_suite_id(suite) - q = Upload.projectB.query("SELECT s.id FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND sa.suite = %d" % (changes["source"], suite_id)) - for si in q.getresult(): - if si[0] not in source_ids: source_ids.append(si[0]) - - print "source_ids: %s" % (",".join([str(x) for x in source_ids])) - - is_nmu = 1 - for si in source_ids: - is_nmu = 1 - q = Upload.projectB.query("SELECT m.name FROM maintainer m WHERE m.id IN (SELECT maintainer FROM src_uploaders WHERE src_uploaders.source = %s)" % (si)) + q = Upload.projectB.query("SELECT s.id, s.version FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND s.dm_upload_allowed = 'yes'" % (changes["source"])) + + highest_sid, highest_version = None, None + + should_reject = True + for si in q.getresult(): + if highest_version == None or apt_pkg.VersionCompare(si[1], highest_version) == 1: + highest_sid = si[0] + highest_version = si[1] + + if highest_sid == None: + reject("Source package %s does not have 'DM-Upload-Allowed: yes' in its most recent version" % changes["source"]) + else: + q = Upload.projectB.query("SELECT m.name FROM maintainer m WHERE m.id IN (SELECT su.maintainer FROM src_uploaders su JOIN source s ON (s.id = su.source) WHERE su.source = %s)" % (highest_sid)) for m in q.getresult(): (rfc822, rfc2047, name, email) = utils.fix_maintainer(m[0]) if email == uid_email or name == uid_name: - is_nmu=0 + should_reject=True break - if is_nmu: - reject("%s may not upload/NMU source package %s" % (uid, changes["source"])) + + if should_reject == True: + reject("%s is not in Maintainer or Uploaders of source package %s" % (uid, changes["source"])) for b in changes["binary"].keys(): for suite in changes["distribution"].keys(): @@ -1078,42 +1080,6 @@ def check_signed_by_key(): if files[f].has_key("new"): reject("%s may not upload NEW file %s" % (uid, f)) - # The remaining checks only apply to binary-only uploads right now - if changes["architecture"].has_key("source"): - return - - if not Cnf.Exists("Binary-Upload-Restrictions"): - return - - restrictions = Cnf.SubTree("Binary-Upload-Restrictions") - - # If the restrictions only apply to certain components make sure - # that the upload is actual targeted there. - if restrictions.Exists("Components"): - restricted_components = restrictions.SubTree("Components").ValueList() - is_restricted = False - for f in files: - if files[f]["component"] in restricted_components: - is_restricted = True - break - if not is_restricted: - return - - # Assuming binary only upload restrictions are in place we then - # iterate over suite and architecture checking the key is in the - # allowed list. If no allowed list exists for a given suite or - # architecture it's assumed to be open to anyone. - for suite in changes["distribution"].keys(): - if not restrictions.Exists(suite): - continue - for arch in changes["architecture"].keys(): - if not restrictions.SubTree(suite).Exists(arch): - continue - allowed_keys = restrictions.SubTree("%s::%s" % (suite, arch)).ValueList() - if changes["fingerprint"] not in allowed_keys: - base_filename = os.path.basename(pkg.changes_file) - reject("%s: not signed by authorised uploader for %s/%s" - % (base_filename, suite, arch)) ################################################################################ ################################################################################ @@ -1283,6 +1249,14 @@ def queue_unembargo (summary, short_summary): Upload.Subst["__SUMMARY__"] = summary Upload.check_override() + # Send accept mail, announce to lists, close bugs and check for + # override disparities + if not Cnf["Dinstall::Options::No-Mail"]: + Upload.Subst["__SUITE__"] = "" + mail_message = utils.TemplateSubst(Upload.Subst,Cnf["Dir::Templates"]+"/process-unchecked.accepted") + utils.send_mail(mail_message) + Upload.announce(short_summary, 1) + ################################################################################ def is_embargo (): @@ -1301,6 +1275,14 @@ def queue_embargo (summary, short_summary): Upload.Subst["__SUMMARY__"] = summary Upload.check_override() + # Send accept mail, announce to lists, close bugs and check for + # override disparities + if not Cnf["Dinstall::Options::No-Mail"]: + Upload.Subst["__SUITE__"] = "" + mail_message = utils.TemplateSubst(Upload.Subst,Cnf["Dir::Templates"]+"/process-unchecked.accepted") + utils.send_mail(mail_message) + Upload.announce(short_summary, 1) + ################################################################################ def is_stableupdate (): @@ -1324,7 +1306,7 @@ def do_stableupdate (summary, short_summary): Logger.log(["Moving to proposed-updates", pkg.changes_file]); Upload.dump_vars(Cnf["Dir::Queue::ProposedUpdates"]); - move_to_dir(Cnf["Dir::Queue::ProposedUpdates"]) + move_to_dir(Cnf["Dir::Queue::ProposedUpdates"], perms=0664) # Check for override disparities Upload.Subst["__SUMMARY__"] = summary; @@ -1353,7 +1335,7 @@ def do_oldstableupdate (summary, short_summary): Logger.log(["Moving to oldstable-proposed-updates", pkg.changes_file]); Upload.dump_vars(Cnf["Dir::Queue::OldProposedUpdates"]); - move_to_dir(Cnf["Dir::Queue::OldProposedUpdates"]) + move_to_dir(Cnf["Dir::Queue::OldProposedUpdates"], perms=0664) # Check for override disparities Upload.Subst["__SUMMARY__"] = summary;