X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Farchive.py;h=577601c4b354a326d93f320f44f88a3b016ece47;hb=12e10a29eed2843efda0dfa13483a81877216cec;hp=5c98eeca826cfec49355fc7a43e5fdf40454c94b;hpb=707a89a3b86961755a99cb9e1a0a5f23690f9529;p=dak.git

diff --git a/daklib/archive.py b/daklib/archive.py
index 5c98eeca..577601c4 100644
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -623,11 +623,12 @@ class ArchiveUpload(object):
         cnf = Config()
         session = self.transaction.session
 
-        self.directory = tempfile.mkdtemp(dir=cnf.get('Dir::TempPath'))
+        self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
+                                            mode=0o2750, group=cnf.unprivgroup)
         with FilesystemTransaction() as fs:
             src = os.path.join(self.original_directory, self.original_changes.filename)
             dst = os.path.join(self.directory, self.original_changes.filename)
-            fs.copy(src, dst)
+            fs.copy(src, dst, mode=0o640)
 
             self.changes = upload.Changes(self.directory, self.original_changes.filename, self.keyrings)
 
@@ -636,7 +637,7 @@ class ArchiveUpload(object):
                 dst = os.path.join(self.directory, f.filename)
                 if not os.path.exists(src):
                     continue
-                fs.copy(src, dst)
+                fs.copy(src, dst, mode=0o640)
 
             source = self.changes.source
             if source is not None:
@@ -860,6 +861,7 @@ class ArchiveUpload(object):
                     checks.SignatureCheck,
                     checks.ChangesCheck,
                     checks.HashesCheck,
+                    checks.ExternalHashesCheck,
                     checks.SourceCheck,
                     checks.BinaryCheck,
                     checks.BinaryTimestampCheck,