X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Fchecks.py;h=8111ef7555e1198729a7f7cf1fbda4b009245f78;hb=a3bb8f4b75f1812f14f4df676b16fb3fc0e38be9;hp=81bd629e481e171991d1ddf0da8d3b4dce282c12;hpb=707a89a3b86961755a99cb9e1a0a5f23690f9529;p=dak.git

diff --git a/daklib/checks.py b/daklib/checks.py
index 81bd629e..8111ef75 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -354,6 +354,10 @@ class ACLCheck(Check):
     """Check the uploader is allowed to upload the packages in .changes"""
 
     def _does_hijack(self, session, upload, suite):
+        # Try to catch hijacks.
+        # This doesn't work correctly. Uploads to experimental can still
+        # "hijack" binaries from unstable. Also one can hijack packages
+        # via buildds (but people who try this should not be DMs).
         for binary_name in upload.changes.binary_names:
             binaries = session.query(DBBinary).join(DBBinary.source) \
                 .filter(DBBinary.suites.contains(suite)) \
@@ -389,9 +393,9 @@ class ACLCheck(Check):
                 uploaded_arches = set(upload.changes.architectures)
                 uploaded_arches.discard('source')
                 allowed_arches = set(a.arch_string for a in acl.architectures)
-                for a in uploaded_arches:
-                    if a not in allowed_arches:
-                        return False, "uploads for architecture {0} are not allowed".format(a)
+                forbidden_arches = uploaded_arches - allowed_arches
+                if len(forbidden_arches) != 0:
+                    return False, "uploads for architecture(s) {0} are not allowed".format(", ".join(forbidden_arches))
         if not acl.allow_hijack:
             for suite in upload.final_suites:
                 does_hijack, hijacked_binary, hijacked_from = self._does_hijack(session, upload, suite)
@@ -401,6 +405,7 @@ class ACLCheck(Check):
         acl_per_source = session.query(ACLPerSource).filter_by(acl=acl, fingerprint=upload.fingerprint, source=source_name).first()
         if acl.allow_per_source:
             # XXX: Drop DMUA part here and switch to new implementation.
+            # XXX: Send warning mail once users can set the new DMUA flag
             dmua_status, dmua_reason = self._check_dmua(upload)
             if not dmua_status:
                 return False, dmua_reason
@@ -590,7 +595,7 @@ class LintianCheck(Check):
         except yaml.YAMLError as msg:
             raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
 
-        fd, temp_filename = utils.temp_filename()
+        fd, temp_filename = utils.temp_filename(mode=0o644)
         temptagfile = os.fdopen(fd, 'w')
         for tags in lintiantags.itervalues():
             for tag in tags:
@@ -599,8 +604,10 @@ class LintianCheck(Check):
 
         changespath = os.path.join(upload.directory, changes.filename)
         try:
-            # FIXME: no shell
-            cmd = "lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
+            if cnf.unprivgroup:
+                cmd = "sudo -H -u {0} -- /usr/bin/lintian --show-overrides --tags-from-file {1} {2}".format(cnf.unprivgroup, temp_filename, changespath)
+            else:
+                cmd = "/usr/bin/lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
             result, output = commands.getstatusoutput(cmd)
         finally:
             os.unlink(temp_filename)