X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=jennifer;h=0e8f0393a650a890797e0c10d6a26221c750af8d;hb=f53cb37a4513b4f40bba71cbc5eadefb18e5886f;hp=f23d62a5997cd1ebee598ddad28ca1fc1fcbb359;hpb=c846e77a848d60dd115f00faa0d9a854161d99eb;p=dak.git diff --git a/jennifer b/jennifer index f23d62a5..0e8f0393 100755 --- a/jennifer +++ b/jennifer @@ -1,8 +1,8 @@ #!/usr/bin/env python # Checks Debian packages from Incoming -# Copyright (C) 2000, 2001, 2002 James Troup -# $Id: jennifer,v 1.27 2002-10-16 02:47:32 troup Exp $ +# Copyright (C) 2000, 2001, 2002, 2003 James Troup +# $Id: jennifer,v 1.37 2003-09-22 01:28:08 troup Exp $ # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -29,7 +29,7 @@ ################################################################################ -import FCNTL, errno, fcntl, gzip, os, re, select, shutil, stat, sys, time, traceback; +import errno, fcntl, gzip, os, re, shutil, stat, sys, time, traceback; import apt_inst, apt_pkg; import db_access, katie, logging, utils; @@ -45,7 +45,7 @@ re_valid_pkg_name = re.compile(r"^[\dA-Za-z][\dA-Za-z\+\-\.]+$"); ################################################################################ # Globals -jennifer_version = "$Revision: 1.27 $"; +jennifer_version = "$Revision: 1.37 $"; Cnf = None; Options = None; @@ -87,6 +87,12 @@ def init(): changes_files = apt_pkg.ParseCommandLine(Cnf,Arguments,sys.argv); Options = Cnf.SubTree("Dinstall::Options") + if Options["Help"]: + usage(); + elif Options["Version"]: + print "jennifer %s" % (jennifer_version); + sys.exit(0); + Katie = katie.Katie(Cnf); changes = Katie.pkg.changes; @@ -97,7 +103,7 @@ def init(): return changes_files; -######################################################################################### +################################################################################ def usage (exit_code=0): print """Usage: dinstall [OPTION]... [CHANGES]... @@ -109,188 +115,13 @@ def usage (exit_code=0): -V, --version display the version number and exit""" sys.exit(exit_code) -######################################################################################### - -# Our very own version of commands.getouputstatus(), hacked to support -# gpgv's status fd. -def get_status_output(cmd, status_read, status_write): - cmd = ['/bin/sh', '-c', cmd]; - p2cread, p2cwrite = os.pipe(); - c2pread, c2pwrite = os.pipe(); - errout, errin = os.pipe(); - pid = os.fork(); - if pid == 0: - # Child - os.close(0); - os.close(1); - os.dup(p2cread); - os.dup(c2pwrite); - os.close(2); - os.dup(errin); - for i in range(3, 256): - if i != status_write: - try: - os.close(i); - except: - pass; - try: - os.execvp(cmd[0], cmd); - finally: - os._exit(1); - - # parent - os.close(p2cread) - os.dup2(c2pread, c2pwrite); - os.dup2(errout, errin); - - output = status = ""; - while 1: - i, o, e = select.select([c2pwrite, errin, status_read], [], []); - more_data = []; - for fd in i: - r = os.read(fd, 8196); - if len(r) > 0: - more_data.append(fd); - if fd == c2pwrite or fd == errin: - output += r; - elif fd == status_read: - status += r; - else: - utils.fubar("Unexpected file descriptor [%s] returned from select\n" % (fd)); - if not more_data: - pid, exit_status = os.waitpid(pid, 0) - try: - os.close(status_write); - os.close(status_read); - os.close(c2pread); - os.close(c2pwrite); - os.close(p2cwrite); - os.close(errin); - os.close(errout); - except: - pass; - break; - - return output, status, exit_status; - -######################################################################################### - -def Dict(**dict): return dict +################################################################################ def reject (str, prefix="Rejected: "): global reject_message; if str: reject_message += prefix + str + "\n"; -######################################################################################### - -def check_signature (filename): - if not utils.re_taint_free.match(os.path.basename(filename)): - reject("!!WARNING!! tainted filename: '%s'." % (filename)); - return 0; - - status_read, status_write = os.pipe(); - cmd = "gpgv --status-fd %s --keyring %s --keyring %s %s" \ - % (status_write, Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"], filename); - (output, status, exit_status) = get_status_output(cmd, status_read, status_write); - - # Process the status-fd output - keywords = {}; - bad = internal_error = ""; - for line in status.split('\n'): - line = line.strip(); - if line == "": - continue; - split = line.split(); - if len(split) < 2: - internal_error += "gpgv status line is malformed (< 2 atoms) ['%s'].\n" % (line); - continue; - (gnupg, keyword) = split[:2]; - if gnupg != "[GNUPG:]": - internal_error += "gpgv status line is malformed (incorrect prefix '%s').\n" % (gnupg); - continue; - args = split[2:]; - if keywords.has_key(keyword) and keyword != "NODATA": - internal_error += "found duplicate status token ('%s').\n" % (keyword); - continue; - else: - keywords[keyword] = args; - - # If we failed to parse the status-fd output, let's just whine and bail now - if internal_error: - reject("internal error while performing signature check on %s." % (filename)); - reject(internal_error, ""); - reject("Please report the above errors to the Archive maintainers by replying to this mail.", ""); - return None; - - # Now check for obviously bad things in the processed output - if keywords.has_key("SIGEXPIRED"): - reject("key used to sign %s has expired." % (filename)); - bad = 1; - if keywords.has_key("KEYREVOKED"): - reject("key used to sign %s has been revoked." % (filename)); - bad = 1; - if keywords.has_key("BADSIG"): - reject("bad signature on %s." % (filename)); - bad = 1; - if keywords.has_key("ERRSIG") and not keywords.has_key("NO_PUBKEY"): - reject("failed to check signature on %s." % (filename)); - bad = 1; - if keywords.has_key("NO_PUBKEY"): - reject("key used to sign %s not found in keyring." % (filename)); - bad = 1; - if keywords.has_key("BADARMOR"): - reject("ascii armour of signature was corrupt in %s." % (filename)); - bad = 1; - if keywords.has_key("NODATA"): - reject("no signature found in %s." % (filename)); - bad = 1; - - if bad: - return None; - - # Next check gpgv exited with a zero return code - if exit_status: - reject("gpgv failed while checking %s." % (filename)); - if status.strip(): - reject(utils.prefix_multi_line_string(status, " [GPG status-fd output:] "), ""); - else: - reject(utils.prefix_multi_line_string(output, " [GPG output:] "), ""); - return None; - - # Sanity check the good stuff we expect - if not keywords.has_key("VALIDSIG"): - reject("signature on %s does not appear to be valid [No VALIDSIG]." % (filename)); - bad = 1; - else: - args = keywords["VALIDSIG"]; - if len(args) < 1: - reject("internal error while checking signature on %s." % (filename)); - bad = 1; - else: - fingerprint = args[0]; - if not keywords.has_key("GOODSIG"): - reject("signature on %s does not appear to be valid [No GOODSIG]." % (filename)); - bad = 1; - if not keywords.has_key("SIG_ID"): - reject("signature on %s does not appear to be valid [No SIG_ID]." % (filename)); - bad = 1; - - # Finally ensure there's not something we don't recognise - known_keywords = Dict(VALIDSIG="",SIG_ID="",GOODSIG="",BADSIG="",ERRSIG="", - SIGEXPIRED="",KEYREVOKED="",NO_PUBKEY="",BADARMOR="", - NODATA=""); - - for keyword in keywords.keys(): - if not known_keywords.has_key(keyword): - reject("found unknown status token '%s' from gpgv with args '%r' in %s." % (keyword, keywords[keyword], filename)); - bad = 1; - - if bad: - return None; - else: - return fingerprint; - ################################################################################ def copy_to_holding(filename): @@ -337,7 +168,7 @@ def clean_holding(): os.chdir(Cnf["Dir::Queue::Holding"]); for file in in_holding.keys(): if os.path.exists(file): - if file.find(file, '/') != -1: + if file.find('/') != -1: utils.fubar("WTF? clean_holding() got a file ('%s') with / in it!" % (file)); else: os.unlink(file); @@ -410,7 +241,7 @@ def check_changes(): base_filename = os.path.basename(filename); for dir in [ "Accepted", "Byhand", "Done", "New" ]: if os.path.exists(Cnf["Dir::Queue::%s" % (dir) ]+'/'+base_filename): - reject("a changes file with the same name already exists in the %s directory." % (dir)); + reject("%s: a file with this name already exists in the %s directory." % (base_filename, dir)); return 1; @@ -543,6 +374,11 @@ def check_files(): if not changes["architecture"].has_key(architecture): reject("%s: control file lists arch as `%s', which isn't in changes file." % (file, architecture)); + # Sanity-check the Depends field + depends = control.Find("Depends"); + if depends == '': + reject("%s: Depends field is empty." % (file)); + # Check the section & priority match those given in the .changes (non-fatal) if control.Find("Section") != None and files[file]["section"] != "" and files[file]["section"] != control.Find("Section"): reject("%s control file lists section as `%s', but changes file has `%s'." % (file, control.Find("Section", ""), files[file]["section"]), "Warning: "); @@ -596,7 +432,7 @@ def check_files(): reject("source version (%s) for %s doesn't match changes version %s." % (source_version, file, changes["version"])); else: # Check in the SQL database - if not Katie.source_exists(source_package, source_version): + if not Katie.source_exists(source_package, source_version, changes["distribution"].keys()): # Check in one of the other directories source_epochless_version = utils.re_no_epoch.sub('', source_version); dsc_filename = "%s_%s.dsc" % (source_package, source_epochless_version); @@ -635,7 +471,7 @@ def check_files(): # Check the signature of a .dsc file if files[file]["type"] == "dsc": - dsc["fingerprint"] = check_signature(file); + dsc["fingerprint"] = utils.check_signature(file, reject); files[file]["architecture"] = "source"; @@ -760,13 +596,15 @@ def check_dsc (): if dsc.has_key("version") and not re_valid_version.match(dsc["version"]): reject("%s: invalid version number '%s'." % (file, dsc["version"])); - # The dpkg maintainer from hell strikes again! Bumping the - # version number of the .dsc breaks extraction by stable's - # dpkg-source. + # Bumping the version number of the .dsc breaks extraction by stable's + # dpkg-source. So let's not do that... if dsc["format"] != "1.0": - reject("""[dpkg-sucks] source package was produced by a broken version - of dpkg-dev 1.9.1{3,4}; please rebuild with >= 1.9.15 version - installed."""); + reject("%s: incompatible 'Format' version produced by a broken version of dpkg-dev 1.9.1{3,4}." % (file)); + + # Build-Depends: ARRAY() is not good ... + if (dsc.get("build-depends","").find("ARRAY") == 0 or + dsc.get("build-depends-indep","").find("ARRAY") == 0): + reject("%s: invalid Build-Depends field produced by a broken version of dpkg-dev (1.10.11)" % (file)); # Ensure the version number in the .dsc matches the version number in the .changes epochless_dsc_version = utils.re_no_epoch.sub('', dsc.get("version")); @@ -806,19 +644,16 @@ def check_dsc (): ################################################################################ -# Some cunning stunt broke dpkg-source in dpkg 1.8{,.1}; detect the +# dpkg-source broke .diff.gz generation in dpkg 1.8.x; detect the # resulting bad source packages and reject them. -# Even more amusingly the fix in 1.8.1.1 didn't actually fix the -# problem just changed the symptoms. - def check_diff (): for filename in files.keys(): if files[filename]["type"] == "diff.gz": file = gzip.GzipFile(filename, 'r'); for line in file.readlines(): if re_bad_diff.search(line): - reject("[dpkg-sucks] source package was produced by a broken version of dpkg-dev 1.8.x; please rebuild with >= 1.8.3 version installed."); + reject("%s: invalid .diff.gz produced by a broken version of dpkg-dev 1.8.x." % (filename)); break; ################################################################################ @@ -926,7 +761,7 @@ def check_timestamps(): % (filename, num_ancient_files, ancient_file, time.ctime(ancient_date))); except: - reject("%s: timestamp check failed; caught %s" % (filename, sys.exc_type)); + reject("%s: deb contents timestamp check failed [%s: %s]" % (filename, sys.exc_type, sys.exc_value)); ################################################################################ ################################################################################ @@ -1076,7 +911,7 @@ def acknowledge_new (summary): print "Sending new ack."; Subst["__SUMMARY__"] = summary; new_ack_message = utils.TemplateSubst(Subst,Cnf["Dir::Templates"]+"/jennifer.new"); - utils.send_mail(new_ack_message,""); + utils.send_mail(new_ack_message); # Finally remove the originals. os.chdir (pkg.directory); @@ -1120,7 +955,7 @@ def process_it (changes_file): # Relativize the filename so we use the copy in holding # rather than the original... pkg.changes_file = os.path.basename(pkg.changes_file); - changes["fingerprint"] = check_signature(pkg.changes_file); + changes["fingerprint"] = utils.check_signature(pkg.changes_file, reject); changes_valid = check_changes(); if changes_valid: while reprocess: @@ -1150,13 +985,6 @@ def main(): changes_files = init(); - if Options["Help"]: - usage(); - - if Options["Version"]: - print "jennifer %s" % (jennifer_version); - sys.exit(0); - # -n/--dry-run invalidates some other options which would involve things happening if Options["No-Action"]: Options["Automatic"] = ""; @@ -1179,7 +1007,13 @@ def main(): if not Options["No-Action"]: lock_fd = os.open(Cnf["Dinstall::LockFile"], os.O_RDWR | os.O_CREAT); - fcntl.lockf(lock_fd, FCNTL.F_TLOCK); + try: + fcntl.lockf(lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB); + except IOError, e: + if errno.errorcode[e.errno] == 'EACCES' or errno.errorcode[e.errno] == 'EAGAIN': + utils.fubar("Couldn't obtain lock; assuming another jennifer is already running."); + else: + raise; Logger = Katie.Logger = logging.Logger(Cnf, "jennifer"); # debian-{devel-,}-changes@lists.debian.org toggles writes access based on this header