+2005-11-26 Anthony Towns <aj@erisian.com.au>
+
+ * Merge of changes from klecker, by various people
+
+ * amber: special casing for not passing on amd64 and oldstable updates
+ * amber: security mirror triggering
+ * templates/amber.advisory: updated advisory structure
+ * apt.conf.buildd-security: update for sarge's release
+ * apt.conf-security: update for sarge's release
+ * cron.buildd-security: generalise suite support, update for sarge's release
+ * cron.daily-security: update for sarge's release, add udeb support
+ * vars-security: update for sarge's release
+ * katie.conf-security: update for sarge's release, add amd64 support,
+ update signing key
+
+ * docs/README.names, docs/README.quotes: include the additions
+
2005-11-25 Anthony Towns <aj@erisian.com.au>
* Changed accepted_autobuild to queue_build everywhere.
# Wrapper for Debian Security team
# Copyright (C) 2002, 2003, 2004 James Troup <james@nocrew.org>
-# $Id: amber,v 1.10 2004-11-27 19:23:40 troup Exp $
+# $Id: amber,v 1.11 2005-11-26 07:52:06 ajt Exp $
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
for component in Cnf.SubTree("Amber::ComponentMappings").List():
component_mapping[component] = Cnf["Amber::ComponentMappings::%s" % (component)];
uploads = {}; # uploads[uri] = file_list;
+ changesfiles = {}; # changesfiles[uri] = file_list;
package_list = {} # package_list[source_name][version];
changes_files.sort(utils.changes_compare);
for changes_file in changes_files:
files = Katie.pkg.files;
changes = Katie.pkg.changes;
dsc = Katie.pkg.dsc;
+ # We have the changes, now return if its amd64, to not upload them to ftp-master
+ if changes["architecture"].has_key("amd64"):
+ print "Not uploading amd64 part to ftp-master\n";
+ continue
+ if changes["distribution"].has_key("oldstable-security"):
+ print "Not uploading oldstable-security changes to ftp-master\n";
+ continue
# Build the file list for this .changes file
for file in files.keys():
poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"],
file_list.append(poolname);
orig_component = files[file].get("original component", files[file]["component"]);
components[orig_component] = "";
- file_list.append(changes_file);
# Determine the upload uri for this .changes file
for component in components.keys():
upload_uri = component_mapping.get(component);
if not uploads.has_key(upload_uri):
uploads[upload_uri] = [];
uploads[upload_uri].extend(file_list);
+ # Update the changes list for the upload uri
+ if not changes.has_key(upload_uri):
+ changesfiles[upload_uri] = [];
+ changesfiles[upload_uri].append(changes_file);
# Remember the suites and source name/version
for suite in changes["distribution"].keys():
suites[suite] = "";
package_list[dsc["source"]] = {};
package_list[dsc["source"]][dsc["version"]] = "";
- if len(suites.keys()) == 1 and suites.has_key("oldstable"):
- print "Advisory only for 'oldstable'; not uploading elsewhere.";
- return;
-
if not Options["No-Action"]:
answer = yes_no("Upload to files to main archive (Y/n)?");
if answer != "y":
return;
for uri in uploads.keys():
+ uploads[uri].extend(changesfiles[uri]);
(host, path) = uri.split(":");
file_list = " ".join(uploads[uri]);
print "Uploading files to %s..." % (host);
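Review bot: The guard added before `changesfiles[upload_uri] = [];` tests `changes.has_key(upload_uri)`, but `changes` is the parsed .changes dictionary of the current file, so the test is almost certainly always true and the list is reset on every pass. Only the last .changes file seen for each upload URI would then reach `uploads[uri].extend(changesfiles[uri])`, and earlier uploads would be sent without their .changes file. The check should read `if not changesfiles.has_key(upload_uri):`. Separately, the amd64 and oldstable-security tests `continue` past the whole .changes file, so an upload that mixes amd64 with source or other architectures is skipped entirely; if that is intended, the comment above the test should say so. The enclosing functions start and end outside this hunk.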
print "Generating template advisory...";
make_advisory(advisory_number, changes_files);
+ # Trigger security mirrors
+ spawn("sudo -u archvsync /home/archvsync/signal_security");
+
do_upload(changes_files);
################################################################################
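Review bot: The added `spawn("sudo -u archvsync /home/archvsync/signal_security")` hard-codes both the target account and the script path, while the rest of the file takes site-specific values from `Cnf` (for example `Amber::ComponentMappings`). Reading the command from configuration would let an install relocate or disable the trigger without editing code. The comment could also record what the call depends on, for example `# Trigger security mirrors; needs a sudoers rule that allows exactly this command as archvsync`. Whether `spawn` aborts on a non-zero exit is not visible here; if it does, a failed mirror push would stop the run before `do_upload`.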
FileMode 0664;
}
-tree "dists/stable/updates"
+tree "dists/oldstable/updates"
{
- FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list";
- SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list";
+ FileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_binary-$(ARCH).list";
+ SourceFileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_source.list";
Sections "main contrib non-free";
Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
BinOverride "override.woody.$(SECTION)";
Contents " ";
};
+tree "dists/stable/updates"
+{
+ FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list";
+ SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list";
+ Sections "main contrib non-free";
+ Architectures "alpha amd64 arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
+ BinOverride "override.sarge.$(SECTION)";
+ ExtraOverride "override.sarge.extra.$(SECTION)";
+ SrcOverride "override.sarge.$(SECTION).src";
+ Contents " ";
+};
+
tree "dists/testing/updates"
{
FileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_binary-$(ARCH).list";
SourceFileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_source.list";
Sections "main contrib non-free";
Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
- BinOverride "override.sarge.$(SECTION)";
- ExtraOverride "override.sarge.extra.$(SECTION)";
- SrcOverride "override.sarge.$(SECTION).src";
+ BinOverride "override.etch.$(SECTION)";
+ ExtraOverride "override.etch.extra.$(SECTION)";
+ SrcOverride "override.etch.$(SECTION).src";
Contents " ";
};
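Review bot: The `dists/testing/updates` tree keeps an `Architectures` line without `amd64`, while the same commit adds `amd64` to the Testing suite in katie.conf-security. If amd64 packages are accepted for testing, apt-ftparchive would presumably not generate a `binary-amd64` index for them, so they would be in the pool but not installable through apt. Either add `amd64` to that line, as was done for `dists/stable/updates`, or leave a comment saying why testing is excluded.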
FileMode 0664;
}
-bindirectory "potato"
+bindirectory "etch"
{
- Packages "potato/Packages";
- Sources "potato/Sources";
+ Packages "etch/Packages";
+ Sources "etch/Sources";
Contents " ";
- BinOverride "override.potato.all3";
- BinCacheDB "packages-accepted-potato.db";
+ BinOverride "override.etch.all3";
+ BinCacheDB "packages-accepted-etch.db";
PathPrefix "";
Packages::Extensions ".deb .udeb";
};
-#! /bin/sh
+#! /bin/bash
#
# Executed after jennifer (merge there??)
-ARCHS_stable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
-ARCHS_testing="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
-#DISTS="stable testing"
-DISTS="stable"
+ARCHS_oldstable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
+ARCHS_stable="$ARCHS_oldstable"
+ARCHS_testing="$ARCHS_stable"
+DISTS="oldstable stable testing"
+SSH_SOCKET=~/.ssh/buildd.debian.org.socket
set -e
export SCRIPTVARS=/org/security.debian.org/katie/vars-security
if [ ! -e $ftpdir/Archive_Maintenance_In_Progress ]; then
cd $masterdir
+ for d in $DISTS; do
+ eval SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz`
+ eval PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz`
+ done
apt-ftparchive -qq generate apt.conf.buildd-security
+ dists=
for d in $DISTS; do
- case "$d" in
- stable)
- ARCHS="$ARCHS_stable"
- ;;
- testing)
- ARCHS="$ARCHS_testing"
- ;;
- *)
- echo "unknown value in dists: $d"
- exit 1
- ;;
- esac
- cd /org/security.debian.org/buildd/$d
- for a in $ARCHS; do
- quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd wanna-build -d $d-security -b $a/build-db --merge-partial-quinn
- ssh buildd@buildd wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages
- done
+ eval NEW_SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz`
+ eval NEW_PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz`
+ old=SOURCES_$d
+ new=NEW_$old
+ if [ ${!new} -gt ${!old} ]; then
+ if [ -z "$dists" ]; then
+ dists="$d"
+ else
+ dists="$dists $d"
+ fi
+ continue
+ fi
+ old=PACKAGES_$d
+ new=NEW_$old
+ if [ ${!new} -gt ${!old} ]; then
+ if [ -z "$dists" ]; then
+ dists="$d"
+ else
+ dists="$dists $d"
+ fi
+ continue
+ fi
done
+ if [ ! -z "$dists" ]; then
+ # setup ssh master process
+ ssh buildd@buildd -S $SSH_SOCKET -MN 2> /dev/null &
+ SSH_PID=$!
+ while [ ! -S $SSH_SOCKET ]; do
+ sleep 1
+ done
+ trap 'kill -TERM $SSH_PID' 0
+ for d in $dists; do
+ archs=ARCHS_$d
+ ARCHS=${!archs}
+ cd /org/security.debian.org/buildd/$d
+ for a in $ARCHS; do
+ quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -b $a/build-db --merge-partial-quinn
+ ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages
+ done
+ done
+ fi
fi
+
+ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1
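Review bot: The wait loop `while [ ! -S $SSH_SOCKET ]; do sleep 1; done` has no exit condition other than the socket appearing, and the master's stderr is discarded, so if the connection to buildd fails the cron job spins forever without a message. The `trap` is also installed only after the loop, so a run that is killed while waiting leaves the background ssh behind. A bounded wait that checks the master is still alive, with the trap set first, avoids both; the limit of 30 seconds below is illustrative. The final `ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1` runs on every invocation, even when no suite changed, and under `set -e` its failure decides the script's exit status; a comment saying what it triggers would help.

```shell
    # … unchanged: computation of $dists …
    ssh buildd@buildd -S $SSH_SOCKET -MN 2> /dev/null &
    SSH_PID=$!
    # Install the cleanup before waiting so an aborted run does not leave the master behind.
    trap 'kill -TERM $SSH_PID' 0
    tries=0
    while [ ! -S $SSH_SOCKET ]; do
        # Give up if the master has exited or never created its socket.
        if ! kill -0 $SSH_PID 2> /dev/null || [ $tries -ge 30 ]; then
            echo "ssh master for buildd did not come up" >&2
            exit 1
        fi
        sleep 1
        tries=$((tries + 1))
    done
    # … unchanged: per-suite wanna-build loop …
```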
for suite in $suites; do
case $suite in
- stable) override_suite=woody;;
- testing) override_suite=sarge;;
+ oldstable) override_suite=woody;;
+ stable) override_suite=sarge;;
+ testing) override_suite=etch;;
*) echo "Unknown suite type ($suite)"; exit 1;;
esac
for component in $components; do
case $override_type in
deb) type="" ;;
dsc) type=".src" ;;
- udeb) type="skip" ;;
+ udeb) type=".debian-installer" ;;
esac
- if [ ! "$type" = "skip" ]; then
- $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
- case $suite in
- stable)
- $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type
- $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
- ;;
- testing)
- $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
- ;;
- *) echo "Unknown suite type ($suite)"; exit 1;;
- esac
+ # XXX RUN AFUCKINGAWAY
+ if [ "$override_type" = "udeb" ]; then
+ if [ ! "$component" = "main" ]; then
+ continue;
+ fi
+ if [ "$suite" = "unstable" ]; then
+ $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
+ fi
+ else
+ $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
fi
+ case $suite in
+ oldstable)
+ if [ ! "$override_type" = "udeb" ]; then
+ $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type
+ fi
+ $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+ ;;
+ stable)
+ $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+ ;;
+ testing)
+ $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+ ;;
+ *) echo "Unknown suite type ($suite)"; exit 1;;
+ esac
done
done
done
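Review bot: The udeb branch tests `[ "$suite" = "unstable" ]`, but the `case $suite` at the top of the loop exits on anything other than oldstable, stable or testing, so this condition can never be true and the `-S` load of `override.$override_suite.main.debian-installer` never runs. udeb overrides then come only from the `-a` imports of `override.sid.*` in the later `case`. If that is the intent, replace the `XXX` marker with a comment that says so, for example `# udeb overrides are only added from sid below; the -S load is disabled on purpose`; otherwise the test should name the suites that are meant to load them. The enclosing loops start outside this hunk.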
# Generate .all3 overides for the buildd support
-for dist in potato woody sarge; do
+for dist in woody sarge etch; do
rm -f override.$dist.all3
components="main contrib non-free";
if [ -f override.$dist.main.debian-installer ]; then
Laetitia (Casta)
Lana (Parrilla)
Liv (Tyler)
+Marcia (Cross)
Mariska (Hargitay)
Michelle (Hunziker)
Mira (Sorvino)
<elmo> File "/org/ftp.debian.org/katie/kelly", line 608, in main
<elmo> sys.stderr.write("Installed %d package %s, %s.\n" % (install_count, sets, utils.size_type(int(install_bytes))));
<elmo> OverflowError: float too large to convert
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+"The Hurd's design is so secure that it makes firewalls immoral IMHO." -- Jeroen Dekkers
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+<helix> I bought some foam soap for kids the other day and only
+ realized it had an elmo picture on it when I got home
+<helix> now I can't use it because I feel perverted
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
- SigningKeyIds "1DB114E0";
+ SigningKeyIds "4F368D5D";
SendmailCommand "/usr/sbin/sendmail -odq -oi -t";
MyEmailAddress "Debian Installer <installer@ftp-master.debian.org>";
MyAdminAddress "ftpmaster@debian.org";
BXANotify "false";
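Review bot: `SigningKeyIds` is still given as an 8-digit short key ID (`4F368D5D`), and short IDs are not guaranteed to be unique within a keyring. Whether the tools accept a longer form is not visible here; if the value is passed through to gpg, the full fingerprint would select the signing key unambiguously, e.g. `SigningKeyIds "<FULL-FINGERPRINT-PLACEHOLDER>";`. A short comment recording that this is the archive key for sarge's release would also make the rotation easier to audit later.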
QueueBuildSuites
{
+ oldstable;
stable;
testing;
};
// Priority determines which suite is used for the Maintainers file
// as generated by charisma (highest wins).
- Stable
+ Oldstable
{
Components
{
CopyKatie "/org/security.debian.org/queue/done/";
};
+ Stable
+ {
+ Components
+ {
+ updates/main;
+ updates/contrib;
+ updates/non-free;
+ };
+ Architectures
+ {
+ source;
+ all;
+ alpha;
+ amd64;
+ arm;
+ hppa;
+ i386;
+ ia64;
+ m68k;
+ mips;
+ mipsel;
+ powerpc;
+ s390;
+ sparc;
+ };
+ Announce "katie@security.debian.org";
+ Version "3.1";
+ Origin "Debian";
+ Label "Debian-Security";
+ Description "Debian 3.1 Security Updates";
+ CodeName "sarge";
+ OverrideCodeName "sarge";
+ CopyKatie "/org/security.debian.org/queue/done/";
+ };
+
Testing
{
Components
{
source;
all;
+ amd64;
alpha;
arm;
hppa;
Origin "Debian";
Label "Debian-Security";
Description "Debian x.y Security Updates";
- CodeName "sarge";
- OverrideCodeName "sarge";
+ CodeName "etch";
+ OverrideCodeName "etch";
CopyKatie "/org/security.debian.org/queue/done/";
};
SuiteMappings
{
+ "silent-map oldstable-security oldstable";
"silent-map stable-security stable";
// JT - FIXME, hackorama
- "silent-map testing-security stable";
- //"silent-map testing-security testing";
+ // "silent-map testing-security stable";
+ "silent-map testing-security testing";
};
Dir
powerpc "PowerPC";
s390 "IBM S/390";
sparc "Sun SPARC/UltraSPARC";
+ amd64 "AMD x86_64 (AMD64)";
};
Archive "security";
Suites
{
+ Oldstable;
Stable;
Testing;
};
Package : __PACKAGE__
Vulnerability : XXX
-Problem type : XXX
+Problem type : local/remote XXX
Debian-specific: XXX
CVE Id(s) : XXX
+CERT advisory : XXX
+BugTraq ID : XXX
+Debian Bug : XXX
...
Upgrade instructions
--------------------
- To perform automated upgrades using apt:
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
- deb http://security.debian.org/ woody/updates main
- added to /etc/apt/sources.list will give you access to woody updates.
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
- deb http://security.debian.org/ potato/updates main
- added to /etc/apt/sources.list will give you access to potato updates.
-
- apt-get update
- will update apt's package database of packages and versions
-
- apt-get upgrade
+apt-get update
+ will update the internal database
+apt-get upgrade
will install corrected packages
- Alternatively, to obtain and install packages by hand:
-
- wget URL
- will fetch the file for you.
- dpkg -i FILENAME.deb
- will install the fetched file.
-
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
__ADVISORY_TEXT__
--------------------------------------------------------------------------------
-Mailing list: http://lists.debian.org/debian-security-announce/
-Package info: 'apt-cache show <pkg>' and http://packages.debian.org/<pkg>
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
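Review bot: The new footer hard-codes `stable/updates` in both the apt-get and dpkg-ftp lines, and the sentence above it says the files will move into the stable distribution, while this commit also lets amber produce advisories for oldstable uploads. An advisory generated for oldstable would then point readers at the wrong suite unless it is edited by hand. Using the same `XXX` marker as the header fields, e.g. `For apt-get: deb http://security.debian.org/ XXX/updates main`, would force the author to fill it in. The manual `wget`/`dpkg -i` route now comes first in the upgrade instructions; a line reminding readers to compare the downloaded file's checksum with the signed advisory would fit there.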
uploaddir=/pub/UploadQueue/
components="main non-free contrib"
-suites="stable testing"
+suites="oldstable stable testing"
override_types="deb dsc udeb"
PATH=$masterdir:$PATH