From: James Troup Date: Tue, 14 May 2002 15:24:45 +0000 (+0000) Subject: initial import X-Git-Url: https://git.decadent.org.uk/gitweb/?a=commitdiff_plain;h=5b1244957793ec103b80d2c5516e1744324806ea;p=dak.git initial import --- diff --git a/amber b/amber new file mode 100755 index 00000000..d2f5d56e --- /dev/null +++ b/amber @@ -0,0 +1,283 @@ +#!/usr/bin/env python + +# Wrapper for Debian Security team +# Copyright (C) 2002 James Troup +# $Id: amber,v 1.1 2002-05-14 15:24:45 troup Exp $ + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# USA + +################################################################################ + +# neuro: ? +# aj: PPG: the movie! july 3! +# _PHWOAR_!!!!! +# (you think you can distract me, and you're right) +# urls?! +# promo videos?! +# where, where!? + +################################################################################ + +import commands, pwd, os, string, sys, time; +import apt_pkg; +import katie, utils; + +################################################################################ + +Cnf = None; +Katie = None; + +################################################################################ + +def usage (exit_code=0): + print """Usage: amber ADV_NUMBER CHANGES_FILE[...] +Install CHANGES_FILE(s) as security advisory ADV_NUMBER + + -h, --help show this help and exit + +""" + sys.exit(exit_code) + +################################################################################ + +def get_file_list(arguments): + file_list = ""; + for arg in arguments: + arg = utils.validate_changes_file_arg(arg); + Katie.pkg.changes_file = arg; + Katie.init_vars(); + Katie.update_vars(); + files = Katie.pkg.files; + changes = Katie.pkg.changes; + for file in files.keys(): + poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"], + utils.poolify(changes["source"], files[file]["component"]), + file); + file_list = "%s %s" % (file_list, poolname); + file_list = "%s %s" % (file_list, string.join(map(os.path.abspath, arguments))); + return file_list; + +################################################################################ + +def join_with_commas_and(list): + if len(list) == 0: return "nothing"; + if len(list) == 1: return list[0]; + return string.join(list[:-1], ", ") + " and " + list[-1]; + +###################################################################### + +# Originally written by aj, nih-ishly merged into amber by me. + +def make_advisory(advisory_nr, changes_files): + adv_packages = []; + updated_pkgs = {}; # updated_pkgs[distro][arch][file] = {path,md5,size} + + for arg in changes_files: + arg = utils.validate_changes_file_arg(arg); + Katie.pkg.changes_file = arg; + Katie.init_vars(); + Katie.update_vars(); + + src = Katie.pkg.changes["source"]; + if src not in adv_packages: + adv_packages = adv_packages + [src]; + + suites = Katie.pkg.changes["distribution"].keys(); + for suite in suites: + if not updated_pkgs.has_key(suite): + updated_pkgs[suite] = {}; + + files = Katie.pkg.files; + for file in files.keys(): + arch = files[file]["architecture"]; + md5 = files[file]["md5sum"]; + size = files[file]["size"]; + poolname = Cnf["Dir::PoolRoot"] + \ + utils.poolify(src, files[file]["component"]); + if arch == "source" and file[-4:] == ".dsc": + dscpoolname = poolname; + for suite in suites: + if not updated_pkgs[suite].has_key(arch): + updated_pkgs[suite][arch] = {} + updated_pkgs[suite][arch][file] = { + "md5": md5, "size": size, + "poolname": poolname }; + + dsc_files = Katie.pkg.dsc_files; + for file in dsc_files.keys(): + arch = "source" + if not dsc_files[file].has_key("files id"): + continue; + + # otherwise, it's already in the pool and needs to be + # listed specially + md5 = dsc_files[file]["md5sum"]; + size = dsc_files[file]["size"]; + for suite in suites: + if not updated_pkgs[suite].has_key(arch): + updated_pkgs[suite][arch] = {}; + updated_pkgs[suite][arch][file] = { + "md5": md5, "size": size, + "poolname": dscpoolname }; + + if os.environ.has_key("SUDO_UID"): + whoami = string.atol(os.environ["SUDO_UID"]); + else: + whoami = os.getuid(); + whoamifull = pwd.getpwuid(whoami); + username = string.split(whoamifull[4], ",")[0]; + + Subst = { + "__ADVISORY__": advisory_nr, + "__WHOAMI__": username, + "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())), + "__PACKAGE__": string.join(adv_packages,", ") + }; + + adv = ""; + archive = Cnf["Archive::%s::PrimaryMirror" % (utils.where_am_i())]; + for suite in updated_pkgs.keys(): + suite_header = "%s %s (%s)" % (Cnf["Dinstall::MyDistribution"], + Cnf["Suite::%s::Version" % suite], suite); + adv = adv + "%s\n%s\n\n" % (suite_header, "-"*len(suite_header)); + + arches = Cnf.ValueList("Suite::%s::Architectures" % suite); + if "source" in arches: + arches.remove("source"); + if "all" in arches: + arches.remove("all"); + arches.sort(); + + adv = adv + " %s was released for %s.\n\n" % ( + string.capitalize(suite), join_with_commas_and(arches)); + + for a in ["source", "all"] + arches: + if not updated_pkgs[suite].has_key(a): + continue; + + if a == "source": + adv = adv + " Source archives:\n\n"; + elif a == "all": + adv = adv + " Architecture independent packages:\n\n"; + else: + adv = adv + " %s architecture (%s)\n\n" % (a, + Cnf["Architectures::%s" % a]); + + for file in updated_pkgs[suite][a].keys(): + adv = adv + " http://%s/%s%s\n" % ( + archive, updated_pkgs[suite][a][file]["poolname"], file); + adv = adv + " Size/MD5 checksum: %8s %s\n" % ( + updated_pkgs[suite][a][file]["size"], + updated_pkgs[suite][a][file]["md5"]); + adv = adv + "\n"; + adv = string.rstrip(adv); + + Subst["__ADVISORY_TEXT__"] = adv; + + adv = utils.TemplateSubst(Subst, Cnf["Dir::Templates"]+"/amber.advisory"); + utils.send_mail (adv, ""); + +###################################################################### + +def init(): + global Cnf, Katie; + + apt_pkg.init(); + Cnf = utils.get_conf(); + + Arguments = [('h',"help","Amber::Options::Help")]; + + for i in [ "help" ]: + Cnf["Amber::Options::%s" % (i)] = ""; + + arguments = apt_pkg.ParseCommandLine(Cnf,Arguments,sys.argv); + Katie = katie.Katie(Cnf); + + if Cnf["Amber::Options::Help"]: + usage(0); + + if not arguments: + usage(1); + + advisory_number = arguments[0]; + changes_files = sys.argv[2:]; + if advisory_number[-8:] == ".changes": + utils.warn("first argument must be the advisory number."); + usage(1); + for file in changes_files: + file = utils.validate_changes_file_arg(file); + return (advisory_number, changes_files); + +###################################################################### + +def yes_no(prompt): + while 1: + answer = string.lower(utils.our_raw_input(prompt+" ")); + if answer == "y" or answer == "n": + break; + else: + print "Invalid answer; please try again."; + return answer; + +###################################################################### + +def spawn(command): + (result, output) = commands.getstatusoutput(command); + if (result != 0): + utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result); + +###################################################################### + + +def main(): + (advisory_number, changes_files) = init(); + + print "About to install the following files: " + for file in changes_files: + print " %s" % (file); + answer = yes_no("Continue (Y/n)?"); + if answer == "n": + sys.exit(0); + + os.chdir(Cnf["Dir::Queue::Accepted"]); + print "Installing packages into the archive..."; + spawn("%s/katie -pa %s" % (Cnf["Dir::Katie"], string.join(changes_files))); + os.chdir(Cnf["Dir::Katie"]); + print "Updating file lists for apt-ftparchive..."; + spawn("./jenna"); + print "Updating Packages and Sources files..."; + spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file())); + print "Updating Release files..."; + spawn("./ziyi"); + + os.chdir(Cnf["Dir::Queue::Done"]); + print "Generating template advisory..."; + make_advisory(advisory_number, changes_files); + + answer = yes_no("Upload to ftp-master (Y/n)? "); + if answer == "y": + upload_files = get_file_list(changes_files); + print "Uploading files..."; + spawn("lftp -c 'open %s; cd %s; put %s'" % (Cnf["Amber::UploadHost"], + Cnf["Amber::UploadDir"], + upload_files)); + +################################################################################ + +if __name__ == '__main__': + main(); + +################################################################################ diff --git a/apt.conf-security b/apt.conf-security new file mode 100644 index 00000000..44a175a9 --- /dev/null +++ b/apt.conf-security @@ -0,0 +1,36 @@ +Dir +{ + ArchiveDir "/org/security.debian.org/ftp/"; + OverrideDir "/org/security.debian.org/override/"; + CacheDir "/org/security.debian.org/katie-database/"; +}; + +Default +{ + Packages::Compress ". gzip"; + Sources::Compress "gzip"; + DeLinkLimit 0; + FileMode 0664; +} + +tree "dists/potato/updates" +{ + FileList "/org/security.debian.org/katie-database/dists/potato_$(SECTION)_binary-$(ARCH).list"; + SourceFileList "/org/security.debian.org/katie-database/dists/potato_$(SECTION)_source.list"; + Sections "main contrib non-free"; + Architectures "alpha arm i386 m68k powerpc sparc source"; + BinOverride "override.potato.$(SECTION)"; + SrcOverride "override.potato.$(SECTION).src"; + Contents " "; +}; + +tree "dists/woody/updates" +{ + FileList "/org/security.debian.org/katie-database/dists/woody_$(SECTION)_binary-$(ARCH).list"; + SourceFileList "/org/security.debian.org/katie-database/dists/woody_$(SECTION)_source.list"; + Sections "main contrib non-free"; + Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source"; + BinOverride "override.woody.$(SECTION)"; + SrcOverride "override.woody.$(SECTION).src"; + Contents " "; +}; diff --git a/cron.daily-security b/cron.daily-security new file mode 100644 index 00000000..131f22b4 --- /dev/null +++ b/cron.daily-security @@ -0,0 +1,60 @@ +#! /bin/sh +# +# Executed daily via cron, out of katie's crontab. + +set -e +export SCRIPTVARS=/org/security.debian.org/katie/vars-security +. $SCRIPTVARS + +################################################################################ + +rsync -ql ftp-master::indices/override\* $overridedir + +cd $overridedir +find . -name override\*.gz -type f -maxdepth 1 -mindepth 1 | xargs gunzip -f +find . -type l -maxdepth 1 -mindepth 1 | xargs rm + +rm -fr non-US +mkdir non-US +cd non-US +rsync -ql non-us::indices/override\* . +find . -name override\*.gz -type f -maxdepth 1 -mindepth 1 | xargs gunzip +find . -type l -maxdepth 1 -mindepth 1 | xargs rm +for i in *; do + if [ -f ../$i ]; then + cat $i >> ../$i; + fi; +done +cd .. +rm -fr non-US + +for suite in $suites; do + for component in $components; do + for override_type in $override_types; do + case $override_type in + deb) type="" ;; + dsc) type=".src" ;; + udeb) type="skip" ;; + esac + if [ ! "$type" = "skip" ]; then + $masterdir/natalie -q -S -t $override_type -s $suite -c $component < override.$suite.$component$type + fi + done + done +done + +################################################################################ + +cd $masterdir +shania +rhona +apt-ftparchive -q clean apt.conf-security + +pg_dump obscurity > /org/security.debian.org/katie-backup/dump_$(date +%Y.%m.%d-%H:%M:%S) + +# Vacuum the database +set +e +echo "VACUUM; VACUUM ANALYZE;" | psql obscurity 2>&1 | egrep -v "^NOTICE: Skipping \"pg_.*only table or database owner can VACUUM it$|^VACUUM$" +set -e + +################################################################################ diff --git a/katie.conf-security b/katie.conf-security new file mode 100644 index 00000000..b6ecef64 --- /dev/null +++ b/katie.conf-security @@ -0,0 +1,332 @@ +Dinstall +{ + PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp"; + GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg"; + SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg"; + SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg"; + SigningKeyIds "722F1AED"; + SendmailCommand "/usr/sbin/sendmail -odq -oi -t"; + MyEmailAddress "Debian Installer "; + MyAdminAddress "ftpmaster@debian.org"; + MyHost "debian.org"; // used for generating user@my_host addresses in e.g. manual_reject() + MyDistribution "Debian"; // Used in emails + BugServer "bugs.debian.org"; + PackagesServer "packages.debian.org"; + LockFile "/org/security.debian.org/katie/lock"; + Bcc "archive@ftp-master.debian.org"; + // GroupOverrideFilename "override.group-maint"; + FutureTimeTravelGrace 28800; // 6 hours + PastCutoffYear "1984"; + SkipTime 300; + CloseBugs "false"; + OverrideDisparityCheck "false"; + BXANotify "false"; + SpecialAcceptedAutoBuild "true"; + DefaultSuite "Woody"; + OverrideMaintainer "katie@security.debian.org"; +}; + +Julia +{ + ValidGID "800"; + // Comma seperated list of users who are in Postgres but not the passwd file + KnownPostgres "postgres,katie"; +}; + +Shania +{ + Options + { + Days 14; + }; + MorgueSubDir "shania"; +}; + +Natalie +{ + Options + { + Component "main"; + Suite "unstable"; + Type "deb"; + }; + + ComponentPosition "prefix"; // Whether the component is prepended or appended to the section name +}; + +Melanie +{ + Options + { + Suite "unstable"; + }; + + MyEmailAddress "Debian Archive Maintenance "; + LogFile "/org/security.debian.org/web/removals.txt"; +}; + +Neve +{ + ExportDir "/org/security.debian.org/katie/neve-files/"; +}; + +Rhona +{ + // How long (in seconds) dead packages are left before being killed + StayOfExecution 129600; // 1.5 days + AcceptedAutoBuildStayOfExecution 86400; // 24 hours + MorgueSubDir "rhona"; + OverrideFilename "override.source-only"; +}; + +Amber +{ + UploadHost "ftp-master.debian.org"; + UploadDir "/pub/UploadQueue"; +}; + +Suite +{ + // Priority determines which suite is used for the Maintainers file + // as generated by charisma (highest wins). + + Potato + { + Components + { + main; + contrib; + non-free; + }; + Architectures + { + source; + all; + alpha; + arm; + i386; + m68k; + powerpc; + sparc; + }; + Announce "katie@security.debian.org"; + Version "2.2"; + Origin "Debian"; + Label "Debian-Security"; + Description "Debian 2.2 Security Updates"; + CodeName "potato/updates"; + OverrideCodeName "potato"; + CopyKatie "/org/security.debian.org/queue/done/"; + }; + + Woody + { + Components + { + main; + contrib; + non-free; + }; + Architectures + { + source; + all; + alpha; + arm; + hppa; + i386; + ia64; + m68k; + mips; + mipsel; + powerpc; + s390; + sparc; + }; + Announce "katie@security.debian.org"; + Version "3.0"; + Origin "Debian"; + Label "Debian-Security"; + Description "Debian 3.0 Security Updates"; + CodeName "woody/updates"; + OverrideCodeName "woody"; + CopyKatie "/org/security.debian.org/queue/done/"; + }; + +}; + +SuiteMappings +{ + "map stable-sec potato"; + "map testing-sec woody"; +}; + +Dir +{ + Root "/org/security.debian.org/ftp/"; + Pool "/org/security.debian.org/ftp/pool/"; + Katie "/org/security.debian.org/katie/"; + Templates "/org/security.debian.org/katie/templates/"; + PoolRoot "pool/"; + Override "/org/security.debian.org/override/"; + Lists "/org/security.debian.org/katie-database/dists/"; + Log "/org/security.debian.org/katie-log/"; + Morgue "/org/security.debian.org/morgue/"; + MorgueReject "reject"; + Override "/org/security.debian.org/scripts/override/"; + Queue + { + Root "/org/security.debian.org/queue/"; + Accepted "/org/security.debian.org/queue/accepted/"; + Byhand "/org/security.debian.org/queue/byhand/"; + Done "/org/security.debian.org/queue/done/"; + Holding "/org/security.debian.org/queue/holding/"; + New "/org/security.debian.org/queue/new/"; + Reject "/org/security.debian.org/queue/reject/"; + Unchecked "/org/security.debian.org/queue/unchecked/"; + }; +}; + +DB +{ + Name "obscurity"; + Host ""; + Port -1; + +}; + +Architectures +{ + + source "Source"; + all "Architecture Independent"; + alpha "DEC Alpha"; + hppa "HP PA RISC"; + arm "Arm"; + i386 "Intel ia32"; + ia64 "Intel ia64"; + m68k "Motorola Mc680x0"; + mips "SGI MIPS"; + mipsel "SGI MIPS (Little Endian)"; + powerpc "PowerPC"; + s390 "IBM S/390"; + sparc "Sun SPARC/UltraSPARC"; + +}; + +Archive +{ + + security + { + OriginServer "security.debian.org"; + PrimaryMirror "security.debian.org"; + Description "Security Updates for the Debian project"; + }; + +}; + +Component +{ + + main + { + Description "Main"; + MeetsDFSG "true"; + }; + + contrib + { + Description "Contrib"; + MeetsDFSG "true"; + }; + + non-free + { + Description "Software that fails to meet the DFSG"; + MeetsDFSG "false"; + }; + +}; + +Section +{ + admin; + base; + comm; + debian-installer; + devel; + doc; + editors; + electronics; + games; + graphics; + hamradio; + interpreters; + libs; + mail; + math; + misc; + net; + news; + oldlibs; + otherosfs; + science; + shells; + sound; + tex; + text; + utils; + web; + x11; + non-US; +}; + +Priority +{ + required 1; + important 2; + standard 3; + optional 4; + extra 5; + source 0; // i.e. unused +}; + +OverrideType +{ + deb; + udeb; + dsc; +}; + +Location +{ + /org/security.debian.org/ftp/dists/ + { + Archive "security"; + Suites + { + Potato; + }; + Type "legacy"; + }; + + /org/security.debian.org/ftp/pool/ + { + Archive "security"; + Type "pool"; + }; +}; + +Urgency +{ + Default "low"; + Valid + { + low; + medium; + high; + emergency; + critical; + }; +}; diff --git a/templates/amber.advisory b/templates/amber.advisory new file mode 100644 index 00000000..de6459d6 --- /dev/null +++ b/templates/amber.advisory @@ -0,0 +1,34 @@ +------------------------------------------------------------------------ +Debian Security Advisory __ADVISORY__ +http://www.debian.org/security/ + +Issued by __WHOAMI__ +__DATE__ +------------------------------------------------------------------------ + +Package : __PACKAGE__ +Problem type : +Debian-specific: + +... + +__ADVISORY_TEXT__ + +------------------------------------------------------------------------ + +Obtaining updates: + + By hand: + + wget URL + will fetch the file for you. + dpkg -i FILENAME.deb + will install the fetched file. + + With apt: + + deb http://security.debian.org/ potato/updates main + added to /etc/apt/sources.list will give you access to potato updates. + deb http://security.debian.org/ woody/updates main + added to /etc/apt/sources.list will give you access to woody updates. + diff --git a/vars-security b/vars-security new file mode 100644 index 00000000..4ce34ab0 --- /dev/null +++ b/vars-security @@ -0,0 +1,19 @@ +# locations used by many scripts + +base=/org/security.debian.org +masterdir=$base/katie/ +overridedir=$base/override +queuedir=$base/queue/ +accepted=$queuedir/accepted/ +done=$queuedir/done/ + +uploadhost=ftp-master.debian.org +uploaddir=/pub/UploadQueue/ + +components="main non-free contrib" +suites="potato woody" +override_types="deb dsc udeb" + +PATH=$masterdir:$PATH +umask 022 +