From 3c2b932e8e034c8f314537231e14f62e7e61537c Mon Sep 17 00:00:00 2001 From: Joerg Jaspert Date: Sun, 16 Nov 2008 23:47:00 +0100 Subject: [PATCH] security change it to use a local queued for uploads to ftpmaster. long term wish from security team to get rid of the old and unreliable direct ftp. Signed-off-by: Joerg Jaspert --- config/debian-security/dak.conf | 1 + dak/new_security_install.py | 8 +- dak/security_install.py | 8 +- tools/debianqueued-0.9/config-security | 141 +++++++++++++++++++++++++ 4 files changed, 152 insertions(+), 6 deletions(-) mode change 100644 => 100755 dak/security_install.py create mode 100644 tools/debianqueued-0.9/config-security diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index 8cff5ada..68216d57 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf @@ -205,6 +205,7 @@ Dir MorgueReject "reject"; Override "/org/security.debian.org/scripts/override/"; QueueBuild "/org/security.debian.org/buildd/"; + Upload "/srv/queued/UploadQueue/"; Queue { Accepted "/org/security.debian.org/queue/accepted/"; diff --git a/dak/new_security_install.py b/dak/new_security_install.py index 024702ca..99dae8c1 100755 --- a/dak/new_security_install.py +++ b/dak/new_security_install.py @@ -278,9 +278,11 @@ def actually_upload(changes_files): for uri in uploads.keys(): uploads[uri].extend(changesfiles[uri]) (host, path) = uri.split(":") - file_list = " ".join(uploads[uri]) - print "Uploading files to %s..." % (host) - spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list)) + # file_list = " ".join(uploads[uri]) + print "Moving files to UploadQueue" + for filename in uploads[uri]: + utils.copy(filename, Cnf["Dir::Upload"]) + #spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list)) if not Options["No-Action"]: filename = "%s/testing-processed" % (Cnf["Dir::Log"]) 
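Review bot: The new copy loop in actually_upload, `for filename in uploads[uri]:` / `utils.copy(filename, Cnf["Dir::Upload"])`, does not appear to sit under the `Options["No-Action"]` check that guards the log write right after it. Indentation is lost on this page, so that is inferred from line order. If spawn() honoured No-Action (its body is outside the hunk), a dry run that used to only print the command would now place real files in the upload queue; guarding the loop with `if not Options["No-Action"]:` keeps the old behaviour. `(host, path) = uri.split(":")` is now unused, and the two commented-out lftp lines are better deleted than kept, so the string-built shell command does not get revived later. The same applies to do_upload in dak/security_install.py; both functions start and end outside their hunks.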
diff --git a/dak/security_install.py b/dak/security_install.py old mode 100644 new mode 100755 index 3aebedc1..96aa604f --- a/dak/security_install.py +++ b/dak/security_install.py @@ -132,9 +132,11 @@ def do_upload(changes_files): for uri in uploads.keys(): uploads[uri].extend(changesfiles[uri]) (host, path) = uri.split(":") - file_list = " ".join(uploads[uri]) - print "Uploading files to %s..." % (host) - spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list)) + #file_list = " ".join(uploads[uri]) + print "Moving files to UploadQueue" + for filename in uploads[uri]: + utils.copy(filename, Cnf["Dir::Upload"]) + #spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list)) if not Options["No-Action"]: filename = "%s/testing-processed" % (Cnf["Dir::Log"]) diff --git a/tools/debianqueued-0.9/config-security b/tools/debianqueued-0.9/config-security new file mode 100644 index 00000000..0dcb7db0 --- /dev/null +++ b/tools/debianqueued-0.9/config-security 
@@ -0,0 +1,141 @@
+#
+# example configuration file for debianqueued
+#
+
+# set to != 0 for debugging output (to log file)
+$debug = 0;
+
+# various programs:
+# -----------------
+$gpg = "/usr/bin/gpg";
+$ssh = "/usr/bin/ssh";
+$scp = "/usr/bin/scp";
+$ssh_agent = "/usr/bin/ssh-agent";
+$ssh_add = "/usr/bin/ssh-add";
+$md5sum = "/usr/bin/md5sum";
+$mail = "/usr/sbin/sendmail";
+$mkfifo = "/usr/bin/mkfifo";
+$tar = "/bin/tar"; # must be GNU tar!
+$gzip = "/bin/gzip";
+$ar = "/usr/bin/ar"; # must support p option, optional
+$ls = "/bin/ls";
+$cp = "/bin/cp";
+$chmod = "/bin/chmod";
+
+# binaries which existance should be tested before each queue run
+#@test_binaries = ();
+
+# general options to ssh/scp
+$ssh_options = "-o'BatchMode yes' -o'FallBackToRsh no' ".
+ "-o'ForwardAgent no' -o'ForwardX11 no' ".
+ "-o'PasswordAuthentication no' -o'StrictHostKeyChecking yes'";
+
+# ssh key file to use for connects to master (empty: default ~/.ssh/identity)
+$ssh_key_file = "";
+
+# the incoming dir we live in
+$incoming = "/srv/queued/UploadQueue";
+
+# the delayed incoming directories
+$incoming_delayed = "/srv/queued/UploadQueue/DELAYED/%d-day";
+
+# maximum delay directory, -1 for no delayed directory,
+# incoming_delayed and target_delayed need to exist.
+$max_delayed = -1;
+
+# files not to delete in $incoming (regexp)
+$keep_files = '(status|\.message|README)$';
+
+# file patterns that aren't deleted right away
+$valid_files = '(\.changes|\.tar\.gz|\.dsc|\.u?deb|diff\.gz|\.sh)$';
+
+# Change files to mode 644 locally (after md5 check) or only on master?
+$chmod_on_target = 0;
+
+# Do an md5sum check?
+$check_md5sum = 0;
+
+# name of the status file or named pipe in the incoming dir
+$statusfile = "$incoming/status";
+
+# if 0, status file implemented as FIFO; if > 0, status file is plain
+# file and updated with a delay of this many seconds
+$statusdelay = 30;
+
+# names of the keyring files
+@keyrings = ( "/srv/keyring.debian.org/keyrings/debian-keyring.gpg",
+ "/srv/keyring.debian.org/keyrings/debian-keyring.pgp");
+
+# our log file
+$logfile = "$queued_dir/log";
+
+# our pid file
+$pidfile = "$queued_dir/pid";
+
+# upload method (ssh, copy, ftp)
+$upload_method = "ftp";
+
+# name of target host (ignored on copy method)
+$target = "ftp.upload.debian.org";
+
+# login name on target host (for ssh, always 'ftp' for ftp, ignored for copy)
+$targetlogin = "ftp";
+
+# incoming on target host
+$targetdir = "/pub/UploadQueue/";
+
+# incoming/delayed on target host
+$targetdir_delayed = "/srv/queued/DEFERRED/%d-day";
+
+# select FTP debugging
+$ftpdebug = 0;
+
+# FTP timeout
+$ftptimeout = 900;
+
+# max. number of tries to upload
+$max_upload_retries = 8;
+
+# delay after first failed upload
+$upload_delay_1 = 30*60; # 30 min.
+
+# delay between successive failed uploads
+$upload_delay_2 = 4*60*60; # 4 hours
+
+# packages that must go to nonus.debian.org and thus are rejected here
+#@nonus_packages = qw(gpg-rsaidea);
+
+# timings:
+# --------
+# time between two queue checks
+$queue_delay = 5*60; # 5 min.
+# when are stray files deleted?
+$stray_remove_timeout = 24*60*60; # 1 day
+# delay before reporting problems with a .changes file (not
+# immediately for to-be-continued uploads)
+$problem_report_timeout = 30*60; # 30 min.
+# delay before reporting that a .changes file is missing (not
+# immediately for to-be-continued uploads)
+$no_changes_timeout = 30*60; # 30 min.
+# when are .changes with persistent problems removed?
+$bad_changes_timeout = 2*24*60*60; # 2 days
+# how long may a remote operation (ssh/scp) take?
+$remote_timeout = 3*60*60; # 3 hours
+
+# mail address of maintainer
+$maintainer_mail = "ftpmaster\@debian.org";
+
+
+# logfile rotating:
+# -----------------
+# how often to rotate (in days)
+$log_age = 7;
+# how much old logs to keep
+$log_keep = 4;
+# send summary mail when rotating logs?
+$mail_summary = 1;
+# write summary to file when rotating logs? (no if name empty)
+$summary_file = "$queued_dir/summary";
+
+# don't remove this, Perl needs it!
+1;
-- 2.39.5
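Review bot: `$check_md5sum = 0;` turns the checksum check off while `$upload_method = "ftp"` forwards to `ftp.upload.debian.org`, so a truncated or altered copy in UploadQueue would presumably be forwarded unchecked; what the daemon verifies when the option is on is not visible in this patch. Either set `$check_md5sum = 1;` or add a comment saying why skipping it is safe here, e.g. `# integrity is enforced by the signed .changes on the receiving side` if that is the reason. `$queued_dir` is used for `$logfile`, `$pidfile` and `$summary_file` but is never assigned in this file, so a one-line comment naming where it is set would help the next reader. The header still reads "example configuration file for debianqueued" although this is the config for the security host.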