3 """ Wrapper for Debian Security team """
4 # Copyright (C) 2006 Anthony Towns <ajt@debian.org>
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
21 ################################################################################
23 import apt_pkg, os, sys, pwd, time, commands
25 from daklib import queue
26 from daklib import daklog
27 from daklib import utils
28 from daklib.dbconn import DBConn, get_build_queue, get_suite_architectures
29 from daklib.regexes import re_taint_free
41 global Cnf, Upload, Options, Logger
43 Cnf = utils.get_conf()
44 Cnf["Dinstall::Options::No-Mail"] = "y"
45 Arguments = [('h', "help", "Security-Install::Options::Help"),
46 ('a', "automatic", "Security-Install::Options::Automatic"),
47 ('n', "no-action", "Security-Install::Options::No-Action"),
48 ('s', "sudo", "Security-Install::Options::Sudo"),
49 (' ', "no-upload", "Security-Install::Options::No-Upload"),
50 ('u', "fg-upload", "Security-Install::Options::Foreground-Upload"),
51 (' ', "drop-advisory", "Security-Install::Options::Drop-Advisory"),
52 ('A', "approve", "Security-Install::Options::Approve"),
53 ('R', "reject", "Security-Install::Options::Reject"),
54 ('D', "disembargo", "Security-Install::Options::Disembargo") ]
59 arguments = apt_pkg.ParseCommandLine(Cnf, Arguments, sys.argv)
61 Options = Cnf.SubTree("Security-Install::Options")
63 username = utils.getusername()
65 print "Non-dak user: %s" % username
72 if len(arguments) == 0:
73 utils.fubar("Process what?")
75 Upload = queue.Upload(Cnf)
76 if Options["No-Action"]:
78 if not Options["Sudo"] and not Options["No-Action"]:
79 Logger = Upload.Logger = daklog.Logger(Cnf, "new-security-install")
88 def load_args(arguments):
89 global advisory, changes
92 if not arguments[0].endswith(".changes"):
93 adv_ids [arguments[0]] = 1
94 arguments = arguments[1:]
101 utils.fubar("can only deal with files in the current directory")
102 if not a.endswith(".changes"):
103 utils.fubar("not a .changes file: %s" % (a))
105 Upload.pkg.changes_file = a
107 if "adv id" in Upload.pkg.changes:
109 adv_ids[Upload.pkg.changes["adv id"]] = 1
111 null_adv_changes.append(a)
113 adv_ids = adv_ids.keys()
115 utils.fubar("multiple advisories selected: %s" % (", ".join(adv_ids)))
119 advisory = adv_ids[0]
121 changes = changesfiles.keys()
122 return null_adv_changes
124 def load_adv_changes():
125 global srcverarches, changes
127 for c in os.listdir("."):
128 if not c.endswith(".changes"): continue
130 Upload.pkg.changes_file = c
132 if "adv id" not in Upload.pkg.changes:
134 if Upload.pkg.changes["adv id"] != advisory:
137 if c not in changes: changes.append(c)
138 srcver = "%s %s" % (Upload.pkg.changes["source"],
139 Upload.pkg.changes["version"])
140 srcverarches.setdefault(srcver, {})
141 for arch in Upload.pkg.changes["architecture"].keys():
142 srcverarches[srcver][arch] = 1
146 print "Advisory: %s" % (advisory)
152 svs = srcverarches.keys()
155 as_ = srcverarches[sv].keys()
157 print " %s (%s)" % (sv, ", ".join(as_))
159 def prompt(opts, default):
165 p += ", [%s]%s" % (o[0], o[1:])
171 if Options["Automatic"]:
175 a = utils.our_raw_input(p) + default
180 def add_changes(extras):
184 Upload.pkg.changes_file = c
186 srcver = "%s %s" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
187 srcverarches.setdefault(srcver, {})
188 for arch in Upload.pkg.changes["architecture"].keys():
189 srcverarches[srcver][arch] = 1
190 Upload.pkg.changes["adv id"] = advisory
191 Upload.dump_vars(os.getcwd())
194 if Options["Automatic"]: return True
196 answer = utils.our_raw_input(prompt + " ").lower()
199 print "Invalid answer; please try again."
202 if Options["No-Upload"]:
203 print "Not uploading as requested"
204 elif Options["Foreground-Upload"]:
205 actually_upload(changes)
209 actually_upload(changes)
211 print "Uploading in the background"
213 def actually_upload(changes_files):
216 component_mapping = {}
217 for component in Cnf.SubTree("Security-Install::ComponentMappings").List():
218 component_mapping[component] = Cnf["Security-Install::ComponentMappings::%s" % (component)]
219 uploads = {}; # uploads[uri] = file_list
220 changesfiles = {}; # changesfiles[uri] = file_list
221 package_list = {} # package_list[source_name][version]
222 changes_files.sort(utils.changes_compare)
223 for changes_file in changes_files:
224 changes_file = utils.validate_changes_file_arg(changes_file)
230 # Parse the .dak file for the .changes file
231 Upload.pkg.changes_file = changes_file
233 files = Upload.pkg.files
234 changes = Upload.pkg.changes
236 # Build the file list for this .changes file
237 for file in files.keys():
238 poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"],
239 utils.poolify(changes["source"], files[file]["component"]),
241 file_list.append(poolname)
242 orig_component = files[file].get("original component", files[file]["component"])
243 components[orig_component] = ""
244 # Determine the upload uri for this .changes file
245 for component in components.keys():
246 upload_uri = component_mapping.get(component)
248 upload_uris[upload_uri] = ""
249 num_upload_uris = len(upload_uris.keys())
250 if num_upload_uris == 0:
251 utils.fubar("%s: No valid upload URI found from components (%s)."
252 % (changes_file, ", ".join(components.keys())))
253 elif num_upload_uris > 1:
254 utils.fubar("%s: more than one upload URI (%s) from components (%s)."
255 % (changes_file, ", ".join(upload_uris.keys()),
256 ", ".join(components.keys())))
257 upload_uri = upload_uris.keys()[0]
258 # Update the file list for the upload uri
259 if not uploads.has_key(upload_uri):
260 uploads[upload_uri] = []
261 uploads[upload_uri].extend(file_list)
262 # Update the changes list for the upload uri
263 if not changesfiles.has_key(upload_uri):
264 changesfiles[upload_uri] = []
265 changesfiles[upload_uri].append(changes_file)
266 # Remember the suites and source name/version
267 for suite in changes["distribution"].keys():
269 # Remember the source name and version
270 if changes["architecture"].has_key("source") and \
271 changes["distribution"].has_key("testing"):
272 if not package_list.has_key(dsc["source"]):
273 package_list[dsc["source"]] = {}
274 package_list[dsc["source"]][dsc["version"]] = ""
276 for uri in uploads.keys():
277 uploads[uri].extend(changesfiles[uri])
278 (host, path) = uri.split(":")
279 # file_list = " ".join(uploads[uri])
280 print "Moving files to UploadQueue"
281 for filename in uploads[uri]:
282 utils.copy(filename, Cnf["Dir::Upload"])
283 # .changes files have already been moved to queue/done by p-a
284 if not filename.endswith('.changes'):
285 remove_from_buildd(suites, filename)
286 #spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
288 if not Options["No-Action"]:
289 filename = "%s/testing-processed" % (Cnf["Dir::Log"])
290 file = utils.open_file(filename, 'a')
291 for source in package_list.keys():
292 for version in package_list[source].keys():
293 file.write(" ".join([source, version])+'\n')
296 def remove_from_buildd(suites, filename):
297 """Check the buildd dir for each suite and remove the file if needed"""
298 builddbase = Cnf["Dir::QueueBuild"]
299 filebase = os.path.basename(filename)
302 os.unlink(os.path.join(builddbase, s, filebase))
305 # About no value printing this warning - it only confuses the security team,
306 # yet makes no difference otherwise.
307 #utils.warn("Problem removing %s from buildd queue %s [%s]" % (filebase, s, str(e)))
310 def generate_advisory(template):
311 global changes, advisory
314 updated_pkgs = {}; # updated_pkgs[distro][arch][file] = {path,md5,size}
317 arg = utils.validate_changes_file_arg(arg)
318 Upload.pkg.changes_file = arg
322 src = Upload.pkg.changes["source"]
323 src_ver = "%s (%s)" % (src, Upload.pkg.changes["version"])
324 if src_ver not in adv_packages:
325 adv_packages.append(src_ver)
327 suites = Upload.pkg.changes["distribution"].keys()
329 if not updated_pkgs.has_key(suite):
330 updated_pkgs[suite] = {}
332 files = Upload.pkg.files
333 for file in files.keys():
334 arch = files[file]["architecture"]
335 md5 = files[file]["md5sum"]
336 size = files[file]["size"]
337 poolname = Cnf["Dir::PoolRoot"] + \
338 utils.poolify(src, files[file]["component"])
339 if arch == "source" and file.endswith(".dsc"):
340 dscpoolname = poolname
342 if not updated_pkgs[suite].has_key(arch):
343 updated_pkgs[suite][arch] = {}
344 updated_pkgs[suite][arch][file] = {
345 "md5": md5, "size": size, "poolname": poolname }
347 dsc_files = Upload.pkg.dsc_files
348 for file in dsc_files.keys():
350 if not dsc_files[file].has_key("files id"):
353 # otherwise, it's already in the pool and needs to be
355 md5 = dsc_files[file]["md5sum"]
356 size = dsc_files[file]["size"]
358 if not updated_pkgs[suite].has_key(arch):
359 updated_pkgs[suite][arch] = {}
360 updated_pkgs[suite][arch][file] = {
361 "md5": md5, "size": size, "poolname": dscpoolname }
363 if os.environ.has_key("SUDO_UID"):
364 whoami = long(os.environ["SUDO_UID"])
367 whoamifull = pwd.getpwuid(whoami)
368 username = whoamifull[4].split(",")[0]
371 "__ADVISORY__": advisory,
372 "__WHOAMI__": username,
373 "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())),
374 "__PACKAGE__": ", ".join(adv_packages),
375 "__DAK_ADDRESS__": Cnf["Dinstall::MyEmailAddress"]
378 if Cnf.has_key("Dinstall::Bcc"):
379 Subst["__BCC__"] = "Bcc: %s" % (Cnf["Dinstall::Bcc"])
382 archive = Cnf["Archive::%s::PrimaryMirror" % (utils.where_am_i())]
383 for suite in updated_pkgs.keys():
384 ver = Cnf["Suite::%s::Version" % suite]
385 if ver != "": ver += " "
386 suite_header = "%s %s(%s)" % (Cnf["Dinstall::MyDistribution"],
388 adv += "%s\n%s\n\n" % (suite_header, "-"*len(suite_header))
390 arches = [x.arch_name for x in get_suite_architectures(suite)]
391 if "source" in arches:
392 arches.remove("source")
397 adv += "%s updates are available for %s.\n\n" % (
398 suite.capitalize(), utils.join_with_commas_and(arches))
400 for a in ["source", "all"] + arches:
401 if not updated_pkgs[suite].has_key(a):
405 adv += "Source archives:\n\n"
407 adv += "Architecture independent packages:\n\n"
409 adv += "%s architecture (%s)\n\n" % (a,
410 Cnf["Architectures::%s" % a])
412 for file in updated_pkgs[suite][a].keys():
413 adv += " http://%s/%s%s\n" % (
414 archive, updated_pkgs[suite][a][file]["poolname"], file)
415 adv += " Size/MD5 checksum: %8s %s\n" % (
416 updated_pkgs[suite][a][file]["size"],
417 updated_pkgs[suite][a][file]["md5"])
421 Subst["__ADVISORY_TEXT__"] = adv
423 adv = utils.TemplateSubst(Subst, template)
427 if not re_taint_free.match(command):
428 utils.fubar("Invalid character in \"%s\"." % (command))
430 if Options["No-Action"]:
431 print "[%s]" % (command)
433 (result, output) = commands.getstatusoutput(command)
435 utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result)
438 ##################### ! ! ! N O T E ! ! ! #####################
440 # These functions will be reinvoked by semi-priveleged users, be careful not
441 # to invoke external programs that will escalate privileges, etc.
443 ##################### ! ! ! N O T E ! ! ! #####################
445 def sudo(arg, fn, exit):
448 utils.fubar("Must set advisory name")
449 os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H",
450 "/usr/local/bin/dak", "new-security-install", "-"+arg, "--", advisory)
456 def do_Approve(): sudo("A", _do_Approve, True)
458 # 1. dump advisory in drafts
459 draft = "/org/security.debian.org/advisories/drafts/%s" % (advisory)
460 print "Advisory in %s" % (draft)
461 if not Options["No-Action"]:
462 adv_file = "./advisory.%s" % (advisory)
463 if not os.path.exists(adv_file):
464 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
465 adv_fd = os.open(draft, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0664)
466 os.write(adv_fd, generate_advisory(adv_file))
470 # 2. run dak process-accepted on changes
471 print "Accepting packages..."
472 spawn("dak process-accepted -pa %s" % (" ".join(changes)))
474 # 3. run dak make-suite-file-list / apt-ftparchve / dak generate-releases
475 print "Updating file lists for apt-ftparchive..."
476 spawn("dak make-suite-file-list")
477 spawn("dak generate-filelist")
478 print "Updating Packages and Sources files..."
479 spawn("/org/security.debian.org/dak/config/debian-security/map.sh")
480 spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
481 print "Updating Release files..."
482 spawn("dak generate-releases")
483 print "Triggering security mirrors..."
484 spawn("sudo -u archvsync -H /home/archvsync/signal_security")
486 # 4. chdir to done - do upload
487 if not Options["No-Action"]:
488 os.chdir(Cnf["Dir::Queue::Done"])
491 def do_Disembargo(): sudo("D", _do_Disembargo, True)
492 def _do_Disembargo():
493 if os.getcwd() != Cnf["Dir::Queue::Embargoed"].rstrip("/"):
494 utils.fubar("Can only disembargo from %s" % Cnf["Dir::Queue::Embargoed"])
496 session = DBConn().session()
498 dest = Cnf["Dir::Queue::Unembargoed"]
499 emb_q = get_build_queue("embargoed", session)
500 une_q = get_build_queue("unembargoed", session)
503 print "Disembargoing %s" % (c)
506 Upload.pkg.changes_file = c
509 if "source" in Upload.pkg.changes["architecture"].keys():
510 print "Adding %s %s to disembargo table" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
511 session.execute("INSERT INTO disembargo (package, version) VALUES (:package, :version)",
512 {'package': Upload.pkg.changes["source"], 'version': Upload.pkg.changes["version"]})
515 for suite in Upload.pkg.changes["distribution"].keys():
516 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
518 dest_dir = Cnf["Dir::QueueBuild"]
519 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
520 dest_dir = os.path.join(dest_dir, suite)
521 for file in Upload.pkg.files.keys():
522 files[os.path.join(dest_dir, file)] = 1
526 session.execute("UPDATE queue_build SET queue = :unembargoed WHERE filename = :filename AND queue = :embargoed",
527 {'unembargoed': une_q.queue_id, 'filename': f, 'embargoed': emb_q.queue_id})
530 for file in Upload.pkg.files.keys():
531 utils.copy(file, os.path.join(dest, file))
535 utils.copy(c, os.path.join(dest, c))
538 utils.copy(k, os.path.join(dest, k))
543 def do_Reject(): sudo("R", _do_Reject, True)
547 session = DBConn().session()
550 print "Rejecting %s..." % (c)
552 Upload.pkg.changes_file = c
555 for suite in Upload.pkg.changes["distribution"].keys():
556 if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
558 dest_dir = Cnf["Dir::QueueBuild"]
559 if Cnf.FindB("Dinstall::SecurityQueueBuild"):
560 dest_dir = os.path.join(dest_dir, suite)
561 for file in Upload.pkg.files.keys():
562 files[os.path.join(dest_dir, file)] = 1
566 aborted = Upload.do_reject()
568 os.unlink(c[:-8]+".dak")
570 session.execute("DELETE FROM queue_build WHERE filename = :filename",
574 print "Updating buildd information..."
575 spawn("/org/security.debian.org/dak/config/debian-security/cron.buildd")
577 adv_file = "./advisory.%s" % (advisory)
578 if os.path.exists(adv_file):
583 def do_DropAdvisory():
586 Upload.pkg.changes_file = c
588 del Upload.pkg.changes["adv id"]
589 Upload.dump_vars(os.getcwd())
593 adv_file = "./advisory.%s" % (advisory)
594 if not os.path.exists(adv_file):
595 utils.copy(Cnf["Dir::Templates"]+"/security-install.advisory", adv_file)
596 editor = os.environ.get("EDITOR", "vi")
597 result = os.system("%s %s" % (editor, adv_file))
599 utils.fubar("%s invocation failed for %s." % (editor, adv_file))
602 adv_file = "./advisory.%s" % (advisory)
603 if not os.path.exists(adv_file):
604 adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
605 print "====\n%s\n====" % (generate_advisory(adv_file))
614 extras = load_args(args)
621 if srcverarches == {}:
622 if not yes_no("Create new advisory %s?" % (advisory)):
623 print "Not doing anything, then"
629 if yes_no("Add %s to %s?" % (c, advisory)):
635 utils.fubar("Must specify an advisory id")
638 utils.fubar("No changes specified")
640 if Options["Approve"]:
643 elif Options["Reject"]:
646 elif Options["Disembargo"]:
649 elif Options["Drop-Advisory"]:
655 opts = ["Approve", "Edit advisory"]
656 if os.path.exists("./advisory.%s" % advisory):
660 if os.getcwd() == Cnf["Dir::Queue::Embargoed"].rstrip("/"):
661 opts.append("Disembargo")
662 opts += ["Show advisory", "Reject", "Quit"]
665 what = prompt(opts, default)
669 elif what == "Approve":
671 elif what == "Edit advisory":
673 elif what == "Show advisory":
675 elif what == "Disembargo":
677 elif what == "Reject":
680 utils.fubar("Impossible answer '%s', wtf?" % (what))
682 ################################################################################
684 if __name__ == '__main__':
687 ################################################################################
projects / dak.git / blob