2 # dgit repos policy hook script for Debian
5 $SIG{__WARN__} = sub { die $_[0]; };
9 use File::Temp qw(tempfile);
14 use Debian::Dgit qw(:DEFAULT :policyflags);
15 use Debian::Dgit::Policy::Debian;
18 enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};
20 our $distro = shift @ARGV // die "need DISTRO";
21 our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
22 our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
23 our $distrodir = shift @ARGV // die "need DISTRO-DIR";
24 our $action = shift @ARGV // die "need ACTION";
26 our $publicmode = 02775;
27 our $new_upload_propagation_slop = 3600*4 + 100;# fixme config;
32 our ($pkg_exists,$pkg_secret);
36 our ($version,$suite,$tagname);
39 # We assume that it is not possible for NEW to have a version older
42 # Whenever pushing, we check for
43 # source-package-local tainted history
44 # global tainted history
45 # can be overridden by --deliberately except for an admin prohib taint
47 # ALL of the following apply only if history is secret:
49 # if NEW has no version, or a version which is not in our history[1]
52 # if any suite's version is in our history[1], publish our history
53 # otherwise discard our history,
54 # tainting --deliberately-include-questionable-history
56 # if NEW has a version which is in our history[1]
58 # require explicit specification of one of
59 # --deliberately-include-questionable-history
60 # --deliberately-not-fast-forward
61 # (latter will taint old NEW version --d-i-q-h)
65 # [1] looking for the relevant git tag for the version number and not
66 # caring what that tag refers to.
68 # A wrinkle: if we approved a push recently, we treat NEW as having
69 # a version which is in our history. This is because the package may
70 # still be being uploaded. (We record this using the timestamp of the
71 # package's git repo directory.)
73 # We aim for the following invariants and properties:
75 # - .dsc of published dgit package will have corresponding publicly
76 # visible dgit-repo (soon)
78 # - when a new package is rejected we help maintainer avoid
79 # accidentally including bad objects in published dgit history
81 # - .dsc of NEW dgit package has corresponding dgit-repo but not
87 my $cmd = "$dgitlive/dgit -d$distro \$DGIT_TEST_OPTS";
88 $cmd .= " -".("D" x $debuglevel) if $debuglevel;
89 $cmd .= " archive-api-query $subpath";
90 printdebug "apiquery $cmd\n";
91 $!=0; $?=0; my $json = `$cmd`;
92 defined $json && !$? or die "$subpath $! $?";
93 my $r = decode_json $json;
94 my $d = new Data::Dumper([$r], [qw(r)]);
95 printdebug "apiquery $subpath | ", $d->Dump() if $debuglevel>=2;
99 sub specific_suite_has_vsn_in_our_history ($) {
101 my $in_suite = apiquery "dsc_in_suite/$suite/$pkg";
102 foreach my $entry (@$in_suite) {
103 my $vsn = $entry->{version};
104 die "$pkg ?" unless defined $vsn;
105 my $tagref = "refs/tags/".debiantag $vsn;
106 printdebug " checking history suite=$suite vsn=$vsn tagref=$tagref\n";
107 $?=0; my $r = system qw(git show-ref --verify --quiet), $tagref;
110 die "$pkg tagref $tagref $? $!";
115 sub new_has_vsn_in_our_history () {
116 return specific_suite_has_vsn_in_our_history('new');
119 sub good_suite_has_vsn_in_our_history () {
120 my $suites = apiquery "suites";
121 foreach my $suitei (@$suites) {
122 my $suite = $suitei->{name};
123 die unless defined $suite;
124 next if $suite =~ m/\bnew$/;
125 return 1 if specific_suite_has_vsn_in_our_history($suite);
131 $pkgdir = "$repos/$pkg.git";
132 if (!stat_exists $pkgdir) {
133 printdebug "statpackage $pkg => ENOENT\n";
137 $pkg_secret = !!(~(stat _)[2] & 05);
138 printdebug "statpackage $pkg => exists, secret=$pkg_secret.\n";
143 die unless @ARGV >= 1;
145 die unless $pkg =~ m/^$package_re$/;
151 my ($refobj, $reason) = @_;
153 printdebug "TAINTING $refobj\n",
154 (map { "\%| $_" } split "\n", $reason),
157 my $tf = new File::Temp or die $!;
158 print $tf "$refobj^0\n" or die $!;
160 seek $tf,0,0 or die $!;
162 my $gcfpid = open GCF, "-|";
163 defined $gcfpid or die $!;
165 open STDIN, "<&", $tf or die $!;
166 exec 'git', 'cat-file', '--batch';
173 m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
179 if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
180 $!=0; read GCF, $gitobjdata, $bytes == $bytes
181 or die "$gitobjid $bytes $!";
185 $poldbh->do("INSERT INTO taints".
186 " (package, gitobjid, gitobjtype, gitobjdata, time, comment)".
187 " VALUES (?,?,?,?,?,?)", {},
188 $pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);
190 my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
191 die unless defined $taint_id;
193 $poldbh->do("INSERT INTO taintoverrides".
194 " (taint_id, deliberately)".
195 " VALUES (?, '--deliberately-include-questionable-history')",
199 sub add_taint_by_tag ($$) {
200 my ($tagname,$refobjid) = @_;
202 "tag $tagname referred to this object in git tree but all".
203 " previously pushed versions were found to have been".
204 " removed from NEW (ie, rejected) (or never arrived)");
207 sub action_check_package () {
209 return 0 unless $pkg_exists;
210 return 0 unless $pkg_secret;
212 printdebug "check_package\n";
214 chdir $pkgdir or die "$pkgdir $!";
216 stat '.' or die "$pkgdir $!";
217 my $mtime = ((stat _)[9]);
218 my $age = time - $mtime;
219 printdebug "check_package age=$age\n";
221 return 0 if $age < $new_upload_propagation_slop;
223 return 0 if new_has_vsn_in_our_history();
225 if (good_suite_has_vsn_in_our_history) {
226 chmod $publicmode, "." or die $!;
230 printdebug "check_package secret, deleted, tainting\n";
232 git_for_each_ref('refs/tags', sub {
233 my ($objid,$objtype,$fullrefname,$tagname) = @_;
234 add_taint_by_tag($tagname,$objid);
241 die unless @ARGV >= 4;
242 $version = shift @ARGV;
243 $suite = shift @ARGV;
244 $tagname = shift @ARGV;
245 my $delibs = shift @ARGV;
246 foreach my $delib (split /\,/, $delibs) {
247 $deliberately{$delib} = 1;
251 sub deliberately ($) { return $deliberately{$_[0]}; }
257 return 0 unless $pkg_exists;
258 return 0 unless $pkg_secret;
260 # we suppose that NEW has a version which is already in our
261 # history, as otherwise the repo would have been blown away
263 if (deliberately('not-fast-forward')) {
264 add_taint(server_ref($suite),
265 "suite $suite when --deliberately-not-fast-forward".
266 " specified in signed tag $tagname for upload of".
267 " version $version into suite $suite");
268 return NOFFCHECK|FRESHREPO;
270 if (deliberately('include-questionable-history')) {
273 die "Package is in NEW and has not been accepted or rejected yet;".
274 " use a --deliberately option to specify whether you are".
275 " keeping or discarding the previously pushed history. ".
276 " Please RTFM dgit(1).\n";
279 sub action_push_confirm () {
282 die unless @ARGV >= 1;
283 my $freshrepo = shift @ARGV;
285 my $initq = $poldbh->prepare(<<END);
286 SELECT taint_id, gitobjid FROM taints t
287 WHERE (package = ? OR package = '')
289 $initq->execute($pkg);
292 my $chkinput = tempfile();
293 while (my $taint = $initq->fetchrow_hashref()) {
294 push @taintids, $taint->{taint_id};
295 print $chkinput $taint->{gitobjid}, "\n" or die $!;
297 flush $chkinput or die $!;
298 seek $chkinput,0,0 or die $!;
300 my $checkpid = open CHKOUT, "-|" // die $!;
302 open STDIN, "<&", $chkinput or die $!;
303 exec qw(git cat-file --batch) or die $!;
306 my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
308 my $overridesstmt = <<END;
309 SELECT deliberately FROM taintoverrides WHERE (
312 my @overridesv = sort keys %deliberately;
313 $overridesstmt .= <<END foreach @overridesv;
316 $overridesstmt .= <<END;
318 ORDER BY deliberately ASC
323 while (my $taintid = shift @taintids) {
324 # git cat-file prints a spurious newline after it gets EOF
325 # This is not documented. I guess it might go away. So we
326 # just read what we expect and then let it get SIGPIPE.
328 die "$? $!" unless defined $_;
330 next if m/^\w+ missing$/;
331 die unless m/^(\w+) (\w+) (\d+)\s/;
332 my ($objid,$objtype,$nbytes) = ($1,$2,$3);
335 (read CHKOUT, $drop, $nbytes) == $nbytes or die;
337 $taintinfoq ||= $poldbh->prepare(<<END);
338 SELECT package, time, comment FROM taints WHERE taint_id = ?
340 $taintinfoq->execute($taintid);
342 my $ti = $taintinfoq->fetchrow_hashref();
345 my $timeshow = defined $ti->{time}
346 ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
348 my $pkgshow = length $ti->{package}
349 ? "package $ti->{package}"
354 History contains tainted $objtype $objid
355 Taint recorded$timeshow for $pkgshow
356 Reason: $ti->{comment}
359 printdebug "SQL overrides: @overridesv $taintid /\n$overridesstmt\n";
361 $overridesq ||= $poldbh->prepare($overridesstmt);
362 $overridesq->execute(@overridesv, $taintid);
363 my ($ovwhy) = $overridesq->fetchrow_array();
364 if (!defined $ovwhy) {
365 $overridesanyq ||= $poldbh->prepare(<<END);
366 SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
368 $overridesanyq->execute($taintid);
369 my ($ovany) = $overridesanyq->fetchrow_array();
370 $stderr .= $ovany ? <<END : <<END;
371 Could be forced using --deliberately. Consult documentation.
373 Uncorrectable error. If confused, consult administrator.
378 Forcing due to --deliberately-$ovwhy
380 $untaintq ||= $poldbh->prepare(<<END);
381 DELETE FROM taints WHERE taint_id = ?
383 $untaintq->execute($taintid);
391 Rejecting push due to questionable history.
396 if (length $freshrepo) {
397 if (!good_suite_has_vsn_in_our_history()) {
398 stat $freshrepo or die "$freshrepo $!";
399 my $oldmode = ((stat _)[2]);
400 my $oldwrites = $oldmode & 0222;
401 # remove r and x bits which have corresponding w bits clear
402 my $newmode = $oldmode &
403 (~0555 | ($oldwrites << 1) | ($oldwrites >> 1));
404 printdebug sprintf "chmod %#o (was %#o) %s\n",
405 $newmode, $oldmode, $freshrepo;
406 chmod $newmode, $freshrepo or die $!;
407 utime undef, undef, $freshrepo or die $!;
414 sub action_check_list () {
415 opendir L, "$repos" or die "$repos $!";
416 while (defined (my $dent = readdir L)) {
417 next unless $dent =~ m/^($package_re)\.git$/;
420 next unless $pkg_exists;
421 next unless $pkg_secret;
422 print "$pkg\n" or die $!;
424 closedir L or die $!;
425 close STDOUT or die $!;
430 my $fn = ${*::}{"action_$action"};
432 printdebug "dgit-repos-policy-debian: unknown action $action\n";
440 poldb_setup(poldb_path($repos));
444 die unless defined $rcode;
446 eval { $poldbh->commit; };
447 last unless length $@;
449 die if $sleepy >= 20;
450 print STDERR "[policy database busy, retrying]\n";
456 print STDERR $stderr;