Infra: dgit-repos-server-debian: Run check_package on push

[dgit.git] / infra / dgit-repos-policy-debian

diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index 30dbbbeca15cb71a9c0b7d47e460e76cfb5b17db..e665a636566242c95b844c518a3eebaad93870ce 100755 (executable)
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -206,8 +206,7 @@ sub add_taint_by_tag ($$) {
              " removed from NEW (ie, rejected) (or never arrived)");
 }
 
-sub action_check_package () {
-    getpackage();
+sub check_package () {
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;
 
@@ -220,15 +219,16 @@ sub action_check_package () {
     my $age = time -  $mtime;
     printdebug "check_package age=$age\n";
 
-    return 0 if $age < $new_upload_propagation_slop;
-
-    return 0 if new_has_vsn_in_our_history();
-
     if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
+       $pkg_secret = 0;
        return 0;
     }
 
+    return 0 if $age < $new_upload_propagation_slop;
+
+    return 0 if new_has_vsn_in_our_history();
+
     printdebug "check_package secret, deleted, tainting\n";
 
     git_for_each_ref('refs/tags', sub {
@@ -239,6 +239,11 @@ sub action_check_package () {
     return FRESHREPO;
 }
 
+sub action_check_package () {
+    getpackage();
+    return check_package();
+}
+
 sub getpushinfo () {
     die unless @ARGV >= 4;
     $version = shift @ARGV;
@@ -256,6 +261,8 @@ sub action_push () {
     getpackage();
     getpushinfo();
 
+    check_package(); # might make package public, or might add taints
+
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;
 
@@ -291,6 +298,7 @@ END
     $initq->execute($pkg);
 
     my @objscatcmd = qw(git);
+    push @objscatcmd, qw(--git-dir), $freshrepo if length $freshrepo;
     push @objscatcmd, qw(cat-file --batch);
     debugcmd '|',@objscatcmd if $debuglevel>=2;