Infra: dgit-repos-server-debian: Run check_package on push

[dgit.git] / infra / dgit-repos-policy-debian

diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index 8a105366211754a5d04541bdd0d0d33724a465e6..e665a636566242c95b844c518a3eebaad93870ce 100755 (executable)
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -17,6 +17,8 @@ use Debian::Dgit::Policy::Debian;
 initdebug('%');
 enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};
 
+END { $? = 127; } # deliberate exit uses _exit
+
 our $distro = shift @ARGV // die "need DISTRO";
 our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
 our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
@@ -98,15 +100,16 @@ sub apiquery ($) {
 
 sub specific_suite_has_vsn_in_our_history ($) {
     my ($suite) = @_;
-    my $in_suite = apiquery "/dsc_in_suite/$suite/$pkg";
+    my $in_suite = apiquery "dsc_in_suite/$suite/$pkg";
     foreach my $entry (@$in_suite) {
        my $vsn = $entry->{version};
        die "$pkg ?" unless defined $vsn;
-       my $tag = debiantag $vsn;
-       $?=0; my $r = system qw(git show-ref --verify --quiet), $tag;
+       my $tagref = "refs/tags/".debiantag $vsn;
+       printdebug " checking history suite=$suite vsn=$vsn tagref=$tagref\n";
+       $?=0; my $r = system qw(git show-ref --verify --quiet), $tagref;
        return 1 if !$r;
        next if $r==256;
-       die "$pkg tag $tag $? $!";
+       die "$pkg tagref $tagref $? $!";
     }
     return 0;
 }
@@ -116,7 +119,7 @@ sub new_has_vsn_in_our_history () {
 }
 
 sub good_suite_has_vsn_in_our_history () {
-    my $suites = apiquery "/suites";
+    my $suites = apiquery "suites";
     foreach my $suitei (@$suites) {
        my $suite = $suitei->{name};
        die unless defined $suite;
@@ -203,8 +206,7 @@ sub add_taint_by_tag ($$) {
              " removed from NEW (ie, rejected) (or never arrived)");
 }
 
-sub action_check_package () {
-    getpackage();
+sub check_package () {
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;
 
@@ -217,15 +219,16 @@ sub action_check_package () {
     my $age = time -  $mtime;
     printdebug "check_package age=$age\n";
 
-    return 0 if $age < $new_upload_propagation_slop;
-
-    return 0 if new_has_vsn_in_our_history();
-
     if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
+       $pkg_secret = 0;
        return 0;
     }
 
+    return 0 if $age < $new_upload_propagation_slop;
+
+    return 0 if new_has_vsn_in_our_history();
+
     printdebug "check_package secret, deleted, tainting\n";
 
     git_for_each_ref('refs/tags', sub {
@@ -236,6 +239,11 @@ sub action_check_package () {
     return FRESHREPO;
 }
 
+sub action_check_package () {
+    getpackage();
+    return check_package();
+}
+
 sub getpushinfo () {
     die unless @ARGV >= 4;
     $version = shift @ARGV;
@@ -247,12 +255,14 @@ sub getpushinfo () {
     }
 }
 
-sub deliberately ($) { return $deliberately{$_[0]}; }
+sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
 
 sub action_push () {
     getpackage();
     getpushinfo();
 
+    check_package(); # might make package public, or might add taints
+
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;
 
@@ -261,9 +271,9 @@ sub action_push () {
 
     if (deliberately('not-fast-forward')) {
        add_taint(server_ref($suite),
-                 "suite $suite when --deliberately-not-fast-forward".
+                 "rewound suite $suite; --deliberately-not-fast-forward".
                  " specified in signed tag $tagname for upload of".
-                 " version $version into suite $suite");
+                 " version $version");
        return NOFFCHECK|FRESHREPO;
     }
     if (deliberately('include-questionable-history')) {
@@ -287,11 +297,17 @@ sub action_push_confirm () {
 END
     $initq->execute($pkg);
 
+    my @objscatcmd = qw(git);
+    push @objscatcmd, qw(--git-dir), $freshrepo if length $freshrepo;
+    push @objscatcmd, qw(cat-file --batch);
+    debugcmd '|',@objscatcmd if $debuglevel>=2;
+
     my @taintids;
     my $chkinput = tempfile();
     while (my $taint = $initq->fetchrow_hashref()) {
        push @taintids, $taint->{taint_id};
        print $chkinput $taint->{gitobjid}, "\n" or die $!;
+       printdebug '|> ', $taint->{gitobjid}, "\n" if $debuglevel>=2;
     }
     flush $chkinput or die $!;
     seek $chkinput,0,0 or die $!;
@@ -299,7 +315,7 @@ END
     my $checkpid = open CHKOUT, "-|" // die $!;
     if (!$checkpid) {
        open STDIN, "<&", $chkinput or die $!;
-       exec qw(git cat-file --batch) or die $!;
+       exec @objscatcmd or die $!;
     }
 
     my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
@@ -325,6 +341,7 @@ END
        # just read what we expect and then let it get SIGPIPE.
        $!=0; $_ = <CHKOUT>;
        die "$? $!" unless defined $_;
+       printdebug "|< ", $_ if $debuglevel>=2;
 
        next if m/^\w+ missing$/;
        die unless m/^(\w+) (\w+) (\d+)\s/;
@@ -433,7 +450,7 @@ if (!$fn) {
 }
 
 my $sleepy=0;
-our $rcode = 127;
+my $rcode;
 
 for (;;) {
     poldb_setup(poldb_path($repos));
@@ -452,5 +469,6 @@ for (;;) {
     $poldbh->rollback;
 }
 
-print STDERR $stderr;
-exit $rcode;
+print STDERR $stderr or die $!;
+flush STDERR or die $!;
+_exit $rcode;