X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=blobdiff_plain;f=infra%2Fdgit-repos-policy-debian;h=cff5d06cd33d80107a281dad33135db87e81e99d;hp=66bf8be6d63ffc937e776c78c04cb95fe8ef3b5a;hb=86cbeb5e4396d0722aaf3049cc01d084117bb8a4;hpb=b7dec4080f555d202570cd3293465db52a9139ec
diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index 66bf8be6..cff5d06c 100755
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -1,42 +1,60 @@
#!/usr/bin/perl -w
# dgit repos policy hook script for Debian
#
-# usages:
-# dgit-repos-policy-debian DISTRO DGIT-REPOS-DIR ACTION...
-# ie.
-# dgit-repos-policy-debian ... check-list [...]
-# dgit-repos-policy-debian ... check-package PACKAGE [...]
-# dgit-repos-policy-debian ... push PACKAGE \
-# VERSION SUITE TAGNAME DELIBERATELIES [...]
+# Copyright (C) 2015-2016 Ian Jackson
#
-# cwd for push is a temporary repo where the to-be-pushed objects have
-# been received; TAGNAME is the version-based tag
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
#
-# if push requested FRESHREPO, push-confirm happens in said fresh repo
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
#
-# policy hook for a particular package will be invoked only once at
-# a time
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
use strict;
+
+use Debian::Dgit::Infra; # must precede Debian::Dgit; - can change @INC!
+use Debian::Dgit qw(:DEFAULT :policyflags);
+setup_sigwarn();
+
use POSIX;
use JSON;
-use File::Temp;
+use File::Temp qw(tempfile);
+use DBI;
+use IPC::Open2;
+use Data::Dumper;
-use Debian::Dgit qw(:DEFAULT :policyflags);
+use Debian::Dgit::Policy::Debian;
+
+initdebug('%');
+enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};
+
+END { $? = 127; } # deliberate exit uses _exit
our $distro = shift @ARGV // die "need DISTRO";
our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
+our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
+our $distrodir = shift @ARGV // die "need DISTRO-DIR";
our $action = shift @ARGV // die "need ACTION";
our $publicmode = 02775;
-our $policydb = "dbi:SQLite:$repos/policy";
-our $new_upload_propagation_slop = 3600*4 + 100;
+our $new_upload_propagation_slop = 3600*4 + 100;# fixme config;
our $poldbh;
our $pkg;
our $pkgdir;
our ($pkg_exists,$pkg_secret);
+our $stderr;
+
+our ($version,$suite,$tagname);
+our %deliberately;
+
# We assume that it is not possible for NEW to have a version older
# than sid.
@@ -66,135 +84,148 @@ our ($pkg_exists,$pkg_secret);
# [1] looking for the relevant git tag for the version number and not
# caring what that tag refers to.
#
+# When we are doing a push to a fresh repo, any version will do: in
+# this case, this is the first dgit upload of an existing package,
+# and we trust that the uploader hasn't included in their git
+# history any previous non-dgit uploads.
+#
# A wrinkle: if we approved a push recently, we treat NEW as having
# a version which is in our history. This is because the package may
# still be being uploaded. (We record this using the timestamp of the
# package's git repo directory.)
-
-sub poldb_setup () {
- $poldbh = DBI->connect($policydb,'','', {
- RaiseError=>1, PrintError=>1, AutoCommit=>0
- });
- $poldbh->do("PRAGMA foreign_keys = ON");
-
- $poldbh->do(<do(<do(<commit;
-}
+# We aim for the following invariants and properties:
+#
+# - .dsc of published dgit package will have corresponding publicly
+# visible dgit-repo (soon)
+#
+# - when a new package is rejected we help maintainer avoid
+# accidentally including bad objects in published dgit history
+#
+# - .dsc of NEW dgit package has corresponding dgit-repo but not
+# publicly readable
sub apiquery ($) {
my ($subpath) = @_;
local $/=undef;
- $!=0; $?=0; my $json = `dgit -d $distro archive-api-query $subpath`;
- defined $json or die "$subpath $! $?";
- return decode_json $json;
+ my $dgit = "$dgitlive/dgit";
+ $dgit = "dgit" if !stat_exists $dgit;
+ my $cmd = "$dgit -d$distro \$DGIT_TEST_OPTS";
+ $cmd .= " -".("D" x $debuglevel) if $debuglevel;
+ $cmd .= " archive-api-query $subpath";
+ printdebug "apiquery $cmd\n";
+ $!=0; $?=0; my $json = `$cmd`;
+ defined $json && !$? or die "$subpath $! $?";
+ my $r = decode_json $json;
+ my $d = new Data::Dumper([$r], [qw(r)]);
+ printdebug "apiquery $subpath | ", $d->Dump() if $debuglevel>=2;
+ return $r;
+}
+
+sub vsn_in_our_history ($) {
+ my ($vsn) = @_;
+
+ # Eventually, when we withdraw support for old-format (DEP-14
+ # namespace) tags, we will need to change this to only look
+ # for debiantag_new. See the commit
+ # "Tag change: Update dgit-repos-policy-debian"
+ # (reverting which is a good start for that change).
+
+ my @tagrefs = map { "refs/tags/".$_ } debiantags $vsn, $distro;
+ printdebug " checking history vsn=$vsn tagrefs=@tagrefs\n";
+ open F, "-|", qw(git for-each-ref), @tagrefs;
+ $_ = ;
+ close F;
+ return 1 if defined && m/\S/;
+ die "$pkg tagrefs @tagrefs $? $!" if $?;
+ return 0;
}
-sub specific_suite_has_vsn_in_our_history ($) {
- my ($suite) = @_;
- my $in_new = apiquery "/dsc_in_suite/$suite/$pkg";
- foreach my $entry (@$in_new) {
+sub specific_suite_has_suitable_vsn ($$) {
+ my ($suite, $vsn_check) = @_; # tests $vsn_check->($version)
+ my $in_suite = apiquery "dsc_in_suite/$suite/$pkg";
+ foreach my $entry (@$in_suite) {
my $vsn = $entry->{version};
die "$pkg ?" unless defined $vsn;
- my $tag = debiantag $vsn;
- $?=0; my $r = system qw(git show-ref --verify --quiet), $tag;
- return 1 if !$r;
- next if $r==256;
- die "$pkg tag $tag $? $!";
+ printdebug " checking history found suite=$suite vsn=$vsn\n";
+ return 1 if $vsn_check->($vsn);
}
return 0;
}
sub new_has_vsn_in_our_history () {
- stat $pkgdir or die "$pkgdir $!";
- my $mtime = ((stat _)[9]);
- my $age = time - $mtime;
- return 1 if $age < $new_upload_propagation_slop;
- return specific_suite_has_vsn_in_our_history('new');
+ return specific_suite_has_suitable_vsn('new', \&vsn_in_our_history);
}
-sub good_suite_has_vsn_in_our_history () {
- my $suites = apiquery "/suites";
+sub good_suite_has_suitable_vsn ($) {
+ my ($vsn_check) = @_; # as for specific_suite_has_specific_vsn
+ my $suites = apiquery "suites";
foreach my $suitei (@$suites) {
my $suite = $suitei->{name};
die unless defined $suite;
next if $suite =~ m/\bnew$/;
- return 1 if specific_suite_has_vsn_in_our_history($suite);
+ return 1 if specific_suite_has_suitable_vsn($suite, $vsn_check);
}
return 0;
}
+sub statpackage () {
+ $pkgdir = "$repos/$pkg.git";
+ if (!stat_exists $pkgdir) {
+ printdebug "statpackage $pkg => ENOENT\n";
+ $pkg_exists = 0;
+ } else {
+ $pkg_exists = 1;
+ $pkg_secret = !!(~(stat _)[2] & 05);
+ printdebug "statpackage $pkg => exists, secret=$pkg_secret.\n";
+ }
+}
+
sub getpackage () {
- die unless @ARGV > 1;
+ die unless @ARGV >= 1;
$pkg = shift @ARGV;
- die if $pkg =~ m#[^-+.0-9a-z]#;
- die unless $pkg =~ m#^[^-]#;
+ die unless $pkg =~ m/^$package_re$/;
- $pkgdir = "$repos/$pkg";
- if (!stat $pkgdir) {
- die "$pkgdir $!" unless $!==ENOENT;
- $pkg_exists = 0;
- }
- $pkg_exists = 1;
- $pkg_secret = !!(~(stat _)[2] & 05);
+ statpackage();
}
sub add_taint ($$) {
- my ($gitobjid, $gitobjtype, $reason) = @_;
+ my ($refobj, $reason) = @_;
+
+ printdebug "TAINTING $refobj\n",
+ (map { "\%| $_" } split "\n", $reason),
+ "\n";
my $tf = new File::Temp or die $!;
- print $tf "$gitobjid\n" or die $!;
+ print $tf "$refobj^0\n" or die $!;
+ flush $tf or die $!;
+ seek $tf,0,0 or die $!;
my $gcfpid = open GCF, "-|";
defined $gcfpid or die $!;
if (!$gcfpid) {
open STDIN, "<&", $tf or die $!;
- exec 'git', 'cat-file';
+ exec 'git', 'cat-file', '--batch';
die $!;
}
close $tf or die $!;
$_ = ;
- m/^(\w+) (\w+) (\d+)\n/ or die "$objline ?";
- $1 eq $gitobjid or die "$! $gitobjid ?";
- $2 eq $gitobjtype or die "$! $gitobjtype ?";
+ defined $_ or die;
+ m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
+ my $gitobjid = $1;
+ my $gitobjtype = $2;
my $bytes = $3;
my $gitobjdata;
- $!=0; read GCF, $gitobjdata, $bytes == $bytes or die "$gitobjid $bytes $!";
+ if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
+ $!=0; read GCF, $gitobjdata, $bytes == $bytes
+ or die "$gitobjid $bytes $!";
+ }
close GCF;
$poldbh->do("INSERT INTO taints".
- " (package, gitobjid, gitobjtype, gitobjdata, time, comment)",
+ " (package, gitobjid, gitobjtype, gitobjdata, time, comment)".
" VALUES (?,?,?,?,?,?)", {},
$pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);
@@ -202,61 +233,306 @@ sub add_taint ($$) {
die unless defined $taint_id;
$poldbh->do("INSERT INTO taintoverrides".
- " (taint_id, 'include-questionable-history')",
- " VALUES (?)", {},
- $taint_id);
+ " (taint_id, deliberately)".
+ " VALUES (?, '--deliberately-include-questionable-history')",
+ {}, $taint_id);
}
+sub add_taint_by_tag ($$) {
+ my ($tagname,$refobjid) = @_;
+ add_taint($refobjid,
+ "tag $tagname referred to this object in git tree but all".
+ " previously pushed versions were found to have been".
+ " removed from NEW (ie, rejected) (or never arrived)");
+}
-sub action__check_package () {
- getpackage();
+sub check_package () {
return 0 unless $pkg_exists;
return 0 unless $pkg_secret;
+ printdebug "check_package\n";
+
chdir $pkgdir or die "$pkgdir $!";
- return if new_has_vsn_in_our_history();
- if (good_suite_has_vsn_in_our_history) {
+ stat '.' or die "$pkgdir $!";
+ my $mtime = ((stat _)[9]);
+ my $age = time - $mtime;
+ printdebug "check_package age=$age\n";
+
+ if (good_suite_has_suitable_vsn(\&vsn_in_our_history)) {
chmod $publicmode, "." or die $!;
+ $pkg_secret = 0;
return 0;
}
+ return 0 if $age < $new_upload_propagation_slop;
+
+ return 0 if new_has_vsn_in_our_history();
+
+ printdebug "check_package secret, deleted, tainting\n";
+
git_for_each_ref('refs/tags', sub {
my ($objid,$objtype,$fullrefname,$tagname) = @_;
- add_taint($objid,$objtype,
- "tag $tagname referred to this object in git tree but all".
- " previously pushed versions were found to have been".
- " removed from NEW (ie, rejected) (or never arrived)");
+ add_taint_by_tag($tagname,$objid);
});
- $?=0; $!=0; close TAGL or die "git for-each-ref $? $!";
return FRESHREPO;
}
-sub action_push () {
- # we suppose that NEW has a version which is already in our
- # history, as otherwise the repo would have been blown away
+sub action_check_package () {
+ getpackage();
+ return check_package();
+}
+
+sub getpushinfo () {
+ die unless @ARGV >= 4;
+ $version = shift @ARGV;
+ $suite = shift @ARGV;
+ $tagname = shift @ARGV;
+ my $delibs = shift @ARGV;
+ foreach my $delib (split /\,/, $delibs) {
+ $deliberately{$delib} = 1;
+ }
+}
+sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
+
+sub action_push () {
getpackage();
+ getpushinfo();
+
+ check_package(); # might make package public, or might add taints
+
return 0 unless $pkg_exists;
return 0 unless $pkg_secret;
- xxx up to here
+ # we suppose that NEW has a version which is already in our
+ # history, as otherwise the repo would have been blown away
+
+ if (deliberately('not-fast-forward')) {
+ add_taint(server_ref($suite),
+ "rewound suite $suite; --deliberately-not-fast-forward".
+ " specified in signed tag $tagname for upload of".
+ " version $version");
+ return NOFFCHECK|FRESHREPO;
+ }
+ if (deliberately('include-questionable-history')) {
+ return 0;
+ }
+ die "\nPackage is in NEW and has not been accepted or rejected yet;".
+ " use a --deliberately option to specify whether you are".
+ " keeping or discarding the previously pushed history. ".
+ " Please RTFM dgit(1).\n\n";
}
+sub action_push_confirm () {
+ getpackage();
+ getpushinfo();
+ die unless @ARGV >= 1;
+ my $freshrepo = shift @ARGV;
+
+ my $initq = $poldbh->prepare(<execute($pkg);
+
+ my @objscatcmd = qw(git);
+ push @objscatcmd, qw(--git-dir), $freshrepo if length $freshrepo;
+ push @objscatcmd, qw(cat-file --batch);
+ debugcmd '|',@objscatcmd if $debuglevel>=2;
+
+ my @taintids;
+ my $chkinput = tempfile();
+ while (my $taint = $initq->fetchrow_hashref()) {
+ push @taintids, $taint->{taint_id};
+ print $chkinput $taint->{gitobjid}, "\n" or die $!;
+ printdebug '|> ', $taint->{gitobjid}, "\n" if $debuglevel>=2;
+ }
+ flush $chkinput or die $!;
+ seek $chkinput,0,0 or die $!;
+
+ my $checkpid = open CHKOUT, "-|" // die $!;
+ if (!$checkpid) {
+ open STDIN, "<&", $chkinput or die $!;
+ delete $ENV{GIT_ALTERNATE_OBJECT_DIRECTORIES};
+ # ^ recent versions of git set this in the environment of
+ # receive hooks. This can cause us to see things which
+ # the user is trying to abolish.
+ exec @objscatcmd or die $!;
+ }
+
+ my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
+
+ my $overridesstmt = <;
+ die "($taintid @objscatcmd) $!" unless defined $_;
+ printdebug "|< ", $_ if $debuglevel>=2;
+
+ next if m/^\w+ missing$/;
+ die "($taintid @objscatcmd) $_ ?" unless m/^(\w+) (\w+) (\d+)\s/;
+ my ($objid,$objtype,$nbytes) = ($1,$2,$3);
+
+ my $drop;
+ (read CHKOUT, $drop, $nbytes) == $nbytes
+ or die "($taintid @objscatcmd) $!";
+
+ $!=0; $_ = ;
+ die "($taintid @objscatcmd) $!" unless defined $_;
+ die "($taintid @objscatcmd) $_ ?" if m/\S/;
+
+ $taintinfoq ||= $poldbh->prepare(<execute($taintid);
+
+ my $ti = $taintinfoq->fetchrow_hashref();
+ die "($taintid)" unless $ti;
+
+ my $timeshow = defined $ti->{time}
+ ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
+ : "";
+ my $pkgshow = length $ti->{package}
+ ? "package $ti->{package}"
+ : "any package";
+
+ $stderr .= <{comment}
+END
+
+ printdebug "SQL overrides: @overridesv $taintid /\n$overridesstmt\n";
+ $overridesq ||= $poldbh->prepare($overridesstmt);
+ $overridesq->execute(@overridesv, $taintid);
+ my ($ovwhy) = $overridesq->fetchrow_array();
+ if (!defined $ovwhy) {
+ $overridesanyq ||= $poldbh->prepare(<execute($taintid);
+ my ($ovany) = $overridesanyq->fetchrow_array();
+ $stderr .= $ovany ? <prepare(<execute($taintid);
+ }
+ }
+ close CHKOUT;
+
+ if ($mustreject) {
+ $stderr .= <> 1));
+ printdebug sprintf "chmod %#o (was %#o) %s\n",
+ $newmode, $oldmode, $freshrepo;
+ chmod $newmode, $freshrepo or die $!;
+ utime undef, undef, $freshrepo or die $!;
+ }
+ }
+
+ return 0;
}
-my $fn = ${*::}{"action__$cmd"};
-$fn or die "unknown ACTION";
+sub action_check_list () {
+ opendir L, "$repos" or die "$repos $!";
+ while (defined (my $dent = readdir L)) {
+ next unless $dent =~ m/^($package_re)\.git$/;
+ $pkg = $1;
+ statpackage();
+ next unless $pkg_exists;
+ next unless $pkg_secret;
+ print "$pkg\n" or die $!;
+ }
+ closedir L or die $!;
+ close STDOUT or die $!;
+ return 0;
+}
+
+$action =~ y/-/_/;
+my $fn = ${*::}{"action_$action"};
+if (!$fn) {
+ printdebug "dgit-repos-policy-debian: unknown action $action\n";
+ exit 0;
+}
+
+my $sleepy=0;
+my $rcode;
+
+my $db_busy_exception= 'Debian::Dgit::Policy::Debian::DB_BUSY';
+
+my @orgargv = @ARGV;
-poldb_setup();
+for (;;) {
+ @ARGV = @orgargv;
+ eval {
+ poldb_setup(poldb_path($repos), sub {
+ $poldbh->{HandleError} = sub {
+ return 0 unless $poldbh->err == 5; # SQLITE_BUSY, not in .pm :-(
+ die bless { }, $db_busy_exception;
+ };
-my $rcode = $fn->();
-die unless defined $rcode;
+ eval ($ENV{'DGIT_RPD_TEST_DBLOOP_HOOK'}//'');
+ die $@ if length $@;
+ # used by tests/tests/debpolicy-dbretry
+ });
+
+ $stderr = '';
+
+ $rcode = $fn->();
+ die unless defined $rcode;
+
+ $poldbh->commit;
+ };
+ last unless length $@;
+ die $@ unless ref $@ eq $db_busy_exception;
+
+ die if $sleepy >= 20;
+ $sleepy++;
+ print STDERR "[policy database busy, retrying (${sleepy}s)]\n";
+
+ eval { $poldbh->rollback; };
+}
-poldb_commit();
-exit $rcode;
+print STDERR $stderr or die $!;
+flush STDERR or die $!;
+_exit $rcode;