# dgit repos policy hook script for Debian
use strict;
+$SIG{__WARN__} = sub { die $_[0]; };
+
use POSIX;
use JSON;
use File::Temp qw(tempfile);
use DBI;
use IPC::Open2;
+use Data::Dumper;
use Debian::Dgit qw(:DEFAULT :policyflags);
use Debian::Dgit::Policy::Debian;
+initdebug('%');
+enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};
+
our $distro = shift @ARGV // die "need DISTRO";
our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
+our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
+our $distrodir = shift @ARGV // die "need DISTRO-DIR";
our $action = shift @ARGV // die "need ACTION";
our $publicmode = 02775;
-our $new_upload_propagation_slop = 3600*4 + 100;
+our $new_upload_propagation_slop = 3600*4 + 100;# fixme config;
our $poldbh;
our $pkg;
sub apiquery ($) {
my ($subpath) = @_;
local $/=undef;
- $!=0; $?=0; my $json = `dgit -d $distro archive-api-query $subpath`;
- defined $json or die "$subpath $! $?";
- return decode_json $json;
+ my $cmd = "$dgitlive/dgit -d$distro \$DGIT_TEST_OPTS";
+ $cmd .= " -".("D" x $debuglevel) if $debuglevel;
+ $cmd .= " archive-api-query $subpath";
+ printdebug "apiquery $cmd\n";
+ $!=0; $?=0; my $json = `$cmd`;
+ defined $json && !$? or die "$subpath $! $?";
+ my $r = decode_json $json;
+ my $d = new Data::Dumper([$r], [qw(r)]);
+ printdebug "apiquery $subpath | ", $d->Dump() if $debuglevel>=2;
+ return $r;
}
sub specific_suite_has_vsn_in_our_history ($) {
}
sub new_has_vsn_in_our_history () {
- stat $pkgdir or die "$pkgdir $!";
- my $mtime = ((stat _)[9]);
- my $age = time - $mtime;
- return 1 if $age < $new_upload_propagation_slop;
return specific_suite_has_vsn_in_our_history('new');
}
return 0;
}
-sub getpackage () {
- die unless @ARGV >= 1;
- $pkg = shift @ARGV;
- die unless $pkg =~ m/^$package_re$/;
-
- $pkgdir = "$repos/$pkg";
+sub statpackage () {
+ $pkgdir = "$repos/$pkg.git";
if (!stat_exists $pkgdir) {
+ printdebug "statpackage $pkg => ENOENT\n";
$pkg_exists = 0;
} else {
$pkg_exists = 1;
$pkg_secret = !!(~(stat _)[2] & 05);
+ printdebug "statpackage $pkg => exists, secret=$pkg_secret.\n";
}
}
+sub getpackage () {
+ die unless @ARGV >= 1;
+ $pkg = shift @ARGV;
+ die unless $pkg =~ m/^$package_re$/;
+
+ statpackage();
+}
+
sub add_taint ($$) {
- my ($refobj, $reason);
+ my ($refobj, $reason) = @_;
+
+ printdebug "TAINTING $refobj\n",
+ (map { "\%| $_" } split "\n", $reason),
+ "\n";
my $tf = new File::Temp or die $!;
print $tf "$refobj^0\n" or die $!;
+ flush $tf or die $!;
+ seek $tf,0,0 or die $!;
my $gcfpid = open GCF, "-|";
defined $gcfpid or die $!;
if (!$gcfpid) {
open STDIN, "<&", $tf or die $!;
- exec 'git', 'cat-file';
+ exec 'git', 'cat-file', '--batch';
die $!;
}
close $tf or die $!;
$_ = <GCF>;
+ defined $_ or die;
m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
my $gitobjid = $1;
my $gitobjtype = $2;
close GCF;
$poldbh->do("INSERT INTO taints".
- " (package, gitobjid, gitobjtype, gitobjdata, time, comment)",
+ " (package, gitobjid, gitobjtype, gitobjdata, time, comment)".
" VALUES (?,?,?,?,?,?)", {},
$pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);
die unless defined $taint_id;
$poldbh->do("INSERT INTO taintoverrides".
- " (taint_id, deliberately)",
- " VALUES (?, 'include-questionable-history')", {},
- $taint_id);
+ " (taint_id, deliberately)".
+ " VALUES (?, '--deliberately-include-questionable-history')",
+ {}, $taint_id);
}
sub add_taint_by_tag ($$) {
" removed from NEW (ie, rejected) (or never arrived)");
}
-sub action__check_package () {
+sub action_check_package () {
getpackage();
return 0 unless $pkg_exists;
return 0 unless $pkg_secret;
+ printdebug "check_package\n";
+
chdir $pkgdir or die "$pkgdir $!";
- return if new_has_vsn_in_our_history();
+
+ stat '.' or die "$pkgdir $!";
+ my $mtime = ((stat _)[9]);
+ my $age = time - $mtime;
+ printdebug "check_package age=$age\n";
+
+ return 0 if $age < $new_upload_propagation_slop;
+
+ return 0 if new_has_vsn_in_our_history();
if (good_suite_has_vsn_in_our_history) {
chmod $publicmode, "." or die $!;
return 0;
}
+ printdebug "check_package secret, deleted, tainting\n";
+
git_for_each_ref('refs/tags', sub {
my ($objid,$objtype,$fullrefname,$tagname) = @_;
add_taint_by_tag($tagname,$objid);
}
sub action_push_confirm () {
+ getpackage();
+ die unless @ARGV >= 5;
+ my $freshrepo = $ARGV[4];
+
my $initq = $poldbh->prepare(<<END);
SELECT taint_id, gitobjid FROM taints t
WHERE (package = ? OR package = '')
my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
my $overridesstmt = <<END;
- SELECT deliberately FROM taintoverrides WHERE ( 1
+ SELECT deliberately FROM taintoverrides WHERE (
+ 1=0
END
my @overridesv = sort keys %deliberately;
- $overridesstmt .= join '', (<<END x @overridesv);
+ $overridesstmt .= <<END foreach @overridesv;
OR deliberately = ?
END
$overridesstmt .= <<END;
Reason: $ti->{comment}
END
+ printdebug "SQL overrides: @overridesv $taintid /\n$overridesstmt\n";
+
$overridesq ||= $poldbh->prepare($overridesstmt);
$overridesq->execute(@overridesv, $taintid);
my ($ovwhy) = $overridesq->fetchrow_array();
return 1;
}
+ if (length $freshrepo) {
+ if (!good_suite_has_vsn_in_our_history()) {
+ stat $freshrepo or die "$freshrepo $!";
+ my $oldmode = ((stat _)[2]);
+ my $oldwrites = $oldmode & 0222;
+ # remove r and x bits which have corresponding w bits clear
+ my $newmode = $oldmode &
+ (~0555 | ($oldwrites << 1) | ($oldwrites >> 1));
+ printdebug sprintf "chmod %#o (was %#o) %s\n",
+ $newmode, $oldmode, $freshrepo;
+ chmod $newmode, $freshrepo or die $!;
+ utime undef, undef, $freshrepo or die $!;
+ }
+ }
+
+ return 0;
+}
+
+sub action_check_list () {
+ opendir L, "$repos" or die "$repos $!";
+ while (defined (my $dent = readdir L)) {
+ next unless $dent =~ m/^($package_re)\.git$/;
+ $pkg = $1;
+ statpackage();
+ next unless $pkg_exists;
+ next unless $pkg_secret;
+ print "$pkg\n" or die $!;
+ }
+ closedir L or die $!;
+ close STDOUT or die $!;
return 0;
}
$action =~ y/-/_/;
my $fn = ${*::}{"action_$action"};
if (!$fn) {
+ printdebug "dgit-repos-policy-debian: unknown action $action\n";
exit 0;
}