# NOCOMMITCHECK (8)
# suppress dgit-repos-server's check that commits do
# not lack "committer" info (eg as produced by #849041)
+# ("push" only)
# any unexpected bits mean failure, and then known set bits are ignored
# if no unexpected bits set, operation continues (subject to meaning
# of any expected bits set). So, eg, exit 0 means "continue normally"
die "\ndgit-repos-server: reject: $why\n\n";
}
-sub runcmd {
- debugcmd '+',@_;
- $!=0; $?=0;
- my $r = system @_;
- die (shellquote @_)." $? $!" if $r;
-}
-
sub policyhook {
my ($policyallowbits, @polargs) = @_;
# => ($exitstatuspolicybitmap);
rmtree "${workrepo}_fresh";
}
+sub mkscript ($$) {
+ my ($path,$contents) = @_;
+ my $fh = new IO::File $path, O_WRONLY|O_CREAT|O_TRUNC, 0777
+ or die "$path: $!";
+ print $fh $contents or die "$path: $!";
+ close $fh or die "$path: $!";
+}
+
sub setupstunthook () {
my $prerecv = "$workrepo/hooks/pre-receive";
- my $fh = new IO::File $prerecv, O_WRONLY|O_CREAT|O_TRUNC, 0777
- or die "$prerecv: $!";
- print $fh <<END or die "$prerecv: $!";
+ mkscript $prerecv, <<END;
#!/bin/sh
set -e
exec $0 --pre-receive-hook $package
END
- close $fh or die "$prerecv: $!";
$ENV{'DGIT_DRS_WORK'}= $workrepo;
$ENV{'DGIT_DRS_DEST'}= $destrepo;
printdebug " stunt hook set up $prerecv\n";
STDIN->error and die $!;
reject "push is missing tag ref update" unless %tags;
- my @newtags = grep { m#^archive/# } keys %tags;
- my @omtags = grep { !m#^archive/# } keys %tags;
- reject "pushing too many similar tags" if @newtags>1 || @omtags>1;
- if (@newtags) {
- ($tagname) = @newtags;
- ($maint_tagname) = @omtags;
- } else {
- ($tagname) = @omtags or die;
- }
+ my @dtags = grep { m#^archive/# } keys %tags;
+ reject "need exactly one archive/* tag" if @dtags!=1;
+ my @mtags = grep { !m#^archive/# } keys %tags;
+ reject "pushing too many non-dgit tags" if @mtags>1;
+ ($tagname) = @dtags;
+ ($maint_tagname) = @mtags;
$tagval = $tags{$tagname};
$maint_tagval = $tags{$maint_tagname // ''};
printdebug " updates ok.\n";
}
-sub parsetag () {
- printdebug " parsetag...\n";
+sub readtag () {
+ printdebug " readtag...\n";
+
open PT, ">dgit-tmp/plaintext" or die $!;
open DS, ">dgit-tmp/plaintext.asc" or die $!;
open T, "-|", qw(git cat-file tag), $tagval or die $!;
}
}
$!=0; $_=<T>; defined or die $!;
- m/^($package_re) release (\S+) for \S+ \((\S+)\) \[dgit\]$/ or
- reject "tag message not in expected format";
+}
- die unless $1 eq $package;
- $version = $2;
- die "$3 != $suite " unless $3 eq $suite;
+sub parsetag_general ($$) {
+ my ($dgititemfn, $distrofn) = @_;
+ printdebug " parsetag...\n";
my $copyl = $_;
for (;;) {
if (m/^\[dgit ([^"].*)\]$/) { # [dgit "something"] is for future
$_ = $1." ";
while (length) {
- if (s/^distro\=(\S+) //) {
- die "$1 != $distro" unless $1 eq $distro;
- } elsif (s/^(--deliberately-$deliberately_re) //) {
- push @deliberatelies, $1;
- } elsif (s/^previously:(\S+)=(\w+) //) {
- die "previously $1 twice" if defined $previously{$1};
- $previously{$1} = $2;
+ if ($dgititemfn->()) {
+ } elsif (s/^distro\=(\S+) //) {
+ $distrofn->($1);
} elsif (s/^[-+.=0-9a-z]\S* //) {
} else {
die "unknown dgit info in tag ($_)";
}
last if m/^-----BEGIN PGP/;
}
+
$_ = $copyl;
for (;;) {
print DS or die $!;
printdebug " parsetag ok.\n";
}
+sub parsetag () {
+ readtag();
+ m/^($package_re) release (\S+) for \S+ \((\S+)\) \[dgit\]$/ or
+ reject "tag message not in expected format";
+ die unless $1 eq $package;
+ $version = $2;
+ die "$3 != $suite " unless $3 eq $suite;
+
+ parsetag_general sub {
+ if (s/^(--deliberately-$deliberately_re) //) {
+ push @deliberatelies, $1;
+ } elsif (s/^previously:(\S+)=(\w+) //) {
+ die "previously $1 twice" if defined $previously{$1};
+ $previously{$1} = $2;
+ } else {
+ return 0;
+ }
+ return 1;
+ }, sub {
+ my ($gotdistro) = @_;
+ die "$gotdistro != $distro" unless $gotdistro eq $distro;
+ };
+}
+
sub checksig_keyring ($) {
my ($keyringfile) = @_;
# returns primary-keyid if signed by a key in this keyring
return $vals->[0];
}
-sub checks () {
+sub basic_tag_checks() {
printdebug "checks\n";
tagh1('type') eq 'commit' or reject "tag refers to wrong kind of object";
tagh1('object') eq $commit or reject "tag refers to wrong commit";
tagh1('tag') eq $tagname or reject "tag name in tag is wrong";
+}
+
+sub checks () {
+ basic_tag_checks();
my @expecttagnames = debiantags($version, $distro);
printdebug "expected tag @expecttagnames\n";
grep { $tagname eq $_ } @expecttagnames or die;
foreach my $othertag (grep { $_ ne $tagname } @expecttagnames) {
- reject "tag $othertag (pushed with differing dgit version)".
- " already exists -".
+ reject "tag $othertag already exists -".
" not replacing previously-pushed version"
if git_get_ref "refs/tags/".$othertag;
}
@policy_args = ($package,$version,$suite,$tagname,
join(",",@deliberatelies));
- $policy = policyhook(NOFFCHECK|FRESHREPO, 'push', @policy_args);
+ $policy = policyhook(NOFFCHECK|FRESHREPO|NOCOMMITCHECK, 'push', @policy_args);
if (defined $tagexists_error) {
if ($policy & FRESHREPO) {
# defend against commits generated by #849041
if (!($policy & NOCOMMITCHECK)) {
- my @checks = qw(%an %ae %at
- %cn %ce %ct);
+ my @checks = qw(%at
+ %ct);
my @chk = qw(git log -z);
push @chk, '--pretty=tformat:%H%n'.
(join "", map { $_, '%n' } @checks);
my @cmdbase = (qw(git send-pack), $destrepo);
push @cmdbase, qw(--force) if $policy & NOFFCHECK;
+ if ($ENV{GIT_QUARANTINE_PATH}) {
+ my $recv_wrapper = "$ENV{GIT_QUARANTINE_PATH}/dgit-recv-wrapper";
+ mkscript $recv_wrapper, <<'END';
+#!/bin/sh
+set -e
+unset GIT_QUARANTINE_PATH
+exec git receive-pack "$@"
+END
+ push @cmdbase, "--receive-pack=$recv_wrapper";
+ }
+
my @cmd = @cmdbase;
push @cmd, "$commit:refs/dgit/$suite",
"$tagval:refs/tags/$tagname";
$ENV{"DGIT_DRS_\U$_"} = ${ $main::{$_} } foreach @hookenvs;
- die unless @ARGV==1;
+ die unless @ARGV>=1;
my $mode = shift @ARGV;
die unless $mode =~ m/^--(\w+)$/;
~ianmdlvl / dgit.git / blobdiff