2 # dgit repos policy hook script for Debian
5 $SIG{__WARN__} = sub { die $_[0]; };
9 use File::Temp qw(tempfile);
13 use Debian::Dgit qw(:DEFAULT :policyflags);
14 use Debian::Dgit::Policy::Debian;
16 our $distro = shift @ARGV // die "need DISTRO";
17 our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
18 our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
19 our $action = shift @ARGV // die "need ACTION";
21 our $publicmode = 02775;
22 our $new_upload_propagation_slop = 3600*4 + 100;
27 our ($pkg_exists,$pkg_secret);
31 our ($version,$suite,$tagname);
34 # We assume that it is not possible for NEW to have a version older
37 # Whenever pushing, we check for
38 # source-package-local tainted history
39 # global tainted history
40 # can be overridden by --deliberately except for an admin prohib taint
42 # ALL of the following apply only if history is secret:
44 # if NEW has no version, or a version which is not in our history[1]
47 # if any suite's version is in our history[1], publish our history
48 # otherwise discard our history,
49 # tainting --deliberately-include-questionable-history
51 # if NEW has a version which is in our history[1]
53 # require explicit specification of one of
54 # --deliberately-include-questionable-history
55 # --deliberately-not-fast-forward
56 # (latter will taint old NEW version --d-i-q-h)
60 # [1] looking for the relevant git tag for the version number and not
61 # caring what that tag refers to.
63 # A wrinkle: if we approved a push recently, we treat NEW as having
64 # a version which is in our history. This is because the package may
65 # still be being uploaded. (We record this using the timestamp of the
66 # package's git repo directory.)
68 # We aim for the following invariants and properties:
70 # - .dsc of published dgit package will have corresponding publicly
71 # visible dgit-repo (soon)
73 # - when a new package is rejected we help maintainer avoid
74 # accidentally including bad objects in published dgit history
76 # - .dsc of NEW dgit package has corresponding dgit-repo but not
82 my $cmd = "$dgitlive/dgit -d $distro ".
83 "\$DGIT_TEST_OPTS \$DGIT_TEST_DEBUG archive-api-query $subpath";
84 $!=0; $?=0; my $json = `$cmd`;
85 defined $json or die "$subpath $! $?";
86 return decode_json $json;
89 sub specific_suite_has_vsn_in_our_history ($) {
91 my $in_suite = apiquery "/dsc_in_suite/$suite/$pkg";
92 foreach my $entry (@$in_suite) {
93 my $vsn = $entry->{version};
94 die "$pkg ?" unless defined $vsn;
95 my $tag = debiantag $vsn;
96 $?=0; my $r = system qw(git show-ref --verify --quiet), $tag;
99 die "$pkg tag $tag $? $!";
104 sub new_has_vsn_in_our_history () {
105 stat $pkgdir or die "$pkgdir $!";
106 my $mtime = ((stat _)[9]);
107 my $age = time - $mtime;
108 return 1 if $age < $new_upload_propagation_slop;
109 return specific_suite_has_vsn_in_our_history('new');
112 sub good_suite_has_vsn_in_our_history () {
113 my $suites = apiquery "/suites";
114 foreach my $suitei (@$suites) {
115 my $suite = $suitei->{name};
116 die unless defined $suite;
117 next if $suite =~ m/\bnew$/;
118 return 1 if specific_suite_has_vsn_in_our_history($suite);
124 die unless @ARGV >= 1;
126 die unless $pkg =~ m/^$package_re$/;
128 $pkgdir = "$repos/$pkg";
129 if (!stat_exists $pkgdir) {
133 $pkg_secret = !!(~(stat _)[2] & 05);
138 my ($refobj, $reason);
140 my $tf = new File::Temp or die $!;
141 print $tf "$refobj^0\n" or die $!;
143 my $gcfpid = open GCF, "-|";
144 defined $gcfpid or die $!;
146 open STDIN, "<&", $tf or die $!;
147 exec 'git', 'cat-file';
153 m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
159 if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
160 $!=0; read GCF, $gitobjdata, $bytes == $bytes
161 or die "$gitobjid $bytes $!";
165 $poldbh->do("INSERT INTO taints".
166 " (package, gitobjid, gitobjtype, gitobjdata, time, comment)",
167 " VALUES (?,?,?,?,?,?)", {},
168 $pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);
170 my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
171 die unless defined $taint_id;
173 $poldbh->do("INSERT INTO taintoverrides".
174 " (taint_id, deliberately)",
175 " VALUES (?, 'include-questionable-history')", {},
179 sub add_taint_by_tag ($$) {
180 my ($tagname,$refobjid) = @_;
182 "tag $tagname referred to this object in git tree but all".
183 " previously pushed versions were found to have been".
184 " removed from NEW (ie, rejected) (or never arrived)");
187 sub action__check_package () {
189 return 0 unless $pkg_exists;
190 return 0 unless $pkg_secret;
192 chdir $pkgdir or die "$pkgdir $!";
193 return if new_has_vsn_in_our_history();
195 if (good_suite_has_vsn_in_our_history) {
196 chmod $publicmode, "." or die $!;
200 git_for_each_ref('refs/tags', sub {
201 my ($objid,$objtype,$fullrefname,$tagname) = @_;
202 add_taint_by_tag($tagname,$objid);
209 die unless @ARGV >= 4;
210 $version = shift @ARGV;
211 $suite = shift @ARGV;
212 $tagname = shift @ARGV;
213 my $delibs = shift @ARGV;
214 foreach my $delib (split /\,/, $delibs) {
215 $deliberately{$delib} = 1;
219 sub deliberately ($) { return $deliberately{$_[0]}; }
223 return 0 unless $pkg_exists;
224 return 0 unless $pkg_secret;
226 # we suppose that NEW has a version which is already in our
227 # history, as otherwise the repo would have been blown away
229 if (deliberately('not-fast-forward')) {
230 add_taint(server_ref($suite),
231 "suite $suite when --deliberately-not-fast-forward".
232 " specified in signed tag $tagname for upload of".
233 " version $version into suite $suite");
234 return NOFFCHECK|FRESHREPO;
236 if (deliberately('include-questionable-history')) {
239 die "Package is in NEW and has not been accepted or rejected yet;".
240 " use a --deliberately option to specify whether you are".
241 " keeping or discarding the previously pushed history. ".
242 " Please RTFM dgit(1).\n";
245 sub action_push_confirm () {
246 my $initq = $poldbh->prepare(<<END);
247 SELECT taint_id, gitobjid FROM taints t
248 WHERE (package = ? OR package = '')
250 $initq->execute($pkg);
253 my $chkinput = tempfile();
254 while (my $taint = $initq->fetchrow_hashref()) {
255 push @taintids, $taint->{taint_id};
256 print $chkinput $taint->{gitobjid}, "\n" or die $!;
258 flush $chkinput or die $!;
259 seek $chkinput,0,0 or die $!;
261 my $checkpid = open CHKOUT, "-|" // die $!;
263 open STDIN, "<&", $chkinput or die $!;
264 exec qw(git cat-file --batch) or die $!;
267 my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
269 my $overridesstmt = <<END;
270 SELECT deliberately FROM taintoverrides WHERE ( 1
272 my @overridesv = sort keys %deliberately;
273 $overridesstmt .= join '', (<<END x @overridesv);
276 $overridesstmt .= <<END;
278 ORDER BY deliberately ASC
283 while (my $taintid = shift @taintids) {
284 # git cat-file prints a spurious newline after it gets EOF
285 # This is not documented. I guess it might go away. So we
286 # just read what we expect and then let it get SIGPIPE.
288 die "$? $!" unless defined $_;
290 next if m/^\w+ missing$/;
291 die unless m/^(\w+) (\w+) (\d+)\s/;
292 my ($objid,$objtype,$nbytes) = ($1,$2,$3);
295 (read CHKOUT, $drop, $nbytes) == $nbytes or die;
297 $taintinfoq ||= $poldbh->prepare(<<END);
298 SELECT package, time, comment FROM taints WHERE taint_id = ?
300 $taintinfoq->execute($taintid);
302 my $ti = $taintinfoq->fetchrow_hashref();
305 my $timeshow = defined $ti->{time}
306 ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
308 my $pkgshow = length $ti->{package}
309 ? "package $ti->{package}"
314 History contains tainted $objtype $objid
315 Taint recorded$timeshow for $pkgshow
316 Reason: $ti->{comment}
319 $overridesq ||= $poldbh->prepare($overridesstmt);
320 $overridesq->execute(@overridesv, $taintid);
321 my ($ovwhy) = $overridesq->fetchrow_array();
322 if (!defined $ovwhy) {
323 $overridesanyq ||= $poldbh->prepare(<<END);
324 SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
326 $overridesanyq->execute($taintid);
327 my ($ovany) = $overridesanyq->fetchrow_array();
328 $stderr .= $ovany ? <<END : <<END;
329 Could be forced using --deliberately. Consult documentation.
331 Uncorrectable error. If confused, consult administrator.
336 Forcing due to --deliberately-$ovwhy
338 $untaintq ||= $poldbh->prepare(<<END);
339 DELETE FROM taints WHERE taint_id = ?
341 $untaintq->execute($taintid);
349 Rejecting push due to questionable history.
358 my $fn = ${*::}{"action_$action"};
367 poldb_setup(poldb_path($repos));
371 die unless defined $rcode;
373 eval { $poldbh->commit; };
374 last unless length $@;
376 die if $sleepy >= 20;
377 print STDERR "[policy database busy, retrying]\n";
383 print STDERR $stderr;