5 # dgit-repos-server DISTRO DISTRO-DIR AUTH-SPEC [<settings>] --ssh
6 # dgit-repos-server DISTRO DISTRO-DIR AUTH-SPEC [<settings>] --cron
8 # --repos=GIT-REPOS-DIR default DISTRO-DIR/repos/
9 # --suites=SUITES-FILE default DISTRO-DIR/suites
10 # --policy-hook=POLICY-HOOK default DISTRO-DIR/policy-hook
11 # --dgit-live=DGIT-LIVE-DIR default DISTRO-DIR/dgit-live
12 # (DISTRO-DIR is not used other than as default and to pass to policy hook)
14 # .../dgit-repos-server --pre-receive-hook PACKAGE
16 # Invoked as the ssh restricted command
18 # Works like git-receive-pack
20 # SUITES is the name of a file which lists the permissible suites
21 # one per line (#-comments and blank lines ignored)
23 # AUTH-SPEC is a :-separated list of
24 # KEYRING.GPG,AUTH-SPEC
25 # where AUTH-SPEC is one of
28 # (With --cron AUTH-SPEC is not used and may be the empty string.)
31 $SIG{__WARN__} = sub { die $_[0]; };
33 # DGIT-REPOS-DIR contains:
34 # git tree (or other object) lock (in acquisition order, outer first)
36 # _tmp/PACKAGE_prospective ! } SAME.lock, held during receive-pack
38 # _tmp/PACKAGE_incoming$$ ! } SAME.lock, held during receive-pack
39 # _tmp/PACKAGE_incoming$$_fresh ! }
41 # PACKAGE.git } PACKAGE.git.lock
42 # PACKAGE_garbage } (also covers executions of
43 # PACKAGE_garbage-old } policy hook script for PACKAGE)
44 # PACKAGE_garbage-tmp }
45 # policy* } (for policy hook script, covered by
46 # } lock only when invoked for a package)
48 # leaf locks, held during brief operaton only:
53 # _template } SAME.lock
55 # locks marked ! may be held during client data transfer
57 # What we do on push is this:
58 # - extract the destination repo name
59 # - make a hardlink clone of the destination repo
60 # - provide the destination with a stunt pre-receive hook
61 # - run actual git-receive-pack with that new destination
62 # as a result of this the stunt pre-receive hook runs; it does this:
63 # + understand what refs we are allegedly updating and
64 # check some correspondences:
65 # * we are updating only refs/tags/debian/* and refs/dgit/*
66 # * and only one of each
67 # * and the tag does not already exist
69 # * recover the suite name from the destination refs/dgit/ ref
70 # + disassemble the signed tag into its various fields and signature
72 # * parsing the first line of the tag message to recover
73 # the package name, version and suite
74 # * checking that the package name corresponds to the dest repo name
75 # * checking that the suite name is as recovered above
76 # + verify the signature on the signed tag
77 # and if necessary check that the keyid and package are listed in dm.txt
78 # + check various correspondences:
79 # * the signed tag must refer to a commit
80 # * the signed tag commit must be the refs/dgit value
81 # * the name in the signed tag must correspond to its ref name
82 # * the tag name must be debian/<version> (massaged as needed)
83 # * the suite is one of those permitted
84 # * the signed tag has a suitable name
85 # * run the "push" policy hook
86 # * replay prevention for --deliberately-not-fast-forward
87 # * check the commit is a fast forward
88 # * handle a request from the policy hook for a fresh repo
89 # + push the signed tag and new dgit branch to the actual repo
91 # If the destination repo does not already exist, we need to make
92 # sure that we create it reasonably atomically, and also that
93 # we don't every have a destination repo containing no refs at all
94 # (because such a thing causes git-fetch-pack to barf). So then we
95 # do as above, except:
96 # - before starting, we take out our own lock for the destination repo
97 # - we create a prospective new destination repo by making a copy
99 # - we use the prospective new destination repo instead of the
100 # actual new destination repo (since the latter doesn't exist)
101 # - after git-receive-pack exits, we
102 # + check that the prospective repo contains a tag and head
103 # + rename the prospective destination repo into place
106 # - We are crash-only
107 # - Temporary working trees and their locks are cleaned up
108 # opportunistically by a program which tries to take each lock and
109 # if successful deletes both the tree and the lockfile
110 # - Prospective working trees and their locks are cleaned up by
111 # a program which tries to take each lock and if successful
112 # deletes any prospective working tree and the lock (but not
113 # of course any actual tree)
114 # - It is forbidden to _remove_ the lockfile without removing
115 # the corresponding temporary tree, as the lockfile is also
116 # a stampfile whose presence indicates that there may be
119 # Policy hook script is invoked like this:
120 # POLICY-HOOK-SCRIPT DISTRO DGIT-REPOS-DIR DGIT-LIVE-DIR DISTRO-DIR ACTION...
122 # POLICY-HOOK-SCRIPT ... check-list [...]
123 # POLICY-HOOK-SCRIPT ... check-package PACKAGE [...]
124 # POLICY-HOOK-SCRIPT ... push PACKAGE \
125 # VERSION SUITE TAGNAME DELIBERATELIES [...]
126 # POLICY-HOOK-SCRIPT ... push-confirm PACKAGE \
127 # VERSION SUITE TAGNAME DELIBERATELIES FRESH-REPO|'' [...]
129 # Exit status is a bitmask. Bit weight constants are defined in Dgit.pm.
131 # suppress dgit-repos-server's fast-forward check ("push" only)
133 # blow away repo right away (ie, as if before push or fetch)
134 # ("check-package" and "push" only)
135 # any unexpected bits mean failure, and then known set bits are ignored
136 # if no unexpected bits set, operation continues (subject to meaning
137 # of any expected bits set). So, eg, exit 0 means "continue normally"
138 # and would be appropriate for an unknown action.
140 # cwd for push and push-confirm is a temporary repo where the incoming
141 # objects have been received; TAGNAME is the version-based tag.
143 # FRESH-REPO is '' iff the repo for this package already existed, or
144 # the pathname of the newly-created repo which will be renamed into
145 # place if everything goes well. (NB that this is generally not the
146 # same repo as the cwd, because the objects are first received into a
147 # temporary repo so they can be examined.) In this case FRESH-REPO
148 # contains exactly the objects and refs that will appear in the
149 # destination if push-confirm approves.
151 # if push requested FRESHREPO, push-confirm happens in the old working
152 # repo and FRESH-REPO is guaranteed not to be ''.
154 # policy hook for a particular package will be invoked only once at
155 # a time - (see comments about DGIT-REPOS-DIR, above)
157 # check-list and check-package are invoked via the --cron option.
158 # First, without any locking, check-list is called. It should produce
159 # a list of package names (one per line). Then check-package will be
160 # invoked for each named package, in each case after taking an
163 # If policy hook wants to run dgit (or something else in the dgit
164 # package), it should use DGIT-LIVE-DIR/dgit (etc.)
168 use Fcntl qw(:flock);
169 use File::Path qw(rmtree);
170 use File::Temp qw(tempfile);
172 use Debian::Dgit qw(:DEFAULT :policyflags);
194 #----- utilities -----
196 sub realdestrepo () { "$dgitrepos/$package.git"; }
198 sub acquirelock ($$) {
199 my ($lock, $must) = @_;
201 printdebug sprintf "locking %s %d\n", $lock, $must;
204 $fh = new IO::File $lock, ">" or die "open $lock: $!";
205 my $ok = flock $fh, $must ? LOCK_EX : (LOCK_EX|LOCK_NB);
207 die "flock $lock: $!" if $must;
208 printdebug " locking $lock failed\n";
211 next unless stat_exists $lock;
212 my $want = (stat _)[1];
214 my $got = (stat _)[1];
215 last if $got == $want;
220 sub acquirermtree ($$) {
221 my ($tree, $must) = @_;
222 my $fh = acquirelock("$tree.lock", $must);
230 sub locksometree ($) {
232 acquirelock("$tree.lock", 1);
235 sub lockrealtree () {
236 locksometree(realdestrepo);
239 sub mkrepotmp () { ensuredir "$dgitrepos/_tmp" };
241 sub removedtagsfile () { "$dgitrepos/_removed-tags/$package"; }
243 sub recorderror ($) {
245 my $w = $ENV{'DGIT_DRS_WORK'}; # we are in stunthook
248 open ERR, ">", "$w/drs-error" or die $!;
249 print ERR $why, "\n" or die $!;
258 recorderror "reject: $why";
259 die "dgit-repos-server: reject: $why\n";
266 die (shellquote @_)." $? $!" if $r;
270 my ($policyallowbits, @polargs) = @_;
271 # => ($exitstatuspolicybitmap);
272 die if $policyallowbits & ~0x3e;
273 my @cmd = ($policyhook,$distro,$dgitrepos,$dgitlive,$distrodir,@polargs);
276 die "system: $!" if $r < 0;
277 die "dgit-repos-server: policy hook failed (or rejected) ($?)\n"
278 if $r & ~($policyallowbits << 8);
279 printdebug sprintf "hook => %#x\n", $r;
283 sub mkemptyrepo ($$) {
284 my ($dir,$sharedperm) = @_;
285 runcmd qw(git init --bare --quiet), "--shared=$sharedperm", $dir;
288 sub mkrepo_fromtemplate ($) {
290 my $template = "$dgitrepos/_template";
291 locksometree($template);
292 printdebug "copy template $template -> $dir\n";
293 my $r = system qw(cp -a --), $template, $dir;
294 !$r or die "create new repo $dir failed: $r $!";
297 sub movetogarbage () {
298 # realdestrepo must have been locked
300 my $real = realdestrepo;
301 return unless stat_exists $real;
303 my $garbagerepo = "$dgitrepos/${package}_garbage";
304 # We arrange to always keep at least one old tree, for recovery
305 # from mistakes. This is either $garbage or $garbage-old.
306 if (stat_exists "$garbagerepo") {
307 printdebug "movetogarbage: rmtree $garbagerepo-tmp\n";
308 rmtree "$garbagerepo-tmp";
309 if (rename "$garbagerepo-old", "$garbagerepo-tmp") {
310 printdebug "movetogarbage: $garbagerepo-old -> -tmp, rmtree\n";
311 rmtree "$garbagerepo-tmp";
313 die "$garbagerepo $!" unless $!==ENOENT;
314 printdebug "movetogarbage: $garbagerepo-old -> -tmp\n";
316 printdebug "movetogarbage: $garbagerepo -> -old\n";
317 rename "$garbagerepo", "$garbagerepo-old" or die "$garbagerepo $!";
320 ensuredir "$dgitrepos/_removed-tags";
321 open PREVIOUS, ">>", removedtagsfile or die removedtagsfile." $!";
322 git_for_each_ref(debiantag('*'), sub {
323 my ($objid,$objtype,$fullrefname,$reftail) = @_;
324 print PREVIOUS "\n$objid $reftail .\n" or die $!;
326 close PREVIOUS or die $!;
328 printdebug "movetogarbage: $real -> $garbagerepo\n";
329 rename $real, $garbagerepo
331 or die "$garbagerepo $!";
334 sub policy_checkpackage () {
335 my $lfh = lockrealtree();
337 $policy = policyhook(FRESHREPO,'check-package',$package);
338 if ($policy & FRESHREPO) {
345 #----- git-receive-pack -----
347 sub fixmissing__git_receive_pack () {
349 $destrepo = "$dgitrepos/_tmp/${package}_prospective";
350 acquirermtree($destrepo, 1);
351 mkrepo_fromtemplate($destrepo);
354 sub makeworkingclone () {
356 $workrepo = "$dgitrepos/_tmp/${package}_incoming$$";
357 acquirermtree($workrepo, 1);
358 my $lfh = lockrealtree();
359 runcmd qw(git clone -l -q --mirror), $destrepo, $workrepo;
361 rmtree "${workrepo}_fresh";
364 sub setupstunthook () {
365 my $prerecv = "$workrepo/hooks/pre-receive";
366 my $fh = new IO::File $prerecv, O_WRONLY|O_CREAT|O_TRUNC, 0777
367 or die "$prerecv: $!";
368 print $fh <<END or die "$prerecv: $!";
371 exec $0 --pre-receive-hook $package
373 close $fh or die "$prerecv: $!";
374 $ENV{'DGIT_DRS_WORK'}= $workrepo;
375 $ENV{'DGIT_DRS_DEST'}= $destrepo;
376 printdebug " stunt hook set up $prerecv\n";
379 sub dealwithfreshrepo () {
380 my $freshrepo = "${workrepo}_fresh";
381 return unless stat_exists $freshrepo;
382 $destrepo = $freshrepo;
385 sub maybeinstallprospective () {
386 return if $destrepo eq realdestrepo;
388 if (open REJ, "<", "$workrepo/drs-error") {
391 REJ->error and die $!;
395 $!==&ENOENT or die $!;
398 printdebug " show-ref ($destrepo) ...\n";
400 my $child = open SR, "-|";
401 defined $child or die $!;
403 chdir $destrepo or die $!;
404 exec qw(git show-ref);
407 my %got = qw(tag 0 head 0);
410 printdebug " show-refs| $_\n";
411 s/^\S*[1-9a-f]\S* (\S+)$/$1/ or die;
413 m{^refs/tags/} ? 'tag' :
414 m{^refs/dgit/} ? 'head' :
418 $!=0; $?=0; close SR or $?==256 or die "$? $!";
420 printdebug "installprospective ?\n";
421 die Dumper(\%got)." -- missing refs in new repo"
422 if grep { !$_ } values %got;
426 if ($destrepo eq "${workrepo}_fresh") {
430 printdebug "install $destrepo => ".realdestrepo."\n";
431 rename $destrepo, realdestrepo or die $!;
432 remove realdestrepo.".lock" or die $!;
435 sub main__git_receive_pack () {
438 runcmd qw(git receive-pack), $workrepo;
440 maybeinstallprospective();
443 #----- stunt post-receive hook -----
445 our ($tagname, $tagval, $suite, $oldcommit, $commit);
446 our ($version, %tagh);
449 printdebug " updates ...\n";
452 printdebug " upd.| $_\n";
453 m/^(\S+) (\S+) (\S+)$/ or die "$_ ?";
454 my ($old, $sha1, $refname) = ($1, $2, $3);
455 if ($refname =~ m{^refs/tags/(?=debian/)}) {
456 reject "pushing multiple tags!" if defined $tagname;
459 reject "tag $tagname already exists -".
460 " not replacing previously-pushed version"
462 } elsif ($refname =~ m{^refs/dgit/}) {
463 reject "pushing multiple heads!" if defined $suite;
468 reject "pushing unexpected ref!";
471 STDIN->error and die $!;
473 reject "push is missing tag ref update" unless defined $tagname;
474 reject "push is missing head ref update" unless defined $suite;
475 printdebug " updates ok.\n";
479 printdebug " parsetag...\n";
480 open PT, ">dgit-tmp/plaintext" or die $!;
481 open DS, ">dgit-tmp/plaintext.asc" or die $!;
482 open T, "-|", qw(git cat-file tag), $tagval or die $!;
484 $!=0; $_=<T>; defined or die $!;
486 if (m/^(\S+) (.*)/) {
487 push @{ $tagh{$1} }, $2;
494 $!=0; $_=<T>; defined or die $!;
495 m/^($package_re) release (\S+) for \S+ \((\S+)\) \[dgit\]$/ or
496 reject "tag message not in expected format";
498 die unless $1 eq $package;
500 die "$3 != $suite " unless $3 eq $suite;
504 print PT $copyl or die $!;
505 $!=0; $_=<T>; defined or die "missing signature? $!";
507 if (m/^\[dgit ([^"].*)\]$/) { # [dgit "something"] is for future
510 if (s/^distro\=(\S+) //) {
511 die "$1 != $distro" unless $1 eq $distro;
512 } elsif (s/^(--deliberately-$deliberately_re) //) {
513 push @deliberatelies, $1;
514 } elsif (s/^supersede:(\S+)=(\w+) //) {
515 die "supersede $1 twice" if defined $supersedes{$1};
516 $supersedes{$1} = $2;
517 } elsif (s/^[-+.=0-9a-z]\S* //) {
519 die "unknown dgit info in tag ($_)";
524 last if m/^-----BEGIN PGP/;
535 printdebug " parsetag ok.\n";
538 sub checksig_keyring ($) {
539 my ($keyringfile) = @_;
540 # returns primary-keyid if signed by a key in this keyring
542 # or dies on other errors
546 printdebug " checksig keyring $keyringfile...\n";
548 our @cmd = (qw(gpgv --status-fd=1 --keyring),
550 qw(dgit-tmp/plaintext.asc dgit-tmp/plaintext));
557 next unless s/^\[GNUPG:\] //;
559 printdebug " checksig| $_\n";
560 my @l = split / /, $_;
561 if ($l[0] eq 'NO_PUBKEY') {
563 } elsif ($l[0] eq 'VALIDSIG') {
565 $sigtype eq '00' or reject "signature is not of type 00!";
567 die unless defined $ok;
573 printdebug sprintf " checksig ok=%d\n", !!$ok;
578 sub dm_txt_check ($$) {
579 my ($keyid, $dmtxtfn) = @_;
580 printdebug " dm_txt_check $keyid $dmtxtfn\n";
581 open DT, '<', $dmtxtfn or die "$dmtxtfn $!";
583 m/^fingerprint:\s+$keyid$/oi
585 if (s/^allow:/ /i..0) {
588 or reject "key $keyid missing Allow section in permissions!";
593 or reject "package $package not allowed for key $keyid";
598 printdebug " dm_txt_check allow| $_\n";
599 foreach my $p (split /\s+/) {
600 if ($p eq $package) {
602 printdebug " dm_txt_check ok\n";
607 DT->error and die $!;
609 reject "key $keyid not in permissions list although in keyring!";
613 foreach my $kas (split /:/, $keyrings) {
614 printdebug "verifytag $kas...\n";
615 $kas =~ s/^([^,]+),// or die;
616 my $keyid = checksig_keyring $1;
617 if (defined $keyid) {
618 if ($kas =~ m/^a$/) {
619 printdebug "verifytag a ok\n";
621 } elsif ($kas =~ m/^m([^,]+)$/) {
622 dm_txt_check($keyid, $1);
623 printdebug "verifytag m ok\n";
630 reject "key not found in keyrings";
634 printdebug "checksuite ($suitesfile)\n";
635 open SUITES, "<", $suitesfile or die $!;
641 return if $_ eq $suite;
643 die $! if SUITES->error;
644 reject "unknown suite";
647 sub checktagnoreplay () {
648 # We need to prevent a replay attack using an earlier signed tag.
649 # We also want to archive in the history the object ids of
650 # anything we remove, even if we get rid of the actual objects.
652 # So, we check that the signed tag mentions the name and tag
655 # (a) In the case of FRESHREPO: all tags and refs/heads/* in
656 # the repo. That is, effectively, all the things we are
659 # This prevents any tag implying a FRESHREPO push
660 # being replayed into a different state of the repo.
662 # There is still the folowing risk: If a non-ff push is of a
663 # head which is an ancestor of a previous ff-only push, the
664 # previous push can be replayed.
666 # So we keep a separate list, as a file in the repo, of all
667 # the tag object ids we have ever seen and removed. Any such
668 # tag object id will be rejected even for ff-only pushes.
670 # (b) In the case of just NOFFCHECK: all tags referring to the
671 # current head for the suite (there must be at least one).
673 # This prevents any tag implying a NOFFCHECK push being
674 # replayed to rewind from a different head.
676 # The possibility of an earlier ff-only push being replayed is
677 # eliminated as follows: the tag from such a push would still
678 # be in our repo, and therefore the replayed push would be
679 # rejected because the set of refs being updated would be
682 if (!open PREVIOUS, "<", removedtagsfile) {
683 die removedtagsfile." $!" unless $!==ENOENT;
685 # Protocol for updating this file is to append to it, not
686 # write-new-and-rename. So all updates are prefixed with \n
687 # and suffixed with " .\n" so that partial writes can be
690 next unless m/^(\w+) (.*) \.\n/;
691 next unless $1 eq $tagval;
692 reject "Replay of previously-rewound upload ($tagval $2)";
694 die removedtagsfile." $!" if PREVIOUS->error;
698 return unless $policy & (FRESHREPO|NOFFCHECK);
700 my $garbagerepo = "$dgitrepos/${package}_garbage";
706 my $check_ref_superseded= sub {
707 my ($objid,$objtype,$fullrefname,$reftail) = @_;
708 my $supkey = $fullrefname;
709 $supkey =~ s{^refs/}{} or die "$supkey $objid ?";
710 my $supobjid = $supersedes{$supkey};
711 if (!defined $supobjid) {
712 printdebug "checktagnoreply - missing\n";
713 push @problems, "does not supersede $supkey";
714 } elsif ($supobjid ne $objid) {
715 push @problems, "supersedes $supkey=$supobjid".
716 " but previously $supkey=$objid";
722 if ($policy & FRESHREPO) {
723 foreach my $kind (qw(tags heads)) {
724 git_for_each_ref("refs/$kind", $check_ref_superseded);
727 my $branch= server_branch($suite);
728 my $branchhead= git_get_ref($branch);
729 if (!length $branchhead) {
730 # No such branch - NOFFCHECK was unnecessary. Oh well.
731 printdebug "checktagnoreplay - not FRESHREPO, new branch, ok\n";
733 printdebug "checktagnoreplay - not FRESHREPO,".
734 " checking for overwriting refs/$branch=$branchhead\n";
735 git_for_each_tag_referring($branchhead, sub {
736 my ($tagobjid,$refobjid,$fullrefname,$tagname) = @_;
737 $check_ref_superseded->($tagobjid,undef,$fullrefname,undef);
739 printdebug "checktagnoreply - not FRESHREPO, nchecked=$nchecked";
740 push @problems, "does not supersede any tag".
741 " referring to branch head $branch=$branchhead"
747 reject "replay attack prevention check failed:".
748 " signed tag for $version: ".
749 join("; ", @problems).
752 printdebug "checktagnoreply - all ok\n"
757 my $vals = $tagh{$tag};
758 reject "missing header $tag in signed tag object" unless $vals;
759 reject "multiple headers $tag in signed tag object" unless @$vals == 1;
764 printdebug "checks\n";
766 tagh1('type') eq 'commit' or reject "tag refers to wrong kind of object";
767 tagh1('object') eq $commit or reject "tag refers to wrong commit";
768 tagh1('tag') eq $tagname or reject "tag name in tag is wrong";
773 printdebug "translated version $v\n";
774 $tagname eq "debian/$v" or die;
778 @policy_args = ($package,$version,$suite,$tagname,
779 join(",",@deliberatelies));
780 $policy = policyhook(NOFFCHECK|FRESHREPO, 'push', @policy_args);
785 # check that our ref is being fast-forwarded
786 printdebug "oldcommit $oldcommit\n";
787 if (!($policy & NOFFCHECK) && $oldcommit =~ m/[^0]/) {
788 $?=0; $!=0; my $mb = `git merge-base $commit $oldcommit`;
790 $mb eq $oldcommit or reject "not fast forward on dgit branch";
792 if ($policy & FRESHREPO) {
793 # It's a bit late to be discovering this here, isn't it ?
795 # What we do is: Generate a fresh destination repo right now,
796 # and arrange to treat it from now on as if it were a
799 # The presence of this fresh destination repo is detected by
800 # the parent, which responds by making a fresh master repo
801 # from the template. (If the repo didn't already exist then
802 # $destrepo was _prospective, and we change it here. This is
803 # OK because the parent's check for _fresh persuades it not to
806 $destrepo = "${workrepo}_fresh"; # workrepo lock covers
807 mkrepo_fromtemplate $destrepo;
812 my @cmd = (qw(git send-pack), $destrepo);
813 push @cmd, qw(--force) if $policy & NOFFCHECK;
814 push @cmd, "$commit:refs/dgit/$suite",
815 "$tagval:refs/tags/$tagname";
819 !$r or die "onward push to $destrepo failed: $r $!";
822 sub finalisepush () {
823 if ($destrepo eq realdestrepo) {
824 policyhook(0, 'push-confirm', @policy_args, '');
827 # We are to receive the push into a new repo (perhaps
828 # because the policy push hook asked us to with FRESHREPO, or
829 # perhaps because the repo didn't exist before).
831 # We want to provide the policy push-confirm hook with a repo
832 # which looks like the one which is going to be installed.
833 # The working repo is no good because it might contain
836 # So we push the objects into the prospective new repo right
837 # away. If the hook declines, we decline, and the prospective
838 # repo is never installed.
840 policyhook(0, 'push-confirm', @policy_args, $destrepo);
845 printdebug "stunthook in $workrepo\n";
846 chdir $workrepo or die "chdir $workrepo: $!";
847 mkdir "dgit-tmp" or $!==EEXIST or die $!;
853 printdebug "stunthook done.\n";
856 #----- git-upload-pack -----
858 sub fixmissing__git_upload_pack () {
859 $destrepo = "$dgitrepos/_empty";
860 my $lfh = locksometree($destrepo);
861 return if stat_exists $destrepo;
862 rmtree "$destrepo.new";
863 mkemptyrepo "$destrepo.new", "0644";
864 rename "$destrepo.new", $destrepo or die $!;
865 unlink "$destrepo.lock" or die $!;
869 sub main__git_upload_pack () {
870 my $lfh = locksometree($destrepo);
871 printdebug "git-upload-pack in $destrepo\n";
872 chdir $destrepo or die "$destrepo: $!";
874 runcmd qw(git upload-pack), ".";
877 #----- arg parsing and main program -----
887 # keys are used for DGIT_DRS_XXX too
888 'repos' => \$dgitrepos,
889 'suites' => \$suitesfile,
890 'policy-hook' => \$policyhook,
891 'dgit-live' => \$dgitlive,
894 our @hookenvs = qw(distro suitesfile policyhook
895 dgitlive keyrings dgitrepos distrodir);
897 # workrepo and destrepo handled ad-hoc
902 my $cmd = $ENV{'SSH_ORIGINAL_COMMAND'};
912 or reject "command string not understood";
918 my $mainfunc = $main::{"main__$funcn"};
920 reject "unknown method" unless $mainfunc;
922 policy_checkpackage();
924 if (stat_exists realdestrepo) {
925 $destrepo = realdestrepo;
927 printdebug " fixmissing $funcn\n";
928 my $fixfunc = $main::{"fixmissing__$funcn"};
932 printdebug " running main $funcn\n";
939 my $listfh = tempfile();
940 open STDOUT, ">&", $listfh or die $!;
941 policyhook(0,'check-list');
942 open STDOUT, ">&STDERR" or die $!;
944 seek $listfh, 0, 0 or die $!;
949 die unless m/^($package_re)$/;
952 policy_checkpackage();
954 die $! if $listfh->error;
957 sub parseargsdispatch () {
960 delete $ENV{'GIT_DIR'}; # if not run via ssh, our parent git process
961 delete $ENV{'GIT_PREFIX'}; # sets these and they mess things up
963 if ($ENV{'DGIT_DRS_DEBUG'}) {
967 if ($ARGV[0] eq '--pre-receive-hook') {
970 printdebug "in stunthook ".(shellquote @ARGV)."\n";
971 foreach my $k (sort keys %ENV) {
972 printdebug "$k=$ENV{$k}\n" if $k =~ m/^DGIT/;
977 $package = shift @ARGV;
978 ${ $main::{$_} } = $ENV{"DGIT_DRS_\U$_"} foreach @hookenvs;
979 defined($workrepo = $ENV{'DGIT_DRS_WORK'}) or die;
980 defined($destrepo = $ENV{'DGIT_DRS_DEST'}) or die;
981 open STDOUT, ">&STDERR" or die $!;
986 recorderror "$@" or die;
993 $distrodir = argval();
994 $keyrings = argval();
996 foreach my $dk (keys %indistrodir) {
997 ${ $indistrodir{$dk} } = "$distrodir/$dk";
1000 while (@ARGV && $ARGV[0] =~ m/^--([-0-9a-z]+)=/ && $indistrodir{$1}) {
1001 ${ $indistrodir{$1} } = $'; #';
1005 $ENV{"DGIT_DRS_\U$_"} = ${ $main::{$_} } foreach @hookenvs;
1007 die unless @ARGV==1;
1009 my $mode = shift @ARGV;
1010 die unless $mode =~ m/^--(\w+)$/;
1011 my $fn = ${*::}{"mode_$1"};
1017 while (my $fh = pop @lockfhs) { close $fh; }
1022 if (!chdir "$dgitrepos/_tmp") {
1023 $!==ENOENT or die $!;
1026 foreach my $lf (<*.lock>) {
1028 $tree =~ s/\.lock$//;
1029 next unless acquirermtree($tree, 0);
1030 remove $lf or warn $!;
1035 parseargsdispatch();