# where AUTH-SPEC is one of
# a
# mDM.TXT
+# (With --cron AUTH-SPEC is not used and may be the empty string.)
use strict;
$SIG{__WARN__} = sub { die $_[0]; };
#
# check-list and check-package are invoked via the --cron option.
# First, without any locking, check-list is called. It should produce
-# a list of package names. Then check-package will be invoked for
-# each named package, in each case after taking an appropriate lock.
+# a list of package names (one per line). Then check-package will be
+# invoked for each named package, in each case after taking an
+# appropriate lock.
#
# If policy hook wants to run dgit (or something else in the dgit
# package), it should use DGIT-LIVE-DIR/dgit (etc.)
use POSIX;
use Fcntl qw(:flock);
use File::Path qw(rmtree);
+use File::Temp qw(tempfile);
use Debian::Dgit qw(:DEFAULT :policyflags);
-open DEBUG, ">/dev/null" or die $!;
+initdebug('');
our $func;
our $dgitrepos;
our $workrepo;
our $keyrings;
our @lockfhs;
-our $debug='';
+
our @deliberatelies;
our %supersedes;
our $policy;
#----- utilities -----
-sub debug {
- print DEBUG "$debug @_\n";
-}
-
sub realdestrepo () { "$dgitrepos/$package.git"; }
sub acquirelock ($$) {
my ($lock, $must) = @_;
my $fh;
- printf DEBUG "$debug locking %s %d\n", $lock, $must;
+ printdebug sprintf "locking %s %d\n", $lock, $must;
for (;;) {
close $fh if $fh;
$fh = new IO::File $lock, ">" or die "open $lock: $!";
my $ok = flock $fh, $must ? LOCK_EX : (LOCK_EX|LOCK_NB);
if (!$ok) {
die "flock $lock: $!" if $must;
- debug " locking $lock failed";
+ printdebug " locking $lock failed\n";
return undef;
}
next unless stat_exists $lock;
die "dgit-repos-server: reject: $why\n";
}
-sub debugcmd {
- if ($debug) {
- use Data::Dumper;
- local $Data::Dumper::Indent = 0;
- local $Data::Dumper::Terse = 1;
- debug "|".Dumper(\@_);
- }
-}
-
sub runcmd {
- debugcmd @_;
+ debugcmd '+',@_;
$!=0; $?=0;
my $r = system @_;
- die "@_ $? $!" if $r;
+ die (shellquote @_)." $? $!" if $r;
}
sub policyhook {
# => ($exitstatuspolicybitmap);
die if $policyallowbits & ~0x3e;
my @cmd = ($policyhook,$distro,$dgitrepos,$dgitlive,@polargs);
- debugcmd @cmd;
+ debugcmd '+',@cmd;
my $r = system @cmd;
die "system: $!" if $r < 0;
- die "hook (@cmd) failed ($?)" if $r & ~($policyallowbits << 8);
- debug sprintf "hook (%s) => %#x", "@polargs", $r;
+ die "hook (".(shellquote @cmd).") failed ($?)"
+ if $r & ~($policyallowbits << 8);
+ printdebug sprintf "hook => %#x\n", $r;
return $r >> 8;
}
my ($dir) = @_;
my $template = "$dgitrepos/_template";
locksometree($template);
- debug "copy template $template -> $dir";
+ printdebug "copy template $template -> $dir\n";
my $r = system qw(cp -a --), $template, $dir;
!$r or die "create new repo $dir failed: $r $!";
}
close $fh or die "$prerecv: $!";
$ENV{'DGIT_DRS_WORK'}= $workrepo;
$ENV{'DGIT_DRS_DEST'}= $destrepo;
- debug " stunt hook set up $prerecv";
+ printdebug " stunt hook set up $prerecv\n";
}
sub dealwithfreshrepo () {
$!==&ENOENT or die $!;
}
- debug " show-ref ($destrepo) ...";
+ printdebug " show-ref ($destrepo) ...\n";
my $child = open SR, "-|";
defined $child or die $!;
my %got = qw(tag 0 head 0);
while (<SR>) {
chomp or die;
- debug " show-refs| $_";
+ printdebug " show-refs| $_\n";
s/^\S*[1-9a-f]\S* (\S+)$/$1/ or die;
my $wh =
m{^refs/tags/} ? 'tag' :
}
$!=0; $?=0; close SR or $?==256 or die "$? $!";
- debug "installprospective ?";
+ printdebug "installprospective ?\n";
die Dumper(\%got)." -- missing refs in new repo"
if grep { !$_ } values %got;
movetogarbage;
}
- debug "install $destrepo => ".realdestrepo;
+ printdebug "install $destrepo => ".realdestrepo."\n";
rename $destrepo, realdestrepo or die $!;
remove "$destrepo.lock" or die $!;
}
our ($version, %tagh);
sub readupdates () {
- debug " updates ...";
+ printdebug " updates ...\n";
while (<STDIN>) {
chomp or die;
- debug " upd.| $_";
+ printdebug " upd.| $_\n";
m/^(\S+) (\S+) (\S+)$/ or die "$_ ?";
my ($old, $sha1, $refname) = ($1, $2, $3);
if ($refname =~ m{^refs/tags/(?=debian/)}) {
reject "push is missing tag ref update" unless defined $tagname;
reject "push is missing head ref update" unless defined $suite;
- debug " updates ok.";
+ printdebug " updates ok.\n";
}
sub parsetag () {
- debug " parsetag...";
+ printdebug " parsetag...\n";
open PT, ">dgit-tmp/plaintext" or die $!;
open DS, ">dgit-tmp/plaintext.asc" or die $!;
open T, "-|", qw(git cat-file tag), $tagval or die $!;
T->error and die $!;
close PT or die $!;
close DS or die $!;
- debug " parsetag ok.";
+ printdebug " parsetag ok.\n";
}
sub checksig_keyring ($) {
my $ok = undef;
- debug " checksig keyring $keyringfile...";
+ printdebug " checksig keyring $keyringfile...\n";
our @cmd = (qw(gpgv --status-fd=1 --keyring),
$keyringfile,
qw(dgit-tmp/plaintext.asc dgit-tmp/plaintext));
- debugcmd @cmd;
+ debugcmd '|',@cmd;
open P, "-|", @cmd
or die $!;
while (<P>) {
next unless s/^\[GNUPG:\] //;
chomp or die;
- debug " checksig| $_";
+ printdebug " checksig| $_\n";
my @l = split / /, $_;
if ($l[0] eq 'NO_PUBKEY') {
last;
}
close P;
- debug sprintf " checksig ok=%d", !!$ok;
+ printdebug sprintf " checksig ok=%d\n", !!$ok;
return $ok;
}
sub dm_txt_check ($$) {
my ($keyid, $dmtxtfn) = @_;
- debug " dm_txt_check $keyid $dmtxtfn";
+ printdebug " dm_txt_check $keyid $dmtxtfn\n";
open DT, '<', $dmtxtfn or die "$dmtxtfn $!";
while (<DT>) {
m/^fingerprint:\s+$keyid$/oi
s/\([^()]+\)//;
s/\,//;
chomp or die;
- debug " dm_txt_check allow| $_";
+ printdebug " dm_txt_check allow| $_\n";
foreach my $p (split /\s+/) {
if ($p eq $package) {
# yay!
- debug " dm_txt_check ok";
+ printdebug " dm_txt_check ok\n";
return;
}
}
sub verifytag () {
foreach my $kas (split /:/, $keyrings) {
- debug "verifytag $kas...";
+ printdebug "verifytag $kas...\n";
$kas =~ s/^([^,]+),// or die;
my $keyid = checksig_keyring $1;
if (defined $keyid) {
if ($kas =~ m/^a$/) {
- debug "verifytag a ok";
+ printdebug "verifytag a ok\n";
return; # yay
} elsif ($kas =~ m/^m([^,]+)$/) {
dm_txt_check($keyid, $1);
- debug "verifytag m ok";
+ printdebug "verifytag m ok\n";
return;
} else {
die;
}
sub checksuite () {
- debug "checksuite ($suitesfile)";
+ printdebug "checksuite ($suitesfile)\n";
open SUITES, "<", $suitesfile or die $!;
while (<SUITES>) {
chomp;
if (!defined $ENV{GIT_DIR}) {
# Nothing to overwrite so the FRESHREPO and NOFFCHECK were
# pointless. Oh well.
- debug "checktagnoreplay - no garbage, ok";
+ printdebug "checktagnoreplay - no garbage, ok\n";
return;
}
$? and die "$branch $?";
if (!length) {
# No such branch - NOFFCHECK was unnecessary. Oh well.
- debug "checktagnoreplay - not FRESHREPO, new branch, ok";
+ printdebug "checktagnoreplay - not FRESHREPO, new branch, ok\n";
return;
}
m/^(\w+)\n$/ or die "$branch $_ ?";
$onlyreferring = $1;
- debug "checktagnoreplay - not FRESHREPO,".
- " checking for overwriting refs/$branch=$onlyreferring";
+ printdebug "checktagnoreplay - not FRESHREPO,".
+ " checking for overwriting refs/$branch=$onlyreferring\n";
}
my @problems;
git_for_each_tag_referring($onlyreferring, sub {
my ($objid,$fullrefname,$tagname) = @_;
- debug "checktagnoreplay - overwriting $fullrefname=$objid";
+ printdebug "checktagnoreplay - overwriting $fullrefname=$objid\n";
my $supers = $supersedes{$fullrefname};
if (!defined $supers) {
push @problems, "does not supersede $fullrefname";
join("; ", @problems).
"\n";
}
- debug "checktagnoreply - all ok"
+ printdebug "checktagnoreply - all ok\n"
}
sub tagh1 ($) {
}
sub checks () {
- debug "checks";
+ printdebug "checks\n";
tagh1('type') eq 'commit' or reject "tag refers to wrong kind of object";
tagh1('object') eq $commit or reject "tag refers to wrong commit";
my $v = $version;
$v =~ y/~:/_%/;
- debug "translated version $v";
+ printdebug "translated version $v\n";
$tagname eq "debian/$v" or die;
lockrealtree();
checksuite();
# check that our ref is being fast-forwarded
- debug "oldcommit $oldcommit";
+ printdebug "oldcommit $oldcommit\n";
if (!($policy & NOFFCHECK) && $oldcommit =~ m/[^0]/) {
$?=0; $!=0; my $mb = `git merge-base $commit $oldcommit`;
chomp $mb;
push @cmd, qw(--force) if $policy & NOFFCHECK;
push @cmd, "$commit:refs/dgit/$suite",
"$tagval:refs/tags/$tagname";
- debugcmd @cmd;
+ debugcmd '+',@cmd;
$!=0;
my $r = system @cmd;
!$r or die "onward push to $destrepo failed: $r $!";
}
sub stunthook () {
- debug "stunthook";
+ printdebug "stunthook in $workrepo\n";
chdir $workrepo or die "chdir $workrepo: $!";
mkdir "dgit-tmp" or $!==EEXIST or die $!;
readupdates();
verifytag();
checks();
onwardpush();
- debug "stunthook done.";
+ printdebug "stunthook done.\n";
}
#----- git-upload-pack -----
sub main__git_upload_pack () {
my $lfh = locksometree($destrepo);
+ printdebug "git-upload-pack in $destrepo\n";
chdir $destrepo or die "$destrepo: $!";
close $lfh;
runcmd qw(git upload-pack), ".";
if (stat_exists realdestrepo) {
$destrepo = realdestrepo;
} else {
- debug " fixmissing $funcn";
+ printdebug " fixmissing $funcn\n";
my $fixfunc = $main::{"fixmissing__$funcn"};
&$fixfunc;
}
- debug " running main $funcn";
+ printdebug " running main $funcn\n";
&$mainfunc;
}
+sub mode_cron () {
+ die if @ARGV;
+
+ my $listfh = tempfile();
+ open STDOUT, ">&", $listfh or die $!;
+ policyhook(0,'check-list');
+ open STDOUT, ">&STDERR" or die $!;
+
+ seek $listfh, 0, 0 or die $!;
+ while (<$listfh>) {
+ chomp or die;
+ next if m/^\s*\#/;
+ next unless m/\S/;
+ die unless m/^($package_re)$/;
+
+ $package = $1;
+ policy_checkpackage();
+ }
+ die $! if $listfh->error;
+}
+
sub parseargsdispatch () {
die unless @ARGV;
delete $ENV{'GIT_PREFIX'}; # sets these and they mess things up
if ($ENV{'DGIT_DRS_DEBUG'}) {
- $debug='=';
- open DEBUG, ">&STDERR" or die $!;
+ enabledebug();
}
if ($ARGV[0] eq '--pre-receive-hook') {
- if ($debug) { $debug.="="; }
+ if ($debuglevel) {
+ $debugprefix.="=";
+ printdebug "in stunthook ".(shellquote @ARGV)."\n";
+ foreach my $k (sort keys %ENV) {
+ printdebug "$k=$ENV{$k}\n" if $k =~ m/^DGIT/;
+ }
+ }
shift @ARGV;
@ARGV == 1 or die;
$package = shift @ARGV;
~ianmdlvl / dgit.git / blobdiff