[Git][ftp-team/dak][master] 3 commits: Allow overriding of NEW requirement by key

[Joerg Jaspert <joerg@debian.org>]

Title: GitLab

Joerg Jaspert pushed to branch master at Debian FTP Team / dak

Commits:

• dc82728e
  by Bastian Blank at 2018-06-27T21:52:06+00:00

  Allow overriding of NEW requirement by key
  

• 9ed8622f
  by Bastian Blank at 2018-06-27T21:52:06+00:00

  Allow accepting sources with untrusted sigs by key
  

• eb3cff21
  by Joerg Jaspert at 2018-06-27T21:52:22+00:00

  Merge branch 'overrides-for-security' into 'master'
  
  Allow some check overrides for security sync
  
  See merge request ftp-team/dak!29

2 changed files:

• daklib/archive.py
• daklib/checks.py

Changes:

daklib/archive.py

---

...	...	@@ -1022,6 +1022,7 @@ class ArchiveUpload(object):
1022	1022	for chk in (
1023	1023	checks.TransitionCheck,
1024	1024	checks.ACLCheck,
	1025	+ checks.NewOverrideCheck,
1025	1026	checks.NoSourceOnlyCheck,
1026	1027	checks.LintianCheck,
1027	1028	):

daklib/checks.py

---

...	...	@@ -137,6 +137,8 @@ class SignatureAndHashesCheck(Check):
137	137	"""
138	138
139	139	def check(self, upload):
	140	+ allow_source_untrusted_sig_keys = Config().value_list('Dinstall::AllowSourceUntrustedSigKeys')
	141	+
140	142	changes = upload.changes
141	143	if not changes.valid_signature:
142	144	raise Reject("Signature for .changes not valid.")
...	...	@@ -149,10 +151,11 @@ class SignatureAndHashesCheck(Check):
149	151	except Exception as e:
150	152	raise Reject("Invalid dsc file: {0}".format(e))
151	153	if source is not None:
152		- if not source.valid_signature:
153		- raise Reject("Signature for .dsc not valid.")
154		- if source.primary_fingerprint != changes.primary_fingerprint:
155		- raise Reject(".changes and .dsc not signed by the same key.")
	154	+ if changes.primary_fingerprint not in allow_source_untrusted_sig_keys:
	155	+ if not source.valid_signature:
	156	+ raise Reject("Signature for .dsc not valid.")
	157	+ if source.primary_fingerprint != changes.primary_fingerprint:
	158	+ raise Reject(".changes and .dsc not signed by the same key.")
156	159	self._check_hashes(upload, source.filename, source.files.itervalues())
157	160
158	161	if upload.fingerprint is None or upload.fingerprint.uid is None:
...	...	@@ -833,6 +836,22 @@ class NoSourceOnlyCheck(Check):
833	836	return True
834	837
835	838
	839	+class NewOverrideCheck(Check):
	840	+ """Override NEW requirement
	841	+ """
	842	+ def check(self, upload):
	843	+ if not upload.new:
	844	+ return True
	845	+
	846	+ new_override_keys = Config().value_list('Dinstall::NewOverrideKeys')
	847	+ changes = upload.changes
	848	+
	849	+ if changes.primary_fingerprint in new_override_keys:
	850	+ upload.new = False
	851	+
	852	+ return True
	853	+
	854	+
836	855	class ArchAllBinNMUCheck(Check):
837	856	"""Check for arch:all binNMUs"""
838	857

—
View it on GitLab.
You're receiving this email because of your account on salsa.debian.org. If you'd like to receive fewer emails, you can adjust your notification settings.