Commits:
-
6e5fbcd0
by Ansgar at 2023-07-23T14:35:19+02:00
checks: add check for members of binary packages
Debian's infrastucture currently cannot deal with "control.tar.zst" or
"data.tar.zst" in uploaded files as dpkg only handles these in Debian
12 or later.
-
48e29c0d
by Jonathan McDowell at 2023-11-10T09:33:35+00:00
Update DM admin ACL to my current key
See:
https://www.earth.li/~noodles/blog/2023/09/dc23-ksp-new-key.html
+
https://www.earth.li/~noodles/blog/2023/10/debian-key-updated.html
-
5f744c70
by Ansgar at 2023-11-12T12:24:54+01:00
Merge remote-tracking branch 'origin/merge-requests/279'
-
2e1625cf
by Ansgar at 2023-11-12T12:25:38+01:00
daklib/command.py: open newly created file in exclusive mode
It should be an error if the file already exists.
-
febf39e0
by Ansgar at 2023-11-12T12:29:14+01:00
Merge remote-tracking branch 'origin/merge-requests/277'
-
da2e365e
by Ansgar at 2023-11-12T12:52:04+01:00
daklib/command.py: correctly open newly created file in exclusive mode
Fixes error introduced in 2e1625cfbc931bb4ce8c0930050cb0a411a7aa99
-
69b06465
by Ansgar at 2023-11-12T13:14:52+01:00
Merge branch 'master' into deploy
4 changed files:
Changes:
config/debian/dak.conf
... |
... |
@@ -288,7 +288,7 @@ Command::DM-Admin { |
288
|
288
|
AdminFingerprints {
|
289
|
289
|
"4D14050653A402D73687049D2404C9546E145360"; // gwolf
|
290
|
290
|
"A4626CBAFF376039D2D7554497BA9CE761A0963B"; // johns
|
291
|
|
- "0E3A94C3E83002DAB88CCA1694FA372B2DA8B985"; // noodles
|
|
291
|
+ "419FB4B6567E6EF7DEAF80A09026108FB942BEA4"; // noodles
|
292
|
292
|
|
293
|
293
|
"80E976F14A508A48E9CA3FE9BC372252CA1CF964"; // ansgar
|
294
|
294
|
"FBFABDB541B5DC955BD9BA6EDB16CF5BB12525C4"; // joerg
|
daklib/archive.py
... |
... |
@@ -881,6 +881,7 @@ class ArchiveUpload: |
881
|
881
|
checks.ExternalHashesCheck,
|
882
|
882
|
checks.SourceCheck,
|
883
|
883
|
checks.BinaryCheck,
|
|
884
|
+ checks.BinaryMembersCheck,
|
884
|
885
|
checks.BinaryTimestampCheck,
|
885
|
886
|
checks.SingleDistributionCheck,
|
886
|
887
|
checks.ArchAllBinNMUCheck,
|
daklib/checks.py
... |
... |
@@ -458,6 +458,30 @@ class BinaryCheck(Check): |
458
|
458
|
allow_relations=('=',))
|
459
|
459
|
|
460
|
460
|
|
|
461
|
+_DEB_ALLOWED_MEMBERS = {
|
|
462
|
+ "debian-binary",
|
|
463
|
+ *(f"control.tar.{comp}" for comp in ("gz", "xz")),
|
|
464
|
+ *(f"data.tar.{comp}" for comp in ("gz", "bz2", "xz")),
|
|
465
|
+}
|
|
466
|
+
|
|
467
|
+
|
|
468
|
+class BinaryMembersCheck(Check):
|
|
469
|
+ """check members of .deb file"""
|
|
470
|
+
|
|
471
|
+ def check(self, upload):
|
|
472
|
+ for binary in upload.changes.binaries:
|
|
473
|
+ filename = binary.hashed_file.filename
|
|
474
|
+ path = os.path.join(upload.directory, filename)
|
|
475
|
+ self._check_binary(filename, path)
|
|
476
|
+ return True
|
|
477
|
+
|
|
478
|
+ def _check_binary(self, filename: str, path: str) -> None:
|
|
479
|
+ deb = apt_inst.DebFile(path)
|
|
480
|
+ members = set(member.name for member in deb.getmembers())
|
|
481
|
+ if blocked_members := members - _DEB_ALLOWED_MEMBERS:
|
|
482
|
+ raise Reject(f"{filename}: Contains blocked members {', '.join(blocked_members)}")
|
|
483
|
+
|
|
484
|
+
|
461
|
485
|
class BinaryTimestampCheck(Check):
|
462
|
486
|
"""check timestamps of files in binary packages
|
463
|
487
|
|
daklib/command.py
... |
... |
@@ -354,7 +354,7 @@ class CommandFile: |
354
|
354
|
filename = f"{command}.{source}_{upload.changes.version}"
|
355
|
355
|
content = "OK" if command == "ACCEPT" else "NOTOK"
|
356
|
356
|
|
357
|
|
- with open(os.path.join(upload.policy_queue.path, "COMMENTS", filename), "w") as f:
|
|
357
|
+ with open(os.path.join(upload.policy_queue.path, "COMMENTS", filename), "x") as f:
|
358
|
358
|
f.write(content + "\n")
|
359
|
359
|
|
360
|
360
|
def _action_process_upload_common(self, fingerprint, section, session) -> None:
|
|