]> err.no Git - dak/commitdiff
initial import
authorJames Troup <james@nocrew.org>
Tue, 14 May 2002 15:24:45 +0000 (15:24 +0000)
committerJames Troup <james@nocrew.org>
Tue, 14 May 2002 15:24:45 +0000 (15:24 +0000)
amber [new file with mode: 0755]
apt.conf-security [new file with mode: 0644]
cron.daily-security [new file with mode: 0644]
katie.conf-security [new file with mode: 0644]
templates/amber.advisory [new file with mode: 0644]
vars-security [new file with mode: 0644]

diff --git a/amber b/amber
new file mode 100755 (executable)
index 0000000..d2f5d56
--- /dev/null
+++ b/amber
@@ -0,0 +1,283 @@
+#!/usr/bin/env python
+
+# Wrapper for Debian Security team
+# Copyright (C) 2002  James Troup <james@nocrew.org>
+# $Id: amber,v 1.1 2002-05-14 15:24:45 troup Exp $
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+
+################################################################################
+
+# <aj> neuro: <usual question>?
+# <neuro> aj: PPG: the movie!  july 3!
+# <aj> _PHWOAR_!!!!!
+# <aj> (you think you can distract me, and you're right)
+# <aj> urls?!
+# <aj> promo videos?!
+# <aj> where, where!?
+
+################################################################################
+
+import commands, pwd, os, string, sys, time;
+import apt_pkg;
+import katie, utils;
+
+################################################################################
+
+Cnf = None;
+Katie = None;
+
+################################################################################
+
+def usage (exit_code=0):
+    print """Usage: amber ADV_NUMBER CHANGES_FILE[...]
+Install CHANGES_FILE(s) as security advisory ADV_NUMBER
+
+  -h, --help                 show this help and exit
+
+"""
+    sys.exit(exit_code)
+
+################################################################################
+
+def get_file_list(arguments):
+    file_list = "";
+    for arg in arguments:
+        arg = utils.validate_changes_file_arg(arg);
+        Katie.pkg.changes_file = arg;
+       Katie.init_vars();
+        Katie.update_vars();
+        files = Katie.pkg.files;
+        changes = Katie.pkg.changes;
+        for file in files.keys():
+            poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"],
+                                    utils.poolify(changes["source"], files[file]["component"]),
+                                    file);
+            file_list = "%s %s" % (file_list, poolname);
+    file_list = "%s %s" % (file_list, string.join(map(os.path.abspath, arguments)));
+    return file_list;
+
+################################################################################
+
+def join_with_commas_and(list):
+       if len(list) == 0: return "nothing";
+       if len(list) == 1: return list[0];
+       return string.join(list[:-1], ", ") + " and " + list[-1];
+
+######################################################################
+
+# Originally written by aj, nih-ishly merged into amber by me.
+
+def make_advisory(advisory_nr, changes_files):
+    adv_packages = [];
+    updated_pkgs = {};  # updated_pkgs[distro][arch][file] = {path,md5,size}
+
+    for arg in changes_files:
+        arg = utils.validate_changes_file_arg(arg);
+       Katie.pkg.changes_file = arg;
+       Katie.init_vars();
+       Katie.update_vars();
+
+       src = Katie.pkg.changes["source"];
+       if src not in adv_packages:
+           adv_packages = adv_packages + [src];
+
+       suites = Katie.pkg.changes["distribution"].keys();
+       for suite in suites:
+           if not updated_pkgs.has_key(suite):
+                updated_pkgs[suite] = {};
+
+       files = Katie.pkg.files;
+       for file in files.keys():
+           arch = files[file]["architecture"];
+           md5 = files[file]["md5sum"];
+           size = files[file]["size"];
+           poolname = Cnf["Dir::PoolRoot"] + \
+               utils.poolify(src, files[file]["component"]);
+           if arch == "source" and file[-4:] == ".dsc":
+               dscpoolname = poolname;
+           for suite in suites:
+               if not updated_pkgs[suite].has_key(arch):
+                   updated_pkgs[suite][arch] = {}
+               updated_pkgs[suite][arch][file] = {
+                    "md5": md5, "size": size,
+                    "poolname": poolname };
+
+       dsc_files = Katie.pkg.dsc_files;
+       for file in dsc_files.keys():
+           arch = "source"
+           if not dsc_files[file].has_key("files id"):
+                continue;
+
+           # otherwise, it's already in the pool and needs to be
+           # listed specially
+           md5 = dsc_files[file]["md5sum"];
+           size = dsc_files[file]["size"];
+           for suite in suites:
+               if not updated_pkgs[suite].has_key(arch):
+                   updated_pkgs[suite][arch] = {};
+               updated_pkgs[suite][arch][file] = {
+                    "md5": md5, "size": size,
+                    "poolname": dscpoolname };
+
+    if os.environ.has_key("SUDO_UID"):
+        whoami = string.atol(os.environ["SUDO_UID"]);
+    else:
+        whoami = os.getuid();
+    whoamifull = pwd.getpwuid(whoami);
+    username = string.split(whoamifull[4], ",")[0];
+
+    Subst = {
+       "__ADVISORY__": advisory_nr,
+       "__WHOAMI__": username,
+       "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())),
+       "__PACKAGE__": string.join(adv_packages,", ")
+    };
+
+    adv = "";
+    archive = Cnf["Archive::%s::PrimaryMirror" % (utils.where_am_i())];
+    for suite in updated_pkgs.keys():
+        suite_header = "%s %s (%s)" % (Cnf["Dinstall::MyDistribution"],
+                                       Cnf["Suite::%s::Version" % suite], suite);
+        adv = adv + "%s\n%s\n\n" % (suite_header, "-"*len(suite_header));
+
+       arches = Cnf.ValueList("Suite::%s::Architectures" % suite);
+       if "source" in arches:
+            arches.remove("source");
+       if "all" in arches:
+            arches.remove("all");
+       arches.sort();
+
+       adv = adv + "  %s was released for %s.\n\n" % (
+               string.capitalize(suite), join_with_commas_and(arches));
+
+       for a in ["source", "all"] + arches:
+           if not updated_pkgs[suite].has_key(a):
+                continue;
+
+           if a == "source":
+               adv = adv + "  Source archives:\n\n";
+           elif a == "all":
+               adv = adv + "  Architecture independent packages:\n\n";
+           else:
+               adv = adv + "  %s architecture (%s)\n\n" % (a,
+                       Cnf["Architectures::%s" % a]);
+
+           for file in updated_pkgs[suite][a].keys():
+               adv = adv + "    http://%s/%s%s\n" % (
+                               archive, updated_pkgs[suite][a][file]["poolname"], file);
+               adv = adv + "      Size/MD5 checksum: %8s %s\n" % (
+                       updated_pkgs[suite][a][file]["size"],
+                       updated_pkgs[suite][a][file]["md5"]);
+           adv = adv + "\n";
+    adv = string.rstrip(adv);
+
+    Subst["__ADVISORY_TEXT__"] = adv;
+
+    adv = utils.TemplateSubst(Subst, Cnf["Dir::Templates"]+"/amber.advisory");
+    utils.send_mail (adv, "");
+
+######################################################################
+
+def init():
+    global Cnf, Katie;
+
+    apt_pkg.init();
+    Cnf = utils.get_conf();
+
+    Arguments = [('h',"help","Amber::Options::Help")];
+
+    for i in [ "help" ]:
+        Cnf["Amber::Options::%s" % (i)] = "";
+
+    arguments = apt_pkg.ParseCommandLine(Cnf,Arguments,sys.argv);
+    Katie = katie.Katie(Cnf);
+
+    if Cnf["Amber::Options::Help"]:
+        usage(0);
+
+    if not arguments:
+        usage(1);
+
+    advisory_number = arguments[0];
+    changes_files = sys.argv[2:];
+    if advisory_number[-8:] == ".changes":
+        utils.warn("first argument must be the advisory number.");
+        usage(1);
+    for file in changes_files:
+        file = utils.validate_changes_file_arg(file);
+    return (advisory_number, changes_files);
+
+######################################################################
+
+def yes_no(prompt):
+    while 1:
+        answer = string.lower(utils.our_raw_input(prompt+" "));
+        if answer == "y" or answer == "n":
+            break;
+        else:
+            print "Invalid answer; please try again.";
+    return answer;
+
+######################################################################
+
+def spawn(command):
+    (result, output) = commands.getstatusoutput(command);
+    if (result != 0):
+        utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result);
+
+######################################################################
+
+
+def main():
+    (advisory_number, changes_files) = init();
+
+    print "About to install the following files: "
+    for file in changes_files:
+        print "  %s" % (file);
+    answer = yes_no("Continue (Y/n)?");
+    if answer == "n":
+        sys.exit(0);
+
+    os.chdir(Cnf["Dir::Queue::Accepted"]);
+    print "Installing packages into the archive...";
+    spawn("%s/katie -pa %s" % (Cnf["Dir::Katie"], string.join(changes_files)));
+    os.chdir(Cnf["Dir::Katie"]);
+    print "Updating file lists for apt-ftparchive...";
+    spawn("./jenna");
+    print "Updating Packages and Sources files...";
+    spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()));
+    print "Updating Release files...";
+    spawn("./ziyi");
+
+    os.chdir(Cnf["Dir::Queue::Done"]);
+    print "Generating template advisory...";
+    make_advisory(advisory_number, changes_files);
+
+    answer = yes_no("Upload to ftp-master (Y/n)? ");
+    if answer == "y":
+        upload_files = get_file_list(changes_files);
+        print "Uploading files...";
+        spawn("lftp -c 'open %s; cd %s; put %s'" % (Cnf["Amber::UploadHost"],
+                                                    Cnf["Amber::UploadDir"],
+                                                    upload_files));
+
+################################################################################
+
+if __name__ == '__main__':
+    main();
+
+################################################################################
diff --git a/apt.conf-security b/apt.conf-security
new file mode 100644 (file)
index 0000000..44a175a
--- /dev/null
@@ -0,0 +1,36 @@
+Dir 
+{
+   ArchiveDir "/org/security.debian.org/ftp/";
+   OverrideDir "/org/security.debian.org/override/";
+   CacheDir "/org/security.debian.org/katie-database/";
+};
+
+Default
+{
+   Packages::Compress ". gzip";
+   Sources::Compress "gzip";
+   DeLinkLimit 0;
+   FileMode 0664;
+}
+
+tree "dists/potato/updates"
+{
+   FileList "/org/security.debian.org/katie-database/dists/potato_$(SECTION)_binary-$(ARCH).list";
+   SourceFileList "/org/security.debian.org/katie-database/dists/potato_$(SECTION)_source.list";
+   Sections "main contrib non-free";
+   Architectures "alpha arm i386 m68k powerpc sparc source";
+   BinOverride "override.potato.$(SECTION)";
+   SrcOverride "override.potato.$(SECTION).src";
+   Contents " ";
+};
+
+tree "dists/woody/updates"
+{
+   FileList "/org/security.debian.org/katie-database/dists/woody_$(SECTION)_binary-$(ARCH).list";
+   SourceFileList "/org/security.debian.org/katie-database/dists/woody_$(SECTION)_source.list";
+   Sections "main contrib non-free";
+   Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
+   BinOverride "override.woody.$(SECTION)";
+   SrcOverride "override.woody.$(SECTION).src";
+   Contents " ";
+};
diff --git a/cron.daily-security b/cron.daily-security
new file mode 100644 (file)
index 0000000..131f22b
--- /dev/null
@@ -0,0 +1,60 @@
+#! /bin/sh
+#
+# Executed daily via cron, out of katie's crontab.
+
+set -e
+export SCRIPTVARS=/org/security.debian.org/katie/vars-security
+. $SCRIPTVARS
+
+################################################################################
+
+rsync -ql ftp-master::indices/override\* $overridedir
+
+cd $overridedir
+find . -name override\*.gz -type f -maxdepth 1 -mindepth 1 | xargs gunzip -f
+find . -type l -maxdepth 1 -mindepth 1 | xargs rm
+
+rm -fr non-US
+mkdir non-US
+cd non-US
+rsync -ql non-us::indices/override\* .
+find . -name override\*.gz -type f -maxdepth 1 -mindepth 1 | xargs gunzip
+find . -type l -maxdepth 1 -mindepth 1 | xargs rm
+for i in *; do
+    if [ -f ../$i ]; then
+       cat $i >> ../$i;
+    fi;
+done
+cd ..
+rm -fr non-US
+
+for suite in $suites; do
+    for component in $components; do
+       for override_type in $override_types; do
+           case $override_type in
+              deb) type="" ;;
+              dsc) type=".src" ;;
+              udeb) type="skip" ;;
+           esac
+           if [ ! "$type" = "skip" ]; then
+               $masterdir/natalie -q -S -t $override_type -s $suite -c $component < override.$suite.$component$type
+           fi
+       done
+    done
+done
+
+################################################################################
+
+cd $masterdir
+shania
+rhona
+apt-ftparchive -q clean apt.conf-security
+
+pg_dump obscurity > /org/security.debian.org/katie-backup/dump_$(date +%Y.%m.%d-%H:%M:%S)
+
+# Vacuum the database
+set +e
+echo "VACUUM; VACUUM ANALYZE;" | psql obscurity 2>&1 | egrep -v "^NOTICE:  Skipping \"pg_.*only table or database owner can VACUUM it$|^VACUUM$"
+set -e
+
+################################################################################
diff --git a/katie.conf-security b/katie.conf-security
new file mode 100644 (file)
index 0000000..b6ecef6
--- /dev/null
@@ -0,0 +1,332 @@
+Dinstall
+{
+   PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+   SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
+   SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
+   SigningKeyIds "722F1AED";
+   SendmailCommand "/usr/sbin/sendmail -odq -oi -t";
+   MyEmailAddress "Debian Installer <installer@ftp-master.debian.org>";
+   MyAdminAddress "ftpmaster@debian.org";
+   MyHost "debian.org";  // used for generating user@my_host addresses in e.g. manual_reject()
+   MyDistribution "Debian"; // Used in emails
+   BugServer "bugs.debian.org";
+   PackagesServer "packages.debian.org";
+   LockFile "/org/security.debian.org/katie/lock";
+   Bcc "archive@ftp-master.debian.org";
+   // GroupOverrideFilename "override.group-maint";
+   FutureTimeTravelGrace 28800; // 6 hours
+   PastCutoffYear "1984";
+   SkipTime 300;
+   CloseBugs "false";
+   OverrideDisparityCheck "false";
+   BXANotify "false";
+   SpecialAcceptedAutoBuild "true";
+   DefaultSuite "Woody";
+   OverrideMaintainer "katie@security.debian.org";
+};
+
+Julia
+{
+  ValidGID "800";
+  // Comma seperated list of users who are in Postgres but not the passwd file
+  KnownPostgres "postgres,katie";
+};
+
+Shania
+{
+  Options
+  {
+    Days 14;
+   };
+ MorgueSubDir "shania";
+};
+
+Natalie
+{
+  Options
+  {
+    Component "main";
+    Suite "unstable";
+    Type "deb";
+   };
+
+ ComponentPosition "prefix"; // Whether the component is prepended or appended to the section name
+};
+
+Melanie
+{
+  Options
+  {
+    Suite "unstable";
+   };
+
+   MyEmailAddress "Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>";
+   LogFile "/org/security.debian.org/web/removals.txt";
+};
+
+Neve
+{
+  ExportDir "/org/security.debian.org/katie/neve-files/";
+};
+
+Rhona
+{
+  // How long (in seconds) dead packages are left before being killed
+  StayOfExecution 129600; // 1.5 days
+  AcceptedAutoBuildStayOfExecution 86400; // 24 hours
+  MorgueSubDir "rhona";
+  OverrideFilename "override.source-only";
+};
+
+Amber
+{
+  UploadHost "ftp-master.debian.org";
+  UploadDir "/pub/UploadQueue";
+};
+
+Suite
+{
+  // Priority determines which suite is used for the Maintainers file
+  // as generated by charisma (highest wins).
+
+  Potato
+  {
+       Components 
+       {
+         main;
+         contrib;
+         non-free;
+       };
+       Architectures 
+       {
+         source;  
+         all;
+         alpha; 
+         arm;
+         i386;
+         m68k;
+         powerpc;
+         sparc;
+       };
+       Announce "katie@security.debian.org";
+       Version "2.2";
+       Origin "Debian";
+       Label "Debian-Security";
+       Description "Debian 2.2 Security Updates";
+       CodeName "potato/updates";
+       OverrideCodeName "potato";
+       CopyKatie "/org/security.debian.org/queue/done/";
+  };
+
+  Woody
+  {
+       Components 
+       {
+         main;
+         contrib;
+         non-free;
+       };
+       Architectures 
+       {
+         source;  
+         all;
+         alpha; 
+         arm;
+         hppa;
+         i386;
+         ia64;
+         m68k;
+         mips;
+         mipsel;
+         powerpc;
+         s390;
+         sparc;
+       };
+       Announce "katie@security.debian.org";
+       Version "3.0";
+       Origin "Debian";
+       Label "Debian-Security";
+       Description "Debian 3.0 Security Updates";
+       CodeName "woody/updates";
+       OverrideCodeName "woody";
+       CopyKatie "/org/security.debian.org/queue/done/";
+  };
+
+};
+
+SuiteMappings
+{
+ "map stable-sec potato";
+ "map testing-sec woody";
+};
+
+Dir
+{
+  Root "/org/security.debian.org/ftp/";
+  Pool "/org/security.debian.org/ftp/pool/";
+  Katie "/org/security.debian.org/katie/";
+  Templates "/org/security.debian.org/katie/templates/";
+  PoolRoot "pool/";
+  Override "/org/security.debian.org/override/";
+  Lists "/org/security.debian.org/katie-database/dists/";
+  Log "/org/security.debian.org/katie-log/";
+  Morgue "/org/security.debian.org/morgue/";
+  MorgueReject "reject";
+  Override "/org/security.debian.org/scripts/override/";
+  Queue
+  {
+    Root "/org/security.debian.org/queue/";
+    Accepted "/org/security.debian.org/queue/accepted/";
+    Byhand "/org/security.debian.org/queue/byhand/";
+    Done "/org/security.debian.org/queue/done/";
+    Holding "/org/security.debian.org/queue/holding/";
+    New "/org/security.debian.org/queue/new/";
+    Reject "/org/security.debian.org/queue/reject/";
+    Unchecked "/org/security.debian.org/queue/unchecked/";
+  };
+};
+
+DB
+{
+  Name "obscurity";
+  Host ""; 
+  Port -1;
+
+};
+
+Architectures
+{
+
+  source "Source";
+  all "Architecture Independent";
+  alpha "DEC Alpha";
+  hppa "HP PA RISC";
+  arm "Arm";
+  i386 "Intel ia32";
+  ia64 "Intel ia64";
+  m68k "Motorola Mc680x0";
+  mips "SGI MIPS";
+  mipsel "SGI MIPS (Little Endian)";
+  powerpc "PowerPC";
+  s390 "IBM S/390";
+  sparc "Sun SPARC/UltraSPARC";
+
+};
+
+Archive
+{
+
+  security
+  {
+    OriginServer "security.debian.org";
+    PrimaryMirror "security.debian.org";
+    Description "Security Updates for the Debian project";
+  };
+
+};
+
+Component
+{
+
+  main
+  {
+       Description "Main";
+       MeetsDFSG "true";
+  };
+
+  contrib
+  {
+       Description "Contrib";
+       MeetsDFSG "true";
+  };
+
+  non-free
+  {
+       Description "Software that fails to meet the DFSG";
+       MeetsDFSG "false";
+  };
+
+};
+
+Section
+{
+  admin;
+  base;
+  comm;
+  debian-installer;
+  devel;
+  doc;
+  editors;
+  electronics;
+  games;
+  graphics;
+  hamradio;
+  interpreters;
+  libs;
+  mail;
+  math;
+  misc;
+  net;
+  news;
+  oldlibs;
+  otherosfs;
+  science;
+  shells;
+  sound;
+  tex;
+  text;
+  utils;
+  web;
+  x11;
+  non-US;
+};
+
+Priority
+{
+  required 1;
+  important 2;
+  standard 3;
+  optional 4;
+  extra 5;
+  source 0; // i.e. unused
+};
+
+OverrideType
+{
+  deb;
+  udeb;
+  dsc;
+};
+
+Location
+{
+  /org/security.debian.org/ftp/dists/
+    {
+      Archive "security";
+      Suites 
+       {
+         Potato;
+        };
+      Type "legacy";
+    };
+
+  /org/security.debian.org/ftp/pool/
+    {
+      Archive "security";
+      Type "pool";
+    };
+};
+
+Urgency
+{
+  Default "low";
+  Valid
+  {
+    low;
+    medium;
+    high;
+    emergency;
+    critical;
+  };
+};
diff --git a/templates/amber.advisory b/templates/amber.advisory
new file mode 100644 (file)
index 0000000..de6459d
--- /dev/null
@@ -0,0 +1,34 @@
+------------------------------------------------------------------------
+Debian Security Advisory __ADVISORY__
+http://www.debian.org/security/
+
+Issued by __WHOAMI__ <security@debian.org>
+__DATE__
+------------------------------------------------------------------------
+
+Package        : __PACKAGE__
+Problem type   : 
+Debian-specific: 
+
+...
+
+__ADVISORY_TEXT__
+
+------------------------------------------------------------------------
+
+Obtaining updates:
+
+  By hand:
+
+    wget URL
+        will fetch the file for you.
+    dpkg -i FILENAME.deb
+        will install the fetched file.
+
+  With apt:
+
+    deb http://security.debian.org/ potato/updates main
+        added to /etc/apt/sources.list will give you access to potato updates.
+    deb http://security.debian.org/ woody/updates main
+        added to /etc/apt/sources.list will give you access to woody updates.
+
diff --git a/vars-security b/vars-security
new file mode 100644 (file)
index 0000000..4ce34ab
--- /dev/null
@@ -0,0 +1,19 @@
+# locations used by many scripts
+
+base=/org/security.debian.org
+masterdir=$base/katie/
+overridedir=$base/override
+queuedir=$base/queue/
+accepted=$queuedir/accepted/
+done=$queuedir/done/
+
+uploadhost=ftp-master.debian.org
+uploaddir=/pub/UploadQueue/
+
+components="main non-free contrib"
+suites="potato woody"
+override_types="deb dsc udeb"
+
+PATH=$masterdir:$PATH
+umask 022
+