Merge of changes from klecker, by various people
amber: special casing for not passing...
authorAnthony Towns <aj@azure.humbug.org.au>
Sat, 26 Nov 2005 07:52:06 +0000 (07:52 +0000)
committerAnthony Towns <aj@azure.humbug.org.au>
Sat, 26 Nov 2005 07:52:06 +0000 (07:52 +0000)
ChangeLog
amber
apt.conf-security
apt.conf.buildd-security
cron.buildd-security
cron.daily-security
docs/README.names
docs/README.quotes
katie.conf-security
templates/amber.advisory
vars-security

index 9f4cc11e972e4affb18916ba207843273b23998a..89cbd8ca04808573dc5fa9d882d8861f9f47646d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2005-11-26  Anthony Towns  <aj@erisian.com.au>
+
+       * Merge of changes from klecker, by various people
+
+       * amber: special casing for not passing on amd64 and oldstable updates
+       * amber: security mirror triggering
+       * templates/amber.advisory: updated advisory structure
+       * apt.conf.buildd-security: update for sarge's release
+       * apt.conf-security: update for sarge's release
+       * cron.buildd-security: generalise suite support, update for sarge's release
+       * cron.daily-security: update for sarge's release, add udeb support
+       * vars-security: update for sarge's release
+       * katie.conf-security: update for sarge's release, add amd64 support,
+       update signing key
+
+       * docs/README.names, docs/README.quotes: include the additions
+
 2005-11-25  Anthony Towns  <aj@erisian.com.au>
 
        * Changed accepted_autobuild to queue_build everywhere.
diff --git a/amber b/amber
index 8e2469d640fccbe6ea0fb2bbe7b3b2cd5880eba5..4f1832adee18e517459ecc154182c4a19e0a8828 100755 (executable)
--- a/amber
+++ b/amber
@@ -2,7 +2,7 @@
 
 # Wrapper for Debian Security team
 # Copyright (C) 2002, 2003, 2004  James Troup <james@nocrew.org>
-# $Id: amber,v 1.10 2004-11-27 19:23:40 troup Exp $
+# $Id: amber,v 1.11 2005-11-26 07:52:06 ajt Exp $
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -64,6 +64,7 @@ def do_upload(changes_files):
     for component in Cnf.SubTree("Amber::ComponentMappings").List():
         component_mapping[component] = Cnf["Amber::ComponentMappings::%s" % (component)];
     uploads = {}; # uploads[uri] = file_list;
+    changesfiles = {}; # changesfiles[uri] = file_list;
     package_list = {} # package_list[source_name][version];
     changes_files.sort(utils.changes_compare);
     for changes_file in changes_files:
@@ -79,6 +80,13 @@ def do_upload(changes_files):
         files = Katie.pkg.files;
         changes = Katie.pkg.changes;
         dsc = Katie.pkg.dsc;
+        # We have the changes, now return if its amd64, to not upload them to ftp-master
+        if changes["architecture"].has_key("amd64"):
+            print "Not uploading amd64 part to ftp-master\n";
+            continue
+        if changes["distribution"].has_key("oldstable-security"):
+            print "Not uploading oldstable-security changes to ftp-master\n";
+            continue
         # Build the file list for this .changes file
         for file in files.keys():
             poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"],
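Review bot: The added `changes["architecture"].has_key("amd64")` test skips the whole .changes file whenever amd64 is among its architectures, so an upload that also carries source or other architectures would never be forwarded to ftp-master, and the only trace is a line on stdout. If the intent is to hold back amd64-only uploads, test for that explicitly, e.g. `if changes["architecture"].keys() == ["amd64"]:`, and fix the comment, which says "return" where the code does `continue`. Separately, the code removed later in this commit keyed on `"oldstable"`, and katie.conf-security now adds `silent-map oldstable-security oldstable`, so it is worth confirming that `changes["distribution"]` still contains the literal key `"oldstable-security"` at this point; if it has already been mapped, this second filter never fires. The enclosing loop in do_upload starts and ends outside the hunk.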
@@ -87,7 +95,6 @@ def do_upload(changes_files):
             file_list.append(poolname);
             orig_component = files[file].get("original component", files[file]["component"]);
             components[orig_component] = "";
-        file_list.append(changes_file);
         # Determine the upload uri for this .changes file
         for component in components.keys():
             upload_uri = component_mapping.get(component);
@@ -106,6 +113,10 @@ def do_upload(changes_files):
         if not uploads.has_key(upload_uri):
             uploads[upload_uri] = [];
         uploads[upload_uri].extend(file_list);
+        # Update the changes list for the upload uri
+        if not changes.has_key(upload_uri):
+            changesfiles[upload_uri] = [];
+        changesfiles[upload_uri].append(changes_file);
         # Remember the suites and source name/version
         for suite in changes["distribution"].keys():
             suites[suite] = "";
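Review bot: The new guard tests the wrong dictionary: `if not changes.has_key(upload_uri):` looks in `changes` (the parsed .changes data assigned from `Katie.pkg.changes` earlier in the loop) rather than in `changesfiles`. Since an upload URI is not expected to be a key of `changes`, `changesfiles[upload_uri]` is reset to `[]` on every iteration and only the last .changes file per URI survives. Earlier packages would then be uploaded without their .changes file, which presumably means the receiving queue never processes those security updates. The line should read `if not changesfiles.has_key(upload_uri):`, matching the `uploads` bookkeeping just above it.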
@@ -116,16 +127,13 @@ def do_upload(changes_files):
                 package_list[dsc["source"]] = {};
             package_list[dsc["source"]][dsc["version"]] = "";
 
-    if len(suites.keys()) == 1 and suites.has_key("oldstable"):
-        print "Advisory only for 'oldstable'; not uploading elsewhere.";
-        return;
-
     if not Options["No-Action"]:
         answer = yes_no("Upload to files to main archive (Y/n)?");
         if answer != "y":
             return;
 
     for uri in uploads.keys():
+        uploads[uri].extend(changesfiles[uri]);
         (host, path) = uri.split(":");
         file_list = " ".join(uploads[uri]);
         print "Uploading files to %s..." % (host);
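Review bot: With the early "oldstable" return removed, nothing before the prompt handles the case where every .changes file was skipped by the new amd64/oldstable-security filters, so the operator is asked to confirm an upload that will transfer nothing. A guard before the `Options["No-Action"]` check would make that visible: `if not uploads:` followed by `print "Nothing to upload to the main archive."; return;`. The added `uploads[uri].extend(changesfiles[uri]);` line also deserves a one-line comment stating why the .changes files are appended after the package files, since that ordering is the reason the earlier `file_list.append(changes_file)` was removed.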
@@ -348,6 +356,9 @@ def main():
     print "Generating template advisory...";
     make_advisory(advisory_number, changes_files);
 
+    # Trigger security mirrors
+    spawn("sudo -u archvsync /home/archvsync/signal_security");
+
     do_upload(changes_files);
 
 ################################################################################
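Review bot: The added `spawn("sudo -u archvsync /home/archvsync/signal_security");` hard-codes both the account and the script path, and it runs before `do_upload` and, as far as this hunk shows, without consulting `Options["No-Action"]` (spawn is defined outside the hunk and may handle that itself; worth confirming). Reading the command from the configuration file, as the rest of amber does through `Cnf[...]`, would keep host-specific paths out of the code. Because this runs a script in another user's home directory via sudo, the comment should also state that the matching sudoers entry must allow exactly this one command with no arguments. A sentence on why the mirrors are signalled before the upload to the main archive would help the next reader.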
index 60428a00cafcb009120493ab49320ad7058e7de3..f792f23d00c73973c8cf90b840d31eb0cbb10454 100644 (file)
@@ -13,10 +13,10 @@ Default
    FileMode 0664;
 }
 
-tree "dists/stable/updates"
+tree "dists/oldstable/updates"
 {
-   FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list";
-   SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list";
+   FileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_binary-$(ARCH).list";
+   SourceFileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_source.list";
    Sections "main contrib non-free";
    Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
    BinOverride "override.woody.$(SECTION)";
@@ -25,14 +25,26 @@ tree "dists/stable/updates"
    Contents " ";
 };
 
+tree "dists/stable/updates"
+{
+   FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list";
+   SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list";
+   Sections "main contrib non-free";
+   Architectures "alpha amd64 arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
+   BinOverride "override.sarge.$(SECTION)";
+   ExtraOverride "override.sarge.extra.$(SECTION)";
+   SrcOverride "override.sarge.$(SECTION).src";
+   Contents " ";
+};
+
 tree "dists/testing/updates"
 {
    FileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_binary-$(ARCH).list";
    SourceFileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_source.list";
    Sections "main contrib non-free";
    Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";
-   BinOverride "override.sarge.$(SECTION)";
-   ExtraOverride "override.sarge.extra.$(SECTION)";
-   SrcOverride "override.sarge.$(SECTION).src";
+   BinOverride "override.etch.$(SECTION)";
+   ExtraOverride "override.etch.extra.$(SECTION)";
+   SrcOverride "override.etch.$(SECTION).src";
    Contents " ";
 };
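Review bot: The `dists/testing/updates` tree keeps its old `Architectures` line without amd64, while this same commit adds `amd64;` to the Testing suite in katie.conf-security and adds amd64 to the new `dists/stable/updates` tree here. If amd64 packages are accepted into testing-security they would not appear in any generated Packages index, so clients on that architecture would not see the updates. Either add `amd64` to the testing tree's `Architectures` line, or note in a comment why testing is deliberately left out.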
index 81a6b6ddb8f3ec25291c469144bc6bb272d17d73..463887403d723ed8cd296d900d03b914f8957468 100644 (file)
@@ -13,14 +13,14 @@ Default
    FileMode 0664;
 }
 
-bindirectory "potato"
+bindirectory "etch"
 {
-   Packages "potato/Packages";
-   Sources "potato/Sources";
+   Packages "etch/Packages";
+   Sources "etch/Sources";
    Contents " ";
 
-   BinOverride "override.potato.all3";
-   BinCacheDB "packages-accepted-potato.db";
+   BinOverride "override.etch.all3";
+   BinCacheDB "packages-accepted-etch.db";
    PathPrefix "";
    Packages::Extensions ".deb .udeb";
 };
index 5d22dc5c1b4dc383824e06eec2984cfb40eb547d..05f2d1385a06e03d618885e1e2aae718c9507329 100755 (executable)
@@ -1,11 +1,12 @@
-#! /bin/sh
+#! /bin/bash
 #
 # Executed after jennifer (merge there??)
 
-ARCHS_stable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
-ARCHS_testing="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
-#DISTS="stable testing"
-DISTS="stable"
+ARCHS_oldstable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390"
+ARCHS_stable="$ARCHS_oldstable"
+ARCHS_testing="$ARCHS_stable"
+DISTS="oldstable stable testing"
+SSH_SOCKET=~/.ssh/buildd.debian.org.socket
 
 set -e
 export SCRIPTVARS=/org/security.debian.org/katie/vars-security
@@ -13,24 +14,54 @@ export SCRIPTVARS=/org/security.debian.org/katie/vars-security
 
 if [ ! -e $ftpdir/Archive_Maintenance_In_Progress ]; then
        cd $masterdir
+       for d in $DISTS; do
+               eval SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz`
+               eval PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz`
+       done
        apt-ftparchive -qq generate apt.conf.buildd-security
+       dists=
        for d in $DISTS; do
-               case "$d" in
-                       stable)
-                               ARCHS="$ARCHS_stable"
-                               ;;
-                       testing)
-                               ARCHS="$ARCHS_testing"
-                               ;;
-                       *)
-                               echo "unknown value in dists: $d"
-                               exit 1
-                               ;;
-               esac
-               cd /org/security.debian.org/buildd/$d
-               for a in $ARCHS; do
-                       quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd wanna-build -d $d-security -b $a/build-db --merge-partial-quinn
-                       ssh buildd@buildd wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages
-               done
+               eval NEW_SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz`
+               eval NEW_PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz`
+               old=SOURCES_$d
+                new=NEW_$old
+                if [ ${!new} -gt ${!old} ]; then
+                       if [ -z "$dists" ]; then
+                               dists="$d"
+                       else
+                               dists="$dists $d"
+                       fi
+                       continue
+               fi
+               old=PACKAGES_$d
+               new=NEW_$old
+                if [ ${!new} -gt ${!old} ]; then
+                       if [ -z "$dists" ]; then
+                               dists="$d"
+                       else
+                               dists="$dists $d"
+                       fi
+                       continue
+               fi
        done
+       if [ ! -z "$dists" ]; then
+               # setup ssh master process
+               ssh buildd@buildd -S $SSH_SOCKET -MN 2> /dev/null &
+               SSH_PID=$!
+               while [ ! -S $SSH_SOCKET ]; do
+                       sleep 1
+               done
+               trap 'kill -TERM $SSH_PID' 0
+               for d in $dists; do
+                       archs=ARCHS_$d
+                       ARCHS=${!archs}
+                       cd /org/security.debian.org/buildd/$d
+                       for a in $ARCHS; do
+                               quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -b $a/build-db --merge-partial-quinn
+                               ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages
+                       done
+               done
+       fi
 fi
+
+ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1
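Review bot: The `while [ ! -S $SSH_SOCKET ]` loop that waits for the ssh master has no exit condition other than the socket appearing, and the master's stderr is sent to /dev/null, so a failed connection to buildd leaves this cron job sleeping forever with no diagnostic. The `trap` is also installed only after the loop, so a job killed while waiting leaves the background ssh running, and a stale socket file from an earlier run makes the loop pass immediately even if the new master failed. Installing the trap first and bounding the wait (the limit of 30 below is an example value) addresses the first two. The unconditional `ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1` at the end sits outside the maintenance guard and has no comment saying what it triggers or which restricted key it relies on.

```shell
ssh buildd@buildd -S $SSH_SOCKET -MN 2> /dev/null &
SSH_PID=$!
trap 'kill -TERM $SSH_PID' 0
tries=0
while [ ! -S $SSH_SOCKET ]; do
	if ! kill -0 $SSH_PID 2> /dev/null || [ $tries -ge 30 ]; then
		echo "ssh master connection to buildd failed" >&2
		exit 1
	fi
	tries=$((tries + 1))
	sleep 1
done
# … unchanged: per-dist quinn-diff / wanna-build loop …
```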
index 405b292411a7748fe70489307c39fae71e83d64c..32a459567c411906c92a6136ddb8a5dbbb7b94db 100644 (file)
@@ -32,8 +32,9 @@ rm -fr non-US
 
 for suite in $suites; do
     case $suite in
-       stable) override_suite=woody;;
-       testing) override_suite=sarge;;
+       oldstable) override_suite=woody;;
+       stable) override_suite=sarge;;
+       testing) override_suite=etch;;
        *) echo "Unknown suite type ($suite)"; exit 1;;
     esac
     for component in $components; do
@@ -41,27 +42,40 @@ for suite in $suites; do
            case $override_type in
               deb) type="" ;;
               dsc) type=".src" ;;
-              udeb) type="skip" ;;
+              udeb) type=".debian-installer" ;;
            esac
-           if [ ! "$type" = "skip" ]; then
-               $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
-               case $suite in
-                   stable)
-                       $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type
-                       $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
-                       ;;
-                   testing)
-                       $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
-                       ;;
-                   *) echo "Unknown suite type ($suite)"; exit 1;;
-               esac
+           # XXX RUN AFUCKINGAWAY
+           if [ "$override_type" = "udeb" ]; then
+               if [ ! "$component" = "main" ]; then
+                continue;
+              fi
+              if [ "$suite" = "unstable" ]; then
+                $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
+              fi
+           else
+              $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type
            fi
+           case $suite in
+             oldstable)
+               if [ ! "$override_type" = "udeb" ]; then
+                  $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type
+                fi
+               $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+               ;;
+             stable)
+               $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+               ;;
+             testing)
+               $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type
+               ;;
+             *) echo "Unknown suite type ($suite)"; exit 1;;
+           esac
        done
     done
 done
 
 # Generate .all3 overides for the buildd support
-for dist in potato woody sarge; do
+for dist in woody sarge etch; do
     rm -f override.$dist.all3
     components="main contrib non-free";
     if [ -f override.$dist.main.debian-installer ]; then
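Review bot: In the new udeb branch, `if [ "$suite" = "unstable" ]` can never be true: the outer `case $suite` accepts only oldstable, stable and testing and exits on anything else, and vars-security sets `suites="oldstable stable testing"`. The `natalie -S` call for udebs is therefore dead code, and udeb overrides are only ever appended from `override.sid.$component$type` in the second `case`. If that is intended, replace the `# XXX` comment with one that says udeb overrides are deliberately not reset from the suite's own override file and why; if not, the comparison needs the suite that was meant. The `*) echo "Unknown suite type ($suite)"; exit 1;;` arm of the second `case` is unreachable for the same reason.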
index 4a949d43f9c8366bbaf7ac8bcf4d42a4101779a3..3c773bc52dcf87152f411dd3b63846ffb4ed098e 100644 (file)
@@ -123,6 +123,7 @@ Kylie (Minogue)
 Laetitia (Casta)
 Lana (Parrilla)
 Liv (Tyler)
+Marcia (Cross)
 Mariska (Hargitay)
 Michelle (Hunziker)
 Mira (Sorvino)
index 413cf6258f5129da9093505eb429771213d7df6d..a188d59e71c314448c4c8ff7b0e83df250f911ad 100644 (file)
@@ -313,3 +313,15 @@ Canadians: This is a lighthouse. Your call.
 <elmo>   File "/org/ftp.debian.org/katie/kelly", line 608, in main
 <elmo>     sys.stderr.write("Installed %d package %s, %s.\n" % (install_count, sets, utils.size_type(int(install_bytes))));
 <elmo> OverflowError: float too large to convert
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+"The Hurd's design is so secure that it makes firewalls immoral IMHO." -- Jeroen Dekkers
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+<helix> I bought some foam soap for kids the other day and only
+        realized it had an elmo picture on it when I got home
+<helix> now I can't use it because I feel perverted
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
index 3d6e6198f3324552085f27cc146b1a635ed6aa52..fe6cf1e4cad36bc3dce19a57ea5cde0a1ff15a13 100644 (file)
@@ -4,7 +4,7 @@ Dinstall
    GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
    SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
    SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
-   SigningKeyIds "1DB114E0";
+   SigningKeyIds "4F368D5D";
    SendmailCommand "/usr/sbin/sendmail -odq -oi -t";
    MyEmailAddress "Debian Installer <installer@ftp-master.debian.org>";
    MyAdminAddress "ftpmaster@debian.org";
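Review bot: `SigningKeyIds "4F368D5D";` identifies the new archive signing key only by an 8-hex-digit short ID, and neither the ChangeLog entry ("update signing key") nor a comment here records the key's full fingerprint or why it was rotated. Short key IDs are not collision-resistant, so if the tools reading this setting accept a long ID or full fingerprint (not visible from this hunk), that form is the safer one. At minimum, add a `//` comment above the line giving the full fingerprint and the rotation date, so a later reviewer can check the configured key against the published one. The Dinstall block continues outside the hunk.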
@@ -23,6 +23,7 @@ Dinstall
    BXANotify "false";
    QueueBuildSuites
    {
+     oldstable;
      stable;
      testing;
    };
@@ -103,7 +104,7 @@ Suite
   // Priority determines which suite is used for the Maintainers file
   // as generated by charisma (highest wins).
 
-  Stable
+  Oldstable
   {
        Components 
        {
@@ -137,6 +138,41 @@ Suite
        CopyKatie "/org/security.debian.org/queue/done/";
   };
 
+  Stable
+  {
+       Components 
+       {
+         updates/main;
+         updates/contrib;
+         updates/non-free;
+       };
+       Architectures 
+       {
+         source;  
+         all;
+         alpha;
+         amd64; 
+         arm;
+         hppa;
+         i386;
+         ia64;
+         m68k;
+         mips;
+         mipsel;
+         powerpc;
+         s390;
+         sparc;
+       };
+       Announce "katie@security.debian.org";
+       Version "3.1";
+       Origin "Debian";
+       Label "Debian-Security";
+       Description "Debian 3.1 Security Updates";
+       CodeName "sarge";
+       OverrideCodeName "sarge";
+       CopyKatie "/org/security.debian.org/queue/done/";
+  };
+
   Testing
   {
        Components 
@@ -149,6 +185,7 @@ Suite
        {
          source;  
          all;
+         amd64; 
          alpha; 
          arm;
          hppa;
@@ -166,8 +203,8 @@ Suite
        Origin "Debian";
        Label "Debian-Security";
        Description "Debian x.y Security Updates";
-       CodeName "sarge";
-       OverrideCodeName "sarge";
+       CodeName "etch";
+       OverrideCodeName "etch";
        CopyKatie "/org/security.debian.org/queue/done/";
   };
 
@@ -175,10 +212,11 @@ Suite
 
 SuiteMappings
 {
+  "silent-map oldstable-security oldstable";
  "silent-map stable-security stable";
  // JT - FIXME, hackorama
- "silent-map testing-security stable";
//"silent-map testing-security testing";
// "silent-map testing-security stable";
 "silent-map testing-security testing";
 };
 
 Dir
@@ -231,6 +269,7 @@ Architectures
   powerpc "PowerPC";
   s390 "IBM S/390";
   sparc "Sun SPARC/UltraSPARC";
+  amd64 "AMD x86_64 (AMD64)";
 
 };
 
@@ -348,6 +387,7 @@ Location
       Archive "security";
       Suites 
        {
+         Oldstable;
          Stable;
          Testing;
         };
index 0b6f26bd09d80b6fbe8bd4756fc95381553dd4a7..50d59e94006c58705cfeda0f07bb3353eeb76f34 100644 (file)
@@ -11,9 +11,12 @@ __DATE__
 
 Package        : __PACKAGE__
 Vulnerability  : XXX
-Problem type   : XXX
+Problem type   : local/remote XXX
 Debian-specific: XXX
 CVE Id(s)      : XXX
+CERT advisory  : XXX
+BugTraq ID     : XXX
+Debian Bug     : XXX
 
 ...
 
@@ -36,31 +39,30 @@ We recommend that you upgrade your __PACKAGE__ package.
 Upgrade instructions
 --------------------
 
-  To perform automated upgrades using apt:
+wget url
+        will fetch the file for you
+dpkg -i file.deb
+        will install the referenced file.
 
-    deb http://security.debian.org/ woody/updates main
-        added to /etc/apt/sources.list will give you access to woody updates.
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
 
-    deb http://security.debian.org/ potato/updates main
-        added to /etc/apt/sources.list will give you access to potato updates.
-
-    apt-get update
-        will update apt's package database of packages and versions
-
-    apt-get upgrade
+apt-get update
+        will update the internal database
+apt-get upgrade
         will install corrected packages
 
-  Alternatively, to obtain and install packages by hand:
-
-    wget URL
-        will fetch the file for you.
-    dpkg -i FILENAME.deb
-        will install the fetched file.
-
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
 
 __ADVISORY_TEXT__
 
--------------------------------------------------------------------------------
-Mailing list: http://lists.debian.org/debian-security-announce/
-Package info: 'apt-cache show <pkg>' and http://packages.debian.org/<pkg>
 
+  These files will probably be moved into the stable distribution on
+  its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
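Review bot: The rewritten footer and the new "These files will probably be moved into the stable distribution" paragraph hard-code `stable`, while this commit introduces oldstable-security advisories (amber now special-cases them and katie.conf-security gains an Oldstable suite). An advisory generated for oldstable would tell readers to add `stable/updates`, which does not carry their fix. Consider a placeholder for the suite, or restore per-release source lines as the removed text had for woody and potato. The manual `wget url` / `dpkg -i file.deb` path also no longer sits next to any reminder to compare the download with the checksums in the signed advisory, and one sentence saying so would help.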
index f042e2ef448f911797fee2a615d701131c3205d2..05ccc8c1b3190a1f7da7adc91cc8b9958ed568b8 100644 (file)
@@ -13,7 +13,7 @@ uploadhost=ftp-master.debian.org
 uploaddir=/pub/UploadQueue/
 
 components="main non-free contrib"
-suites="stable testing"
+suites="oldstable stable testing"
 override_types="deb dsc udeb"
 
 PATH=$masterdir:$PATH