From dd866b48805fee669a51b57dd9434b4251cb81e3 Mon Sep 17 00:00:00 2001 From: Anthony Towns Date: Sat, 26 Nov 2005 07:52:06 +0000 Subject: [PATCH] Merge of changes from klecker, by various peopleamber: special casing for not passing on amd64 and oldstable updatesamber: security mirror triggeringtemplates/amber.advisory: updated advisory structureapt.conf.buildd-security: update for sarge's releaseapt.conf-security: update for sarge's releasecron.buildd-security: generalise suite support, update for sarge's releasecron.daily-security: update for sarge's release, add udeb supportvars-security: update for sarge's releasekatie.conf-security: update for sarge's release, add amd64 support,update signing keydocs/README.names, docs/README.quotes: include the additions --- ChangeLog | 17 +++++++++ amber | 23 ++++++++---- apt.conf-security | 24 +++++++++---- apt.conf.buildd-security | 10 +++--- cron.buildd-security | 75 ++++++++++++++++++++++++++++------------ cron.daily-security | 46 +++++++++++++++--------- docs/README.names | 1 + docs/README.quotes | 12 +++++++ katie.conf-security | 52 ++++++++++++++++++++++++---- templates/amber.advisory | 44 ++++++++++++----------- vars-security | 2 +- 11 files changed, 223 insertions(+), 83 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f4cc11e..89cbd8ca 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,20 @@ +2005-11-26 Anthony Towns + + * Merge of changes from klecker, by various people + + * amber: special casing for not passing on amd64 and oldstable updates + * amber: security mirror triggering + * templates/amber.advisory: updated advisory structure + * apt.conf.buildd-security: update for sarge's release + * apt.conf-security: update for sarge's release + * cron.buildd-security: generalise suite support, update for sarge's release + * cron.daily-security: update for sarge's release, add udeb support + * vars-security: update for sarge's release + * katie.conf-security: update for sarge's release, add amd64 support, + update signing key + + * docs/README.names, docs/README.quotes: include the additions + 2005-11-25 Anthony Towns * Changed accepted_autobuild to queue_build everywhere. diff --git a/amber b/amber index 8e2469d6..4f1832ad 100755 --- a/amber +++ b/amber @@ -2,7 +2,7 @@ # Wrapper for Debian Security team # Copyright (C) 2002, 2003, 2004 James Troup -# $Id: amber,v 1.10 2004-11-27 19:23:40 troup Exp $ +# $Id: amber,v 1.11 2005-11-26 07:52:06 ajt Exp $ # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -64,6 +64,7 @@ def do_upload(changes_files): for component in Cnf.SubTree("Amber::ComponentMappings").List(): component_mapping[component] = Cnf["Amber::ComponentMappings::%s" % (component)]; uploads = {}; # uploads[uri] = file_list; + changesfiles = {}; # changesfiles[uri] = file_list; package_list = {} # package_list[source_name][version]; changes_files.sort(utils.changes_compare); for changes_file in changes_files: 
@@ -79,6 +80,13 @@ def do_upload(changes_files): files = Katie.pkg.files; changes = Katie.pkg.changes; dsc = Katie.pkg.dsc; + # We have the changes, now return if its amd64, to not upload them to ftp-master + if changes["architecture"].has_key("amd64"): + print "Not uploading amd64 part to ftp-master\n"; + continue + if changes["distribution"].has_key("oldstable-security"): + print "Not uploading oldstable-security changes to ftp-master\n"; + continue # Build the file list for this .changes file for file in files.keys(): poolname = os.path.join(Cnf["Dir::Root"], Cnf["Dir::PoolRoot"], @@ -87,7 +95,6 @@ def do_upload(changes_files): file_list.append(poolname); orig_component = files[file].get("original component", files[file]["component"]); components[orig_component] = ""; - file_list.append(changes_file); # Determine the upload uri for this .changes file for component in components.keys(): upload_uri = component_mapping.get(component); @@ -106,6 +113,10 @@ def do_upload(changes_files): if not uploads.has_key(upload_uri): uploads[upload_uri] = []; uploads[upload_uri].extend(file_list); + # Update the changes list for the upload uri + if not changes.has_key(upload_uri): + changesfiles[upload_uri] = []; + changesfiles[upload_uri].append(changes_file); # Remember the suites and source name/version for suite in changes["distribution"].keys(): suites[suite] = ""; @@ -116,16 +127,13 @@ def do_upload(changes_files): package_list[dsc["source"]] = {}; package_list[dsc["source"]][dsc["version"]] = ""; - if len(suites.keys()) == 1 and suites.has_key("oldstable"): - print "Advisory only for 'oldstable'; not uploading elsewhere."; - return; - if not Options["No-Action"]: answer = yes_no("Upload to files to main archive (Y/n)?"); if answer != "y": return; for uri in uploads.keys(): + uploads[uri].extend(changesfiles[uri]); (host, path) = uri.split(":"); file_list = " ".join(uploads[uri]); print "Uploading files to %s..." % (host); 
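Review bot: The new oldstable test in do_upload looks for the key `oldstable-security` in `changes["distribution"]`, whereas the check this commit removes further down tested `suites.has_key("oldstable")`, with `suites` filled from the same `changes["distribution"].keys()`. If the `silent-map oldstable-security oldstable` mapping has already been applied by the time amber reads the .changes data (not visible here), the new condition never matches and oldstable updates would still be sent to ftp-master. The amd64 test also skips the whole .changes file whenever amd64 appears in `changes["architecture"]`, so a mixed upload (source plus amd64, say) would keep its source off ftp-master too. If only the amd64 binaries are meant to stay behind, filter them out of `file_list` rather than using `continue`. do_upload begins and ends outside this hunk.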
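Review bot: The guard added before `changesfiles[upload_uri].append(changes_file)` tests the wrong dictionary: `if not changes.has_key(upload_uri):` looks in the parsed .changes data, which presumably never has an upload URI as a key. As a result `changesfiles[upload_uri]` is reset to an empty list on every pass, and only the last .changes file for each URI reaches the `uploads[uri].extend(changesfiles[uri])` step. It should read `if not changesfiles.has_key(upload_uri):`, mirroring the `uploads.has_key(upload_uri)` check just above it.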
@@ -348,6 +356,9 @@ def main(): print "Generating template advisory..."; make_advisory(advisory_number, changes_files); + # Trigger security mirrors + spawn("sudo -u archvsync /home/archvsync/signal_security"); + do_upload(changes_files); ################################################################################ diff --git a/apt.conf-security b/apt.conf-security index 60428a00..f792f23d 100644 --- a/apt.conf-security +++ b/apt.conf-security @@ -13,10 +13,10 @@ Default FileMode 0664; } -tree "dists/stable/updates" +tree "dists/oldstable/updates" { - FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list"; - SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list"; + FileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_binary-$(ARCH).list"; + SourceFileList "/org/security.debian.org/katie-database/dists/oldstable_updates/$(SECTION)_source.list"; Sections "main contrib non-free"; Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source"; BinOverride "override.woody.$(SECTION)"; 
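Review bot: The mirror trigger added in main() hard-codes both the sudo target user and the script path in `spawn("sudo -u archvsync /home/archvsync/signal_security")`, while other host-specific values in this file are read from `Cnf` (for example `Amber::ComponentMappings`); a config key under `Amber::` would suit this command too. The call depends on a sudoers rule that is not part of this commit, and that rule should permit exactly this command, with no arguments and nothing broader. It runs before do_upload(), and how spawn() handles a non-zero exit or the No-Action option is not visible in this hunk, so confirm that a failed trigger cannot abort the upload and that a dry run does not signal the mirrors. main() continues outside the hunk.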
@@ -25,14 +25,26 @@ tree "dists/stable/updates" Contents " "; }; +tree "dists/stable/updates" +{ + FileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_binary-$(ARCH).list"; + SourceFileList "/org/security.debian.org/katie-database/dists/stable_updates/$(SECTION)_source.list"; + Sections "main contrib non-free"; + Architectures "alpha amd64 arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source"; + BinOverride "override.sarge.$(SECTION)"; + ExtraOverride "override.sarge.extra.$(SECTION)"; + SrcOverride "override.sarge.$(SECTION).src"; + Contents " "; +}; + tree "dists/testing/updates" { FileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_binary-$(ARCH).list"; SourceFileList "/org/security.debian.org/katie-database/dists/testing_updates/$(SECTION)_source.list"; Sections "main contrib non-free"; Architectures "alpha arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source"; - BinOverride "override.sarge.$(SECTION)"; - ExtraOverride "override.sarge.extra.$(SECTION)"; - SrcOverride "override.sarge.$(SECTION).src"; + BinOverride "override.etch.$(SECTION)"; + ExtraOverride "override.etch.extra.$(SECTION)"; + SrcOverride "override.etch.$(SECTION).src"; Contents " "; }; diff --git a/apt.conf.buildd-security b/apt.conf.buildd-security index 81a6b6dd..46388740 100644 --- a/apt.conf.buildd-security +++ b/apt.conf.buildd-security @@ -13,14 +13,14 @@ Default FileMode 0664; } -bindirectory "potato" +bindirectory "etch" { - Packages "potato/Packages"; - Sources "potato/Sources"; + Packages "etch/Packages"; + Sources "etch/Sources"; Contents " "; - BinOverride "override.potato.all3"; - BinCacheDB "packages-accepted-potato.db"; + BinOverride "override.etch.all3"; + BinCacheDB "packages-accepted-etch.db"; PathPrefix ""; Packages::Extensions ".deb .udeb"; }; diff --git a/cron.buildd-security b/cron.buildd-security index 5d22dc5c..05f2d138 100755 --- a/cron.buildd-security +++ b/cron.buildd-security 
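Review bot: The `dists/testing/updates` tree keeps an Architectures list without amd64, while the new `dists/stable/updates` tree in this hunk and the Testing suite in katie.conf-security (same commit) both list amd64. If amd64 uploads to testing-security are accepted, apt-ftparchive will presumably produce no amd64 Packages index for them. Either change the testing line to `Architectures "alpha amd64 arm hppa i386 ia64 mips mipsel m68k powerpc s390 sparc source";` or add a comment saying why testing differs.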
@@ -1,11 +1,12 @@ -#! /bin/sh +#! /bin/bash # # Executed after jennifer (merge there??) -ARCHS_stable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390" -ARCHS_testing="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390" -#DISTS="stable testing" -DISTS="stable" +ARCHS_oldstable="alpha arm hppa i386 ia64 m68k mips mipsel powerpc sparc s390" +ARCHS_stable="$ARCHS_oldstable" +ARCHS_testing="$ARCHS_stable" +DISTS="oldstable stable testing" +SSH_SOCKET=~/.ssh/buildd.debian.org.socket set -e export SCRIPTVARS=/org/security.debian.org/katie/vars-security 
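Review bot: `ARCHS_stable="$ARCHS_oldstable"` gives stable the oldstable architecture list, which has no amd64, although this commit adds amd64 to stable in katie.conf-security and apt.conf-security. If amd64 security builds are scheduled by some other means, a one-line comment such as `# amd64 is not fed to wanna-build from here` would record that; otherwise stable needs its own list with amd64 added. Chaining the three variables also means that a later edit to the oldstable list silently changes stable and testing.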
@@ -13,24 +14,54 @@ export SCRIPTVARS=/org/security.debian.org/katie/vars-security if [ ! -e $ftpdir/Archive_Maintenance_In_Progress ]; then cd $masterdir + for d in $DISTS; do + eval SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz` + eval PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz` + done apt-ftparchive -qq generate apt.conf.buildd-security + dists= for d in $DISTS; do - case "$d" in - stable) - ARCHS="$ARCHS_stable" - ;; - testing) - ARCHS="$ARCHS_testing" - ;; - *) - echo "unknown value in dists: $d" - exit 1 - ;; - esac - cd /org/security.debian.org/buildd/$d - for a in $ARCHS; do - quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd wanna-build -d $d-security -b $a/build-db --merge-partial-quinn - ssh buildd@buildd wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages - done + eval NEW_SOURCES_$d=`stat -c "%Y" $base/buildd/$d/Sources.gz` + eval NEW_PACKAGES_$d=`stat -c "%Y" $base/buildd/$d/Packages.gz` + old=SOURCES_$d + new=NEW_$old + if [ ${!new} -gt ${!old} ]; then + if [ -z "$dists" ]; then + dists="$d" + else + dists="$dists $d" + fi + continue + fi + old=PACKAGES_$d + new=NEW_$old + if [ ${!new} -gt ${!old} ]; then + if [ -z "$dists" ]; then + dists="$d" + else + dists="$dists $d" + fi + continue + fi done + if [ ! -z "$dists" ]; then + # setup ssh master process + ssh buildd@buildd -S $SSH_SOCKET -MN 2> /dev/null & + SSH_PID=$! + while [ ! 
-S $SSH_SOCKET ]; do + sleep 1 + done + trap 'kill -TERM $SSH_PID' 0 + for d in $dists; do + archs=ARCHS_$d + ARCHS=${!archs} + cd /org/security.debian.org/buildd/$d + for a in $ARCHS; do + quinn-diff -a /org/security.debian.org/buildd/Packages-arch-specific -A $a 2>/dev/null | ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -b $a/build-db --merge-partial-quinn + ssh buildd@buildd -S $SSH_SOCKET wanna-build -d $d-security -A $a -b $a/build-db --merge-packages < Packages + done + done + fi fi + +ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1 diff --git a/cron.daily-security b/cron.daily-security index 405b2924..32a45956 100644 --- a/cron.daily-security +++ b/cron.daily-security @@ -32,8 +32,9 @@ rm -fr non-US for suite in $suites; do case $suite in - stable) override_suite=woody;; - testing) override_suite=sarge;; + oldstable) override_suite=woody;; + stable) override_suite=sarge;; + testing) override_suite=etch;; *) echo "Unknown suite type ($suite)"; exit 1;; esac for component in $components; do 
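Review bot: The wait loop after starting the ssh master, `while [ ! -S $SSH_SOCKET ]; do sleep 1; done`, can only end when the socket appears, and the master's stderr is sent to /dev/null, so a refused or failed connection leaves the cron job spinning with no output. The EXIT trap is installed only after that loop, so an interrupted wait leaves the background ssh running. I would set the trap straight after `SSH_PID=$!` and bound the wait, failing loudly once the master has exited or a limit is reached (the 60 tries below is an example value). Separately, the final `ssh buildd@bester.farm.ftbfs.de -i ~/.ssh/id_bester sleep 1` sits outside the maintenance check and runs under `set -e`; a comment saying what it triggers, and whether its failure should fail the job, would help.

```shell
# … unchanged: ssh master start …
SSH_PID=$!
trap 'kill -TERM $SSH_PID' 0
tries=0
while [ ! -S $SSH_SOCKET ]; do
  if ! kill -0 $SSH_PID 2> /dev/null || [ $tries -ge 60 ]; then
    echo "ssh master connection to buildd failed" >&2
    exit 1
  fi
  tries=$((tries + 1))
  sleep 1
done
# … unchanged: per-dist quinn-diff / wanna-build loop …
```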
@@ -41,27 +42,40 @@ for suite in $suites; do case $override_type in deb) type="" ;; dsc) type=".src" ;; - udeb) type="skip" ;; + udeb) type=".debian-installer" ;; esac - if [ ! "$type" = "skip" ]; then - $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type - case $suite in - stable) - $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type - $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type - ;; - testing) - $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type - ;; - *) echo "Unknown suite type ($suite)"; exit 1;; - esac + # XXX RUN AFUCKINGAWAY + if [ "$override_type" = "udeb" ]; then + if [ ! "$component" = "main" ]; then + continue; + fi + if [ "$suite" = "unstable" ]; then + $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type + fi + else + $masterdir/natalie -q -S -t $override_type -s $suite -c updates/$component < override.$override_suite.$component$type fi + case $suite in + oldstable) + if [ ! 
"$override_type" = "udeb" ]; then + $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sarge.$component$type + fi + $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type + ;; + stable) + $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type + ;; + testing) + $masterdir/natalie -q -a -t $override_type -s $suite -c updates/$component < override.sid.$component$type + ;; + *) echo "Unknown suite type ($suite)"; exit 1;; + esac done done done # Generate .all3 overides for the buildd support -for dist in potato woody sarge; do +for dist in woody sarge etch; do rm -f override.$dist.all3 components="main contrib non-free"; if [ -f override.$dist.main.debian-installer ]; then diff --git a/docs/README.names b/docs/README.names index 4a949d43..3c773bc5 100644 --- a/docs/README.names +++ b/docs/README.names @@ -123,6 +123,7 @@ Kylie (Minogue) Laetitia (Casta) Lana (Parrilla) Liv (Tyler) +Marcia (Cross) Mariska (Hargitay) Michelle (Hunziker) Mira (Sorvino) diff --git a/docs/README.quotes b/docs/README.quotes index 413cf625..a188d59e 100644 --- a/docs/README.quotes +++ b/docs/README.quotes 
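Review bot: In the new udeb branch the test `if [ "$suite" = "unstable" ]` can never be true, because the `case $suite` at the top of the loop accepts only oldstable, stable and testing and exits on anything else. As written, `natalie -S` is never run for udeb overrides, and only the `-a` additions from override.sid in the case below are applied to them. If the intent was to load the suite's own `.debian-installer` override file, the condition needs to name one of the security suites or be dropped. The XXX comment above the branch should be replaced with one that says why udebs are limited to the main component.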
@@ -313,3 +313,15 @@ Canadians: This is a lighthouse. Your call. File "/org/ftp.debian.org/katie/kelly", line 608, in main sys.stderr.write("Installed %d package %s, %s.\n" % (install_count, sets, utils.size_type(int(install_bytes)))); OverflowError: float too large to convert + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +"The Hurd's design is so secure that it makes firewalls immoral IMHO." -- Jeroen Dekkers + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + I bought some foam soap for kids the other day and only + realized it had an elmo picture on it when I got home + now I can't use it because I feel perverted + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff --git a/katie.conf-security b/katie.conf-security index 3d6e6198..fe6cf1e4 100644 --- a/katie.conf-security +++ b/katie.conf-security @@ -4,7 +4,7 @@ Dinstall GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg"; SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg"; SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg"; - SigningKeyIds "1DB114E0"; + SigningKeyIds "4F368D5D"; SendmailCommand "/usr/sbin/sendmail -odq -oi -t"; MyEmailAddress "Debian Installer "; MyAdminAddress "ftpmaster@debian.org"; @@ -23,6 +23,7 @@ Dinstall BXANotify "false"; QueueBuildSuites { + oldstable; stable; testing; }; @@ -103,7 +104,7 @@ Suite // Priority determines which suite is used for the Maintainers file // as generated by charisma (highest wins). - Stable + Oldstable { Components { 
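Review bot: `SigningKeyIds "4F368D5D";` names the new archive signing key by its 32-bit short ID, which is not unique, since another key with the same short ID can exist in a keyring. If the tools that read this setting accept a long key ID or a full fingerprint (not visible from this hunk), use that form here. The rollover also deserves more than the ChangeLog's "update signing key"; a comment carrying the full fingerprint and the date of the switch would let a later reader verify it. The keyring paths on the context lines still point under /org/non-us.debian.org/, so confirm that the new secret key really lives in that keyring.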
@@ -137,6 +138,41 @@ Suite CopyKatie "/org/security.debian.org/queue/done/"; }; + Stable + { + Components + { + updates/main; + updates/contrib; + updates/non-free; + }; + Architectures + { + source; + all; + alpha; + amd64; + arm; + hppa; + i386; + ia64; + m68k; + mips; + mipsel; + powerpc; + s390; + sparc; + }; + Announce "katie@security.debian.org"; + Version "3.1"; + Origin "Debian"; + Label "Debian-Security"; + Description "Debian 3.1 Security Updates"; + CodeName "sarge"; + OverrideCodeName "sarge"; + CopyKatie "/org/security.debian.org/queue/done/"; + }; + Testing { Components @@ -149,6 +185,7 @@ Suite { source; all; + amd64; alpha; arm; hppa; @@ -166,8 +203,8 @@ Suite Origin "Debian"; Label "Debian-Security"; Description "Debian x.y Security Updates"; - CodeName "sarge"; - OverrideCodeName "sarge"; + CodeName "etch"; + OverrideCodeName "etch"; CopyKatie "/org/security.debian.org/queue/done/"; }; @@ -175,10 +212,11 @@ Suite SuiteMappings { + "silent-map oldstable-security oldstable"; "silent-map stable-security stable"; // JT - FIXME, hackorama - "silent-map testing-security stable"; - //"silent-map testing-security testing"; + // "silent-map testing-security stable"; + "silent-map testing-security testing"; }; Dir @@ -231,6 +269,7 @@ Architectures powerpc "PowerPC"; s390 "IBM S/390"; sparc "Sun SPARC/UltraSPARC"; + amd64 "AMD x86_64 (AMD64)"; }; @@ -348,6 +387,7 @@ Location Archive "security"; Suites { + Oldstable; Stable; Testing; }; diff --git a/templates/amber.advisory b/templates/amber.advisory index 0b6f26bd..50d59e94 100644 --- a/templates/amber.advisory +++ b/templates/amber.advisory @@ -11,9 +11,12 @@ __DATE__ Package : __PACKAGE__ Vulnerability : XXX -Problem type : XXX +Problem type : local/remote XXX Debian-specific: XXX CVE Id(s) : XXX +CERT advisory : XXX +BugTraq ID : XXX +Debian Bug : XXX ... 
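Review bot: In SuiteMappings the `// JT - FIXME, hackorama` marker now sits above a commented-out mapping, so it no longer describes live configuration; remove both comment lines and keep only `"silent-map testing-security testing";`. This hunk also changes where testing-security uploads land (previously mapped to stable, now to testing), which the ChangeLog entry for katie.conf-security does not mention and should.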
@@ -36,31 +39,30 @@ We recommend that you upgrade your __PACKAGE__ package. Upgrade instructions -------------------- - To perform automated upgrades using apt: +wget url + will fetch the file for you +dpkg -i file.deb + will install the referenced file. - deb http://security.debian.org/ woody/updates main - added to /etc/apt/sources.list will give you access to woody updates. +If you are using the apt-get package manager, use the line for +sources.list as given below: - deb http://security.debian.org/ potato/updates main - added to /etc/apt/sources.list will give you access to potato updates. - - apt-get update - will update apt's package database of packages and versions - - apt-get upgrade +apt-get update + will update the internal database +apt-get upgrade will install corrected packages - Alternatively, to obtain and install packages by hand: - - wget URL - will fetch the file for you. - dpkg -i FILENAME.deb - will install the fetched file. - +You may use an automated update by adding the resources from the +footer to the proper configuration. __ADVISORY_TEXT__ -------------------------------------------------------------------------------- -Mailing list: http://lists.debian.org/debian-security-announce/ -Package info: 'apt-cache show ' and http://packages.debian.org/ + These files will probably be moved into the stable distribution on + its next update. + +--------------------------------------------------------------------------------- +For apt-get: deb http://security.debian.org/ stable/updates main +For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main +Mailing list: debian-security-announce@lists.debian.org +Package info: `apt-cache show ' and http://packages.debian.org/ diff --git a/vars-security b/vars-security index f042e2ef..05ccc8c1 100644 --- a/vars-security +++ b/vars-security 
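Review bot: The new footer hard-codes `stable/updates` in both the apt-get and dpkg-ftp lines, while this same commit adds oldstable as a security suite; an advisory that covers only oldstable would hand readers a sources.list line for the wrong release. The removed text listed one line per release, so either keep per-release lines or make the suite a substitution in the style of `__PACKAGE__`. The manual `wget url` / `dpkg -i file.deb` route is now listed first, and it would be safer to tell readers to compare the download against the checksums in the signed advisory before installing, assuming `__ADVISORY_TEXT__` carries them.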
@@ -13,7 +13,7 @@ uploadhost=ftp-master.debian.org uploaddir=/pub/UploadQueue/ components="main non-free contrib" -suites="stable testing" +suites="oldstable stable testing" override_types="deb dsc udeb" PATH=$masterdir:$PATH -- 2.39.5