authorSean Whitton <spwhitton@spwhitton.name>2019-07-27 07:37:46 +0100
committerSean Whitton <spwhitton@spwhitton.name>2019-07-27 07:37:46 +0100
commit52a1202279ebb2bbeb8f69e11e9f5cb0c92830d8 (patch)
tree46a344c36e51604dfefc66219312aebc06bd8039
parent8ed77cb09dc854ac3de831b3e64776f6f6528211 (diff)
parent54f54996175734cf141d4568b16fa0d06a63580f (diff)
Merge tag 'debian/9.6' into buster-bpo
dgit release 9.6 for unstable (sid) [dgit] [dgit distro=debian no-split] # gpg: Signature made Thu 25 Jul 2019 01:13:52 PM BST # gpg: using RSA key 559AE46C2D6B6D3265E7CBA1E3E3392348B50D39 # gpg: Can't check signature: No public key
-rw-r--r--debian/changelog20
-rw-r--r--debian/control6
-rwxr-xr-xdgit148
-rw-r--r--dgit.18
-rwxr-xr-xgit-playtree-setup2
-rwxr-xr-xinfra/dgit-repos-server2
6 files changed, 102 insertions, 84 deletions
diff --git a/debian/changelog b/debian/changelog
index 6d7fd07..68dbd53 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+dgit (9.6) unstable; urgency=medium
+
+ * git-playtree-setup had a spurious set -x so many programs spewed
+ debugging output. This is now fixed. Closes:#932959.
+
+ dgit:
+ * Drop support for configuring old, not currently enabled, methods
+ of TLS key/cert pinning. We are going to revisit this soon.
+ * Provide a --for-push option (useful in for certain special users).
+ * Reduce variety in HTTP clients we use. Specificalloy, use WWW::Curl
+ for accessing (i) the ftpmaster API, (ii) the http dgit git server
+ mirror (iii) downloading the .dsc.
+
+ Administrivia:
+ * Add missing Closes of #932476 to changelog entry for 9.5
+
+ -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 25 Jul 2019 13:12:08 +0100
+
dgit (9.5~bpo10+1) buster-backports; urgency=medium
* Rebuild for buster-backports.
@@ -8,7 +26,7 @@ dgit (9.5) unstable; urgency=medium
git-debpush [Sean Whitton]:
* Support ignoring individual checks with --force=check. Closes:#932459.
- * Check upstream source is identical in the upstream tag.
+ * Check upstream source is identical in the upstream tag. Closes:#932476.
* Check that patches are (un)applicable. Closes:#932477.
* Check for an unstitched git-debrebase branch. Closes:#932612.
* Check for explicitly pushing detached HEAD.
diff --git a/debian/control b/debian/control
index 3395984..3e82d8d 100644
--- a/debian/control
+++ b/debian/control
@@ -9,13 +9,13 @@ Vcs-Git: https://salsa.debian.org/dgit-team/dgit
Vcs-Browser: https://salsa.debian.org/dgit-team/dgit
Package: dgit
-Depends: perl, libwww-perl, libdpkg-perl, git-core, devscripts, dpkg-dev,
+Depends: perl, libdpkg-perl, git-core, devscripts, dpkg-dev,
${misc:Depends}, git-buildpackage, liblist-moreutils-perl,
liblocale-gettext-perl,
coreutils (>= 8.23-1~),
libdigest-sha-perl, dput, curl, apt,
libjson-perl, ca-certificates,
- libtext-iconv-perl, libtext-glob-perl
+ libtext-iconv-perl, libtext-glob-perl, libwww-curl-perl
Recommends: ssh-client
Suggests: sbuild | pbuilder | cowbuilder
Architecture: all
@@ -53,7 +53,7 @@ Description: client script for git pushing to Debian-style archives
Package: dgit-infrastructure
Depends: ${misc:Depends}, perl, git-core, gpgv, chiark-utils-bin,
libjson-perl, libdigest-sha-perl, libdbd-sqlite3-perl, sqlite3,
- libwww-perl, libdpkg-perl,
+ libdpkg-perl,
liblocale-gettext-perl
Recommends: dgit
Architecture: all
diff --git a/dgit b/dgit
index cde8546..6401524 100755
--- a/dgit
+++ b/dgit
@@ -30,7 +30,7 @@ setup_sigwarn();
use IO::Handle;
use Data::Dumper;
-use LWP::UserAgent;
+use WWW::Curl::Easy;
use Dpkg::Control::Hash;
use File::Path;
use File::Spec;
@@ -54,6 +54,8 @@ use Debian::Dgit;
our $our_version = 'UNRELEASED'; ###substituted###
our $absurdity = undef; ###substituted###
+$SIG{INT} = 'DEFAULT'; # work around #932841
+
our @rpushprotovsn_support = qw(6 5 4); # Reverse order!
our $protovsn;
@@ -637,20 +639,6 @@ sub progress {
our $ua;
-sub url_get {
- if (!$ua) {
- $ua = LWP::UserAgent->new();
- $ua->env_proxy;
- }
- my $what = $_[$#_];
- progress "downloading $what...";
- my $r = $ua->get(@_) or confess "$!";
- return undef if $r->code == 404;
- $r->is_success or fail f_ "failed to fetch %s: %s",
- $what, $r->status_line;
- return $r->decoded_content(charset => 'none');
-}
-
our ($dscdata,$dscurl,$dsc,$dsc_checked,$skew_warning_vsn);
sub act_local () { return $dryrun_level <= 1; }
@@ -1190,56 +1178,72 @@ sub cfg_apply_map ($$$) {
$$varref = $_;
}
-#---------- `ftpmasterapi' archive query method (nascent) ----------
+sub url_fetch ($;@) {
+ my ($url, %xopts) = @_;
+ # Ok404 => 1 means give undef for 404
+ # AccessBase => 'archive-query' (eg)
+ # CurlOpts => { key => value }
-sub archive_api_query_cmd ($) {
- my ($subpath) = @_;
- my @cmd = (@curl, qw(-sS));
- my $url = access_cfg('archive-query-url');
- if ($url =~ m#^https://([-.0-9a-z]+)/#) {
- my $host = $1;
- my $keys = access_cfg('archive-query-tls-key','RETURN-UNDEF') //'';
- foreach my $key (split /\:/, $keys) {
- $key =~ s/\%HOST\%/$host/g;
- if (!stat $key) {
- fail "for $url: stat $key: $!" unless $!==ENOENT;
- next;
- }
- fail f_ "config requested specific TLS key but do not know".
- " how to get curl to use exactly that EE key (%s)",
- $key;
-# push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
-# # Sadly the above line does not work because of changes
-# # to gnutls. The real fix for #790093 may involve
-# # new curl options.
- last;
+ my $curl = WWW::Curl::Easy->new;
+ my $setopt = sub {
+ my ($k,$v) = @_;
+ my $x = $curl->setopt($k, $v);
+ confess "$k $v ".$curl->strerror($x)." ?" if $x;
+ };
+
+ my $response_body;
+ $setopt->(CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS|CURLPROTO_HTTP);
+ $setopt->(CURLOPT_URL, $url);
+ $setopt->(CURLOPT_NOSIGNAL, 1);
+ $setopt->(CURLOPT_WRITEDATA, \$response_body);
+
+ my $xcurlopts = $xopts{CurlOpts} // { };
+ keys %$xcurlopts;
+ while (my ($k,$v) = each %$xcurlopts) { $setopt->($k,$v); }
+
+ if ($xopts{AccessBase} && $url =~ m#^https://([-.0-9a-z]+)/#) {
+ foreach my $k ("$xopts{AccessBase}-tls-key",
+ "$xopts{AccessBase}-tls-curl-ca-args") {
+ fail "config option $k is obsolete and no longer supported"
+ if defined access_cfg($k, 'RETURN-UNDEF');
}
- # Fixing #790093 properly will involve providing a value
- # for this on clients.
- my $kargs = access_cfg('archive-query-tls-curl-ca-args','RETURN-UNDEF');
- push @cmd, split / /, $kargs if defined $kargs;
}
- push @cmd, $url.$subpath;
- return @cmd;
+
+ printdebug "query: fetching $url...\n";
+
+ local $SIG{PIPE} = 'IGNORE';
+
+ my $x = $curl->perform();
+ fail f_ "fetch of %s failed (%s): %s",
+ $url, $curl->strerror($x), $curl->errbuf
+ if $x;
+
+ my $code = $curl->getinfo(CURLINFO_HTTP_CODE);
+ if ($code eq '404' && $xopts{Ok404}) { return undef; }
+
+ fail f_ "fetch of %s gave HTTP code %s", $url, $code
+ unless $url =~ m#^file://# or $code =~ m/^2/;
+ return $response_body;
+}
+
+#---------- `ftpmasterapi' archive query method (nascent) ----------
+
+sub api_query_raw ($;$) {
+ my ($subpath, $ok404) = @_;
+ my $url = access_cfg('archive-query-url');
+ $url .= $subpath;
+ return url_fetch $url,
+ Ok404 => $ok404,
+ AccessBase => 'archive-query';
}
sub api_query ($$;$) {
- use JSON;
my ($data, $subpath, $ok404) = @_;
+ use JSON;
badcfg __ "ftpmasterapi archive query method takes no data part"
if length $data;
- my @cmd = archive_api_query_cmd($subpath);
- my $url = $cmd[$#cmd];
- push @cmd, qw(-w %{http_code});
- my $json = cmdoutput @cmd;
- unless ($json =~ s/\d+\d+\d$//) {
- failedcmd_report_cmd undef, @cmd;
- fail __ "curl failed to print 3-digit HTTP code";
- }
- my $code = $&;
- return undef if $code eq '404' && $ok404;
- fail f_ "fetch of %s gave HTTP code %s", $url, $code
- unless $url =~ m#^file://# or $code =~ m/^2/;
+ my $json = api_query_raw $subpath, $ok404;
+ return undef unless defined $json;
return decode_json($json);
}
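Review bot: `my $response_body;` in url_fetch starts out undefined and is returned unchanged on a 2xx, so a successful response with no body looks the same to callers as the `Ok404` undef. That matters for the `CURLOPT_NOBODY` request in check_for_git further down, which returns `defined $result`: if WWW::Curl never writes to the scalar when no body arrives, a 200 would be reported as "no repository", and api_query would likewise return undef for an empty 2xx reply. Initialising it as `my $response_body = '';` keeps undef reserved for the 404 case. Separately, `CURLOPT_REDIR_PROTOCOLS` is set but no `CURLOPT_FOLLOWLOCATION` is visible, so a 3xx appears to end in the "gave HTTP code" failure, and if following is enabled later the mask still permits an https-to-http downgrade; a comment stating the intended redirect policy would help.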
@@ -1730,7 +1734,7 @@ sub get_archive_dsc () {
foreach my $vinfo (@vsns) {
my ($vsn,$vsn_dscurl,$digester,$digest) = @$vinfo;
$dscurl = $vsn_dscurl;
- $dscdata = url_get($dscurl);
+ $dscdata = url_fetch($dscurl);
if (!$dscdata) {
$skew_warning_vsn = $vsn if !defined $skew_warning_vsn;
next;
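Review bot: `url_fetch($dscurl)` is called without `Ok404 => 1`, so a missing .dsc no longer reaches the `if (!$dscdata)` branch that records `$skew_warning_vsn` and moves on to the next version. The removed url_get returned undef on 404, whereas url_fetch as added in this commit calls `fail` for any non-2xx code unless `Ok404` is set. If the skew handling is still wanted, the call should read `$dscdata = url_fetch($dscurl, Ok404 => 1);`. The loop body continues outside the hunk.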
@@ -1784,22 +1788,11 @@ sub check_for_git () {
my $suffix = access_cfg('git-check-suffix','git-suffix',
'RETURN-UNDEF') // '.git';
my $url = "$prefix/$package$suffix";
- my @cmd = (@curl, qw(-sS -I), $url);
- my $result = cmdoutput @cmd;
- $result =~ s/^\S+ 200 .*\n\r?\n//;
- # curl -sS -I with https_proxy prints
- # HTTP/1.0 200 Connection established
- $result =~ m/^\S+ (404|200) /s or
- fail +(__ "unexpected results from git check query - ").
- Dumper($prefix, $result);
- my $code = $1;
- if ($code eq '404') {
- return 0;
- } elsif ($code eq '200') {
- return 1;
- } else {
- die;
- }
+ my $result = url_fetch $url,
+ CurlOpts => { CURLOPT_NOBODY() => 1 },
+ Ok404 => 1,
+ AccessBase => 'git-check';
+ return defined $result;
} elsif ($how eq 'true') {
return 1;
} elsif ($how eq 'false') {
@@ -7340,10 +7333,8 @@ sub cmd_archive_api_query {
badusage __ "need only 1 subpath argument" unless @ARGV==1;
my ($subpath) = @ARGV;
local $isuite = 'DGIT-API-QUERY-CMD';
- my @cmd = archive_api_query_cmd($subpath);
- push @cmd, qw(-f);
- debugcmd ">",@cmd;
- exec @cmd or fail f_ "exec curl: %s\n", $!;
+ my $json = api_query_raw $subpath;
+ print $json or die "$!";
}
sub repos_server_url () {
@@ -7599,6 +7590,9 @@ sub parseopts () {
f_ "%s: warning: ignoring unknown force option %s\n",
$us, $_;
$_='';
+ } elsif (m/^--for-push$/s) {
+ push @ropts, $_;
+ $access_forpush = 1;
} elsif (m/^--config-lookup-explode=(.+)$/s) {
# undocumented, for testing
push @ropts, $_;
diff --git a/dgit.1 b/dgit.1
index f099ed0..a7346e5 100644
--- a/dgit.1
+++ b/dgit.1
@@ -1327,6 +1327,12 @@ Force on or off the use of the absurd git-apply emulation
when running gbp pq import
when importing a package from a .dsc.
See Debian bug #841867.
+.TP
+.BR \-\-for\-push
+Override the dgit-distro.distro.readonly configuration setting,
+to specify that we have read/write access
+and should use the corresponding git and achive access approach
+even if the operation is a read-only one.
.SH CONFIGURATION
dgit can be configured via the git config system.
You may set keys with git-config (either in system-global or per-tree
@@ -1519,7 +1525,7 @@ also the \-\-ssh= and \-\-ssh: options.
Default git user.email and user.name for new trees. See
.BR "dgit setup-new-tree" .
.TP
-.BR gpg ", " dpkg- "..., " debsign ", " git ", " curl ", " dput ", " LWP::UserAgent
+.BR gpg ", " dpkg- "..., " debsign ", " git ", [" lib ] curl ", " dput
and other subprograms and modules used by dgit are affected by various
environment variables. Consult the documentation for those programs
for details.
diff --git a/git-playtree-setup b/git-playtree-setup
index 5d890a0..184de4d 100755
--- a/git-playtree-setup
+++ b/git-playtree-setup
@@ -8,7 +8,7 @@
# cd .git/some/play/thing
# git-playtree-setup .
-set -ex
+set -e${GIT_PLAYTREE_SETUP_DEBUG}
target=$1; shift
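Review bot: `set -e${GIT_PLAYTREE_SETUP_DEBUG}` splices an unquoted environment value straight into the option string, so anything other than an empty value or valid flag letters changes how the script runs. In particular, a value containing whitespace makes `set` replace the positional parameters just before `target=$1; shift` reads them. Treating the variable as a boolean avoids that: `set -e${GIT_PLAYTREE_SETUP_DEBUG:+x}`. The variable is not mentioned in the usage comment visible above the hunk; a line such as `# Set GIT_PLAYTREE_SETUP_DEBUG to a non-empty value for shell tracing.` would document it.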
diff --git a/infra/dgit-repos-server b/infra/dgit-repos-server
index 4c7e031..f94315a 100755
--- a/infra/dgit-repos-server
+++ b/infra/dgit-repos-server
@@ -1263,7 +1263,7 @@ END
$clogf->('Version', $version);
$clogf->('Source', $package);
- @fetch = (@dgit, qw(fetch), $suite);
+ @fetch = (@dgit, qw(--for-push fetch), $suite);
debugcmd "+",@_;
$!=0; $?=-1;
if (system @fetch) {
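Review bot: The call site does not record why the server-side fetch now passes `--for-push`. A comment above the assignment, such as `# --for-push: use the read/write access method for this fetch, see dgit(1)`, would keep a later reader from dropping the flag as redundant on a read-only operation. The `debugcmd "+",@_;` context line that follows logs `@_` rather than `@fetch`, which looks unintended, though it predates this change. The enclosing code starts and ends outside the hunk.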