security

change it to use a local queued for uploads to ftpmaster.
long term wish from security team to get rid of the old and unreliable
direct ftp.
Signed-off-by: NJoerg Jaspert <joerg@debian.org>

config/debian-security/dak.conf

@@ -205,6 +205,7 @@ Dir
   MorgueReject "reject";
   Override "/org/security.debian.org/scripts/override/";
   QueueBuild "/org/security.debian.org/buildd/";
+  Upload "/srv/queued/UploadQueue/";
   Queue
   {
     Accepted "/org/security.debian.org/queue/accepted/";

dak/new_security_install.py

@@ -278,9 +278,11 @@ def actually_upload(changes_files):
     for uri in uploads.keys():
         uploads[uri].extend(changesfiles[uri])
         (host, path) = uri.split(":")
-        file_list = " ".join(uploads[uri])
-        print "Uploading files to %s..." % (host)
-        spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
+        #        file_list = " ".join(uploads[uri])
+        print "Moving files to UploadQueue"
+        for filename in uploads[uri]:
+            utils.copy(filename, Cnf["Dir::Upload"])
+        #spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
 
     if not Options["No-Action"]:
         filename = "%s/testing-processed" % (Cnf["Dir::Log"])

dak/security_install.py

@@ -132,9 +132,11 @@ def do_upload(changes_files):
     for uri in uploads.keys():
         uploads[uri].extend(changesfiles[uri])
         (host, path) = uri.split(":")
-        file_list = " ".join(uploads[uri])
-        print "Uploading files to %s..." % (host)
-        spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
+        #file_list = " ".join(uploads[uri])
+        print "Moving files to UploadQueue"
+        for filename in uploads[uri]:
+            utils.copy(filename, Cnf["Dir::Upload"])
+        #spawn("lftp -c 'open %s; cd %s; put %s'" % (host, path, file_list))
 
     if not Options["No-Action"]:
         filename = "%s/testing-processed" % (Cnf["Dir::Log"])

tools/debianqueued-0.9/config-security

+#
+# example configuration file for debianqueued
+#
+
+# set to != 0 for debugging output (to log file)
+$debug = 0;
+
+# various programs:
+# -----------------
+$gpg       = "/usr/bin/gpg";
+$ssh       = "/usr/bin/ssh";
+$scp       = "/usr/bin/scp";
+$ssh_agent = "/usr/bin/ssh-agent";
+$ssh_add   = "/usr/bin/ssh-add";
+$md5sum    = "/usr/bin/md5sum";
+$mail      = "/usr/sbin/sendmail";
+$mkfifo    = "/usr/bin/mkfifo";
+$tar       = "/bin/tar"; # must be GNU tar!
+$gzip      = "/bin/gzip";
+$ar        = "/usr/bin/ar"; # must support p option, optional
+$ls        = "/bin/ls";
+$cp        = "/bin/cp";
+$chmod     = "/bin/chmod";
+
+# binaries which existance should be tested before each queue run
+#@test_binaries = ();
+
+# general options to ssh/scp
+$ssh_options = "-o'BatchMode yes' -o'FallBackToRsh no' ".
+               "-o'ForwardAgent no' -o'ForwardX11 no' ".
+               "-o'PasswordAuthentication no' -o'StrictHostKeyChecking yes'";
+
+# ssh key file to use for connects to master (empty: default ~/.ssh/identity)
+$ssh_key_file = "";
+
+# the incoming dir we live in
+$incoming = "/srv/queued/UploadQueue";
+
+# the delayed incoming directories
+$incoming_delayed = "/srv/queued/UploadQueue/DELAYED/%d-day";
+
+# maximum delay directory, -1 for no delayed directory,
+# incoming_delayed and target_delayed need to exist.
+$max_delayed = -1;
+
+# files not to delete in $incoming (regexp)
+$keep_files = '(status|\.message|README)$';
+
+# file patterns that aren't deleted right away
+$valid_files = '(\.changes|\.tar\.gz|\.dsc|\.u?deb|diff\.gz|\.sh)$';
+
+# Change files to mode 644 locally (after md5 check) or only on master?
+$chmod_on_target = 0;
+
+# Do an md5sum check?
+$check_md5sum = 0;
+
+# name of the status file or named pipe in the incoming dir
+$statusfile = "$incoming/status";
+
+# if 0, status file implemented as FIFO; if > 0, status file is plain
+# file and updated with a delay of this many seconds
+$statusdelay = 30;
+
+# names of the keyring files
+@keyrings = ( "/srv/keyring.debian.org/keyrings/debian-keyring.gpg",
+              "/srv/keyring.debian.org/keyrings/debian-keyring.pgp");
+
+# our log file
+$logfile = "$queued_dir/log";
+
+# our pid file
+$pidfile = "$queued_dir/pid";
+
+# upload method (ssh, copy, ftp)
+$upload_method = "ftp";
+
+# name of target host (ignored on copy method)
+$target = "ftp.upload.debian.org";
+
+# login name on target host (for ssh, always 'ftp' for ftp, ignored for copy)
+$targetlogin = "ftp";
+
+# incoming on target host
+$targetdir = "/pub/UploadQueue/";
+
+# incoming/delayed on target host
+$targetdir_delayed = "/srv/queued/DEFERRED/%d-day";
+
+# select FTP debugging
+$ftpdebug = 0;
+
+# FTP timeout
+$ftptimeout = 900;
+
+# max. number of tries to upload
+$max_upload_retries = 8;
+
+# delay after first failed upload
+$upload_delay_1 = 30*60; # 30 min.
+
+# delay between successive failed uploads
+$upload_delay_2 = 4*60*60; # 4 hours
+
+# packages that must go to nonus.debian.org and thus are rejected here
+#@nonus_packages = qw(gpg-rsaidea);
+
+# timings:
+# --------
+#   time between two queue checks
+$queue_delay = 5*60; # 5 min.
+#   when are stray files deleted?
+$stray_remove_timeout = 24*60*60; # 1 day
+#   delay before reporting problems with a .changes file (not
+#   immediately for to-be-continued uploads)
+$problem_report_timeout = 30*60; # 30 min.
+#   delay before reporting that a .changes file is missing (not
+#   immediately for to-be-continued uploads)
+$no_changes_timeout = 30*60; # 30 min.
+#   when are .changes with persistent problems removed?
+$bad_changes_timeout = 2*24*60*60; # 2 days
+#   how long may a remote operation (ssh/scp) take?
+$remote_timeout = 3*60*60; # 3 hours
+
+# mail address of maintainer
+$maintainer_mail = "ftpmaster\@debian.org";
+
+
+# logfile rotating:
+# -----------------
+#    how often to rotate (in days)
+$log_age = 7;
+#    how much old logs to keep
+$log_keep = 4;
+#    send summary mail when rotating logs?
+$mail_summary = 1;
+#    write summary to file when rotating logs? (no if name empty)
+$summary_file = "$queued_dir/summary";
+
+# don't remove this, Perl needs it!
+1;