Diffstat (limited to 'doc/wydawca.texi')
-rw-r--r-- doc/wydawca.texi | 151
1 files changed, 138 insertions, 13 deletions
diff --git a/doc/wydawca.texi b/doc/wydawca.texi index 41307fb..88c2e6c 100644 --- a/doc/wydawca.texi +++ b/doc/wydawca.texi @@ -490,6 +490,7 @@ directives any time by running @command{wydawca --config-help}. * dictionaries:: * archivation:: * spool:: +* verification:: * statistics:: * notification:: @end menu 
@@ -1831,6 +1832,113 @@ spool ftp @{ @end group @end smallexample +@node verification +@section Distribution Verification +@cindex verification +@cindex distribution verification + +After the submission has been verified, @command{wydawca} may also run +an additional check to verify whether the main file (normally, +a tarball) is OK to be distributed. To set up such @dfn{distribution +verification}, add the following statement either in the global scope, +or within a @samp{spool} declaration: + +@deffn {Config} check-script @var{text} +@deffnx {Config:spool} check-script @var{text} +Define the distribution verification script. The @var{text} must +be a valid @file{sh} program. It is executed without arguments, +in a temporary directory which contains a copy of the main +distribution file. The script can refer to the following environment +variables: + +@defvr {Check Environment} WYDAWCA_SPOOL +Spool tag. +@end defvr + +@defvr {Check Environment} WYDAWCA_SOURCE +Spool source directory, as set by the @code{source} statement +(@pxref{spool,,tag}). +@end defvr + +@defvr {Check Environment} WYDAWCA_DEST +Spool destination directory (@pxref{spool,,destination}). +@end defvr + +@defvr {Check Environment} WYDAWCA_URL +Spool @acronym{URL} (@pxref{spool,,url}). +@end defvr + +@defvr {Check Environment} WYDAWCA_TRIPLET_BASE +Base name of the triplet. +@end defvr + +@defvr {Check Environment} WYDAWCA_DIST_FILE +File name of the main distribution file. +@end defvr + +Apart from these, the script inherits @command{wydawca} environment. + +The submission is accepted only if the script returns 0. Otherwise, +it is rejected and the @samp{check-failure} event (@pxref{event +notification}) is generated. + +In case of non-zero return, the script may return additional +diagnostics on the standard output. This diagnostics will be +available for use in notification messages via the @samp{check:diagn} +meta-variable. 
+ +Additionally, the actual return code of the script, in decimal, is +available in the @samp{check:result} meta-variable. If the script +terminates on a signal, the value of this variable is +@samp{SIG+@var{n}}, where @var{n} is the signal number. +@end deffn + + If both global and spool @samp{check-script}s are defined, +@command{wydawca} executes both scripts as if they were connected +by a logical @samp{&&}, i.e. per-spool script is executed only if +the global one returned success (@samp{0}). The submission is accepted +only if both scripts returned @samp{0}. + + Since the script usually contains several lines, the +@samp{config-script} value is usually supplied using a here-document +construct (@pxref{here-document}). + + The following example illustrates the use of @samp{config-script} to +catch possible security holes in the distributed @file{Makefile.in} +files@footnote{See +@uref{http://article.gmane.org/gmane.comp.sysutils.autotools.announce/131}.} + +@smallexample + check-script <<EOT +case $@{WYDAWCA_DIST_FILE@} in +*.tar|*.tar.*) + if tar -xOf $@{WYDAWCA_DIST_FILE@} --occurrence=1 \ + --wildcards --no-wildcards-match-slash '*/Makefile.in' | \ + grep -q 'perm -777'; then + fmt <<_EOF_ +The top-level Makefile.in in $@{WYDAWCA_DIST_FILE@} changes mode of +all the directories below the build tree to 777 before creating +the tarball. This constitutes a security hole (see CVE-2009-4029[1], +for more details). + +Please, rebuild the package using a newer Automake (v. 1.11.2 or newer) +and resubmit. +_EOF_ + cat <<_EOF_ +-- +[1] http://article.gmane.org/gmane.comp.sysutils.autotools.announce/131 +_EOF_ + exit 1 + fi + ;; +*) + ;; +esac + +exit 0 +EOT; +@end smallexample + @node statistics @section Statistics @cindex statistics 
@@ -2363,6 +2471,11 @@ uploader. @item bad-detached-signature The detached signature does not match the public key of the uploader. + +@kwindex check-failure +@item check-failure + Distribution verification failed. @xref{verification}, for a +detailed description. @end table @end deffn @@ -2444,25 +2557,31 @@ root) where the files where uploaded. @item dest-dir @tab Value of the @code{destination} keyword. @kwindex source-dir @item source-dir @tab Value of the @code{source} keyword. -@kwindex triplet:full -@item triplet:full @tab A full listing of the uploaded +@kwindex triplet:dist +@item triplet:dist @tab File name of the main distribution file. +@kwindex triplet:sig +@item triplet:sig @tab File name of the detached signature file. +@kwindex triplet:dir +@item triplet:dir @tab File name of the directive file. +@kwindex triplet:ls:full +@item triplet:ls:full @tab A full listing of the uploaded triplet@footnote{It is equivalent to: @smallexample @group -$@{triplet:dist@} -$@{triplet:sig@} -$@{triplet:dir@} +$@{triplet:ls:dist@} +$@{triplet:ls:sig@} +$@{triplet:ls:dir@} @end group @end smallexample }. -@kwindex triplet:upload +@kwindex triplet:ls:upload @item triplet:upload @tab Listing of the uploaded files (see below). @kwindex triplet:dist -@item triplet:dist @tab Listing of the main distribution file (see below). -@kwindex triplet:sig -@item triplet:sig @tab Listing of the detached signature file (see below). -@kwindex triplet:dir -@item triplet:dir @tab Listing of the directive file (see below). +@item triplet:ls:dist @tab Listing of the main distribution file (see below). +@kwindex triplet:ls:sig +@item triplet:ls:sig @tab Listing of the detached signature file (see below). +@kwindex triplet:ls:dir +@item triplet:ls:dir @tab Listing of the directive file (see below). @kwindex user @item user @tab System name of the user who uploaded the triplet. @kwindex user:name 
@@ -2471,6 +2590,12 @@ $@{triplet:dir@} @item user:real-name @tab Real name of the user who uploaded the triplet. @kwindex user:email @item user:email @tab Email of the user who uploaded the triplet. +@kwindex check:result +@item check:result @tab Code returned by external checker, in +decimal. @xref{verification,,check:result}, for a detailed description. +@kwindex check:diagn +@item check:diagn @tab Diagnostics text returned by external +checker. @xref{verification}, for a detailed description. @end multitable @cindex timers @@ -2509,7 +2634,7 @@ processing this spool. @dfn{Listings} referred to in the table above, are similar to those produced by @code{ls} command, and include information on file permissions, ownership, size and modification date. For -example, here is a possible @code{$@{triplet:full@}} listing: +example, here is a possible @code{$@{triplet:ls:full@}} listing: @smallexample -rw-r--r-- gray users 2707278 2007-09-06 22:14:35 tar-1.18.tar.gz @@ -2531,7 +2656,7 @@ Subject: Upload of $@{project@} successful Upload of $@{project@} to $@{url@}/$@{dir@} finished successfully. Files uploaded: -$@{triplet:upload@} +$@{triplet:ls:upload@} Resource usage: $@{timer:triplet:real@}/$@{timer:wydawca:real@}r \ $@{timer:triplet:user@}/$@{timer:wydawca:user@}u \ |
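Review bot: in the @@ -1831 hunk (the new @node verification section) the prose twice names the directive @samp{config-script} ("the @samp{config-script} value is usually supplied using a here-document" and "illustrates the use of @samp{config-script}"), but the keyword defined by the @deffn is check-script; both should read @samp{check-script} so the text matches the configuration statement. In the same hunk the WYDAWCA_SOURCE entry describes the @code{source} statement but cross-references @pxref{spool,,tag}; @pxref{spool,,source} looks like the intended target. Smaller points: "This diagnostics will be available" should be "These diagnostics will be available"; the added paragraphs beginning " If both global", " Since the script" and " The following example" carry a stray leading space; and the example script passes $@{WYDAWCA_DIST_FILE@} unquoted to tar, so a distribution file name containing whitespace would be split, which is avoided by writing "$@{WYDAWCA_DIST_FILE@}" in both places.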
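Review bot: in the @@ -2363 hunk the description line of the new check-failure event (" Distribution verification failed.") starts with a stray space, unlike the neighbouring @item entries; drop it for consistency.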
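Review bot: in the @@ -2444 hunk the renames are incomplete. The index entry was changed to @kwindex triplet:ls:upload but the following row still reads @item triplet:upload, while the example later in the patch uses $@{triplet:ls:upload@}; the @item should become triplet:ls:upload. Likewise the unchanged context line @kwindex triplet:dist now precedes the new @item triplet:ls:dist, so that index entry points at the wrong row and duplicates the @kwindex triplet:dist added a few lines earlier; it should read @kwindex triplet:ls:dist. Since this hunk also changes the meaning of the existing triplet:dist, triplet:sig and triplet:dir meta-variables from an ls-style listing to a bare file name, existing notification templates will silently produce different output; the change should be called out in the documentation (and NEWS) so administrators know to switch those templates to the triplet:ls:* forms.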
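Review bot: in the @@ -2471 hunk the check:result row says only "Code returned by external checker, in decimal", whereas the @deffn in the verification section states that on termination by a signal the value is @samp{SIG+@var{n}}; a template author reading only the table would not expect a non-numeric value, so either mention the signal form here or phrase the row as "Exit status of the external checker (see @ref{verification,,check:result} for the signal case)".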