e86bd09e3c
Vulnerable packages are uploaded directly into the vulnerable subdir. While here: quote variables; better handling of the temporary directory; remove some backwards compatibility code that's been here long enough; opsys-specific package handling was doing the same as non-opsys specific, so fold them together. Written together with dillo.
#!/bin/sh
# $NetBSD: upload,v 1.26 2005/05/08 13:29:09 wiz Exp $

#
# Upload non-restricted binary pkgs to ftp server
#

# Commands used to produce the MD5 and SHA1 checksum files.
MD5="digest md5"
SHA1="digest sha1"

# Choose the make program and the platform's native checksum commands.
# On platforms not listed below, BSDSUM, CKSUM and SYSVSUM are not assigned
# here.
opsys=$(uname -s)
case "$opsys" in
NetBSD)
	BMAKE=make
	BSDSUM="sum -o 1"
	CKSUM="cksum"
	SYSVSUM="sum -o 2"
	;;
IRIX*)
	BMAKE=bmake
	BSDSUM="sum -r"
	CKSUM="cksum"
	SYSVSUM="sum"
	;;
*)
	BMAKE=bmake
	;;
esac

export BMAKE

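# Bring in variables for bulk-install
BATCH=1
DEPENDS_TARGET=bulk-install
export BATCH DEPENDS_TARGET

# Pull in RSYNC_DST, RSYNC_OPTS:
# The configuration file is sourced, i.e. executed in this shell with this
# script's privileges, so it must be writable only by the build operator.
# Paths are quoted so that whitespace or glob characters in them cannot
# change which file is sourced.
if [ -f "$BULK_BUILD_CONF" ]; then
	# A name without a slash would be looked up along PATH by ".", which
	# may not be the file that was just tested; anchor it to this directory.
	case "$BULK_BUILD_CONF" in
	*/*)	. "$BULK_BUILD_CONF" ;;
	*)	. "./$BULK_BUILD_CONF" ;;
	esac
else
	. "$(dirname "$0")/build.conf"
fi

# Everything below uses paths relative to the pkgsrc tree, so stop if the
# tree cannot be entered (an empty value would otherwise leave the script in
# an unrelated directory).
if [ -z "$USR_PKGSRC" ] || ! cd "$USR_PKGSRC"; then
	echo "$0: cannot cd to USR_PKGSRC \"$USR_PKGSRC\"" >&2
	exit 1
fi

if [ -z "$RSYNC_DST" ]; then
	echo "You must set the variable RSYNC_DST, see build.conf-example."
	exit 1
fi
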
#
# Some temp files
#

umask 022
TMPDIR="${TMPDIR:-/tmp}"
TMP="${TMPDIR}/pkg_upload.$$"

# The directory name is predictable (it ends in the PID), so it is created
# with a plain mkdir under umask 077: mkdir fails if the path already exists,
# and a newly created directory is accessible to its owner only.  The
# subshell keeps the 077 umask from leaking into the rest of the script.
if ! (umask 077 && mkdir "${TMP}"); then
	echo $0: cannot create temporary directory \""${TMP}"\" >&2
	exit 1
fi

# Scratch files, all inside the private directory.
exf="${TMP}/exclude"
vf="${TMP}/vulnerable"
upload="${TMP}/upload"
upload_general="${TMP}/upload_general"
upload_vulnerable="${TMP}/upload_vulnerable"

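# May be different than $USR_PKGSRC:
# Each value is queried from inside the pkglint package directory.  "&&"
# makes sure make only runs if the cd succeeded.
pkgsrcdir=$(cd pkgtools/pkglint && ${BMAKE} show-var VARNAME=_PKGSRCDIR)
packages=$(cd pkgtools/pkglint && ${BMAKE} show-var VARNAME=PACKAGES)
distdir=$(cd pkgtools/pkglint && ${BMAKE} show-var VARNAME=DISTDIR)

# An empty value would make the later "cd $packages" and the rsync of "."
# operate on an unrelated directory, so stop here rather than upload the
# wrong tree.
if [ -z "$pkgsrcdir" ] || [ -z "$packages" ]; then
	echo "$0: could not determine _PKGSRCDIR or PACKAGES" >&2
	exit 1
fi

# Pull in some pkgs needed
( cd pkgtools/pkglint && ${BMAKE} bulk-install )
( cd net/rsync && ${BMAKE} bulk-install )
( cd security/audit-packages && ${BMAKE} bulk-install )
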
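echo "Making sure vulnerability-list is up-to-date:"
# The list is refreshed unless UPDATE_VULNERABILITY_LIST is set to something
# other than "yes".  Two separate tests replace the ambiguous "-o" operator.
if [ -z "$UPDATE_VULNERABILITY_LIST" ] || [ "$UPDATE_VULNERABILITY_LIST" = "yes" ]; then
	# A failed download is reported instead of passing silently: the
	# vulnerable-package check further down would then presumably work from
	# an older list and could miss recently published entries.
	if ! env PKGVULNDIR="${distdir}" download-vulnerability-list; then
		echo "WARNING: could not update the vulnerability list;" \
		    "the vulnerable-package check may use a stale list." >&2
	fi
else
	echo '(skipped)'
fi
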
# When LINTPKGSRC_CACHE is yes/YES, hand lintpkgsrc the value of
# LINTPKGSRC_DB through -I; otherwise pass no extra option.
if [ "$LINTPKGSRC_CACHE" = "yes" ] || [ "$LINTPKGSRC_CACHE" = "YES" ]; then
	lintpkgsrc_cache="-I $(cd pkgtools/pkglint ; ${BMAKE} show-var VARNAME=LINTPKGSRC_DB)"
else
	lintpkgsrc_cache=''
fi

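# $lintpkgsrc_cache is left unquoted on purpose in both calls below: it is
# either empty or "-I <db>" and has to split into separate arguments.
#
# Each raw report is written to a file first so that lintpkgsrc's own exit
# status is visible; in a pipeline only sed's status would be.  If lintpkgsrc
# fails, the resulting list is empty or truncated, and packages that should
# be withheld (or routed to the vulnerable area) would be uploaded with the
# general set.
# NOTE(review): only a warning is issued because lintpkgsrc's exit-status
# convention is not visible here; consider aborting once that is confirmed.

echo "Checking for restricted and out of date packages:"
# -p = report old versions of packages
# -R = report restricted packages
lintpkgsrc $lintpkgsrc_cache -K "$packages" -P "$pkgsrcdir" -pR > "$exf.raw" ||
	echo "WARNING: lintpkgsrc -pR exited with an error; $exf may be incomplete." >&2
# Strip the leading packages directory so entries are relative paths.
sed "s@${packages}/@@" "$exf.raw" > "$exf"

echo "Checking for vulnerable packages:"
lintpkgsrc $lintpkgsrc_cache -K "$packages" -P "$pkgsrcdir" -V > "$vf.raw" ||
	echo "WARNING: lintpkgsrc -V exited with an error; $vf may be incomplete." >&2
sed "s@${packages}/@@" "$vf.raw" > "$vf"
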
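# rsync options shared by both uploads; RSYNC_OPTS comes from the build
# configuration sourced earlier.
RSFLAGS="-vap --progress $RSYNC_OPTS"

failed=no

# Everything below (removing and writing checksum files, rsync of ".") acts
# on the current directory, so refuse to continue anywhere but in $packages.
if [ -z "$packages" ] || ! cd "$packages"; then
	echo "$0: cannot cd to packages directory \"$packages\"" >&2
	exit 1
fi
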
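# Optional step: build the checksum files for every package that is not on
# the exclude list and, when SIGN_AS is set, clearsign them with gpg.
if [ "${MKSUMS}" = "yes" ] || [ "${MKSUMS}" = "YES" ]; then

	echo "Calculating checksum files..."

	# Names of the checksum files; each is also the name of the variable
	# holding the command that fills it.  Kept as one space-separated
	# string and expanded unquoted on purpose so that it splits into words.
	SUMFILES="BSDSUM CKSUM MD5 SHA1 SYSVSUM"

	rm -f ${SUMFILES}

	if [ x"${SIGN_AS}" != x"" ]; then
		( cd "${pkgsrcdir}/security/gnupg" && ${BMAKE} bulk-install )
		# The banner is written before any checksum line, so it ends up
		# inside the clearsigned text.
		# NOTE(review): SIGN_AS appears only in this banner; the gpg call
		# below does not select a key, so gpg's default key does the
		# signing whatever the banner says -- confirm the two match.
		for i in ${SUMFILES}; do
			echo > "$i"
			echo "This file is signed with ${SIGN_AS}'s PGP key." >> "$i"
			echo >> "$i"
		done
	fi

	( cd "${pkgsrcdir}/pkgtools/digest" && ${BMAKE} bulk-install )

	# Where no native tool was configured, "echo" stands in for it; the
	# files it produces are removed again after the loop.
	[ -z "${BSDSUM}" ] && BSDSUM="echo"
	[ -z "${CKSUM}" ] && CKSUM="echo"
	[ -z "${SYSVSUM}" ] && SYSVSUM="echo"

	# NOTE(review): MD5 and SHA1 are not collision-resistant; a signature
	# over these files is only as strong as the digests listed in them.
	for i in All/*; do
		# An unmatched glob is left as the literal "All/*"; skip it.
		[ -e "$i" ] || continue
		# -F compares the file name as a fixed string.  Read as a regular
		# expression, the "." in a version number would match any
		# character, so an unrelated exclude-list entry could keep a
		# package out of the checksum files.
		if ! grep -qF -- "$i" "$exf"; then
			${BSDSUM} "$i" >> BSDSUM
			${CKSUM} "$i" >> CKSUM
			${MD5} "$i" >> MD5
			${SHA1} "$i" >> SHA1
			${SYSVSUM} "$i" >> SYSVSUM
		fi
	done

	# -f: the file may not exist if no package was processed.
	[ "${BSDSUM}" = "echo" ] && rm -f BSDSUM
	[ "${CKSUM}" = "echo" ] && rm -f CKSUM
	[ "${SYSVSUM}" = "echo" ] && rm -f SYSVSUM

	if [ x"${SIGN_AS}" != x"" ]; then
		for i in ${SUMFILES}; do
			if [ -s "$i" ]; then
				echo "Signing $i"
				# The unsigned file is removed only after gpg succeeded;
				# otherwise say so, because the unsigned file stays in
				# the directory that is about to be uploaded.
				if gpg --clearsign "$i"; then
					rm "$i"
				else
					echo "WARNING: signing $i failed; unsigned $i left in place." >&2
				fi
			fi
		done
	else
		echo "Checksum files not PGP-signed. Please do so manually!"
		echo "(Run 'gpg --clearsign' on all of them)"
	fi
fi
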
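# Common prologue of the generated upload scripts.  The warning printed after
# a failed rsync tells the operator to re-run these scripts later, so the
# prologue has to be safe on its own: the directory is stored as a
# single-quoted literal (embedded single quotes escaped, so nothing in the
# value is re-interpreted when the script runs), and the script stops if the
# value is empty or the directory cannot be entered, because the rsync
# command appended later uses paths relative to the current directory.
packages_q=$(printf '%s\n' "$packages" | sed "s/'/'\\\\''/g")
{
	echo '#!/bin/sh'
	printf "packages='%s'\n" "$packages_q"
	echo 'if [ -z "$packages" ] || ! cd "$packages" ; then'
	echo ' echo "could not cd to $packages"'
	echo ' exit 1'
	echo 'fi'
} > "$upload"
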
echo "Uploading non-vulnerable pkgs"
# Transfer the whole packages directory, leaving out every entry of the
# restricted/out-of-date list ($exf) and of the vulnerable list ($vf).
# The command is appended to a copy of the prologue script so that it can be
# re-run by hand after a failure.
# NOTE(review): $exf, $vf and $RSYNC_DST are embedded inside double quotes,
# so a "$", backquote or double quote in them would be re-interpreted when
# the generated script runs; they come from the sourced configuration, which
# therefore has to stay under the operator's control.
cmd="rsync $RSFLAGS --exclude-from=\"$exf\" --exclude-from=\"$vf\" . \"$RSYNC_DST\""
cp -f "$upload" "$upload_general"
echo "$cmd" >> "$upload_general"
chmod 755 "$upload_general"
echo "$cmd"
if ! sh "$upload_general"; then
	printf '%s\n' \
	    "--------------------------------------------------" \
	    " " \
	    "WARNING: rsync failed. To retry later, you can run" \
	    " $upload_general" \
	    " " \
	    "--------------------------------------------------"
	failed=yes
fi

echo "Uploading vulnerable pkgs"
# This transfer starts inside All/, so both lists are reduced to the entries
# that mention "All/" with that prefix removed.
sed -n "s@All/@@p" "$exf" > "$exf.new"
sed -n "s@All/@@p" "$vf" > "$vf.new"
# Rule order matters, since rsync applies the first rule that matches:
# restricted entries are excluded first, then the vulnerable entries are
# included, and the closing '*' excludes everything else.  A package on both
# lists is therefore not uploaded.
cmd="rsync $RSFLAGS --exclude-from=\"$exf.new\" --include-from=\"$vf.new\" --exclude='*' All/ \"$RSYNC_DST/vulnerable/\""
cp -f "$upload" "$upload_vulnerable"
echo "$cmd" >> "$upload_vulnerable"
chmod 755 "$upload_vulnerable"
echo "$cmd"
if ! sh "$upload_vulnerable"; then
	printf '%s\n' \
	    "--------------------------------------------------" \
	    " " \
	    "WARNING: rsync failed. To retry later, you can run" \
	    " $upload_vulnerable" \
	    " " \
	    "--------------------------------------------------"
	failed=yes
fi

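# clean up temp files
# The temporary directory is kept after a failed upload because it holds the
# generated scripts named in the retry hint.  A failure is also reported
# through the exit status, so that calling automation does not treat a
# failed upload as success.
if [ "$failed" = "no" ]; then
	# ${TMP:?} aborts instead of running "rm -rf" on an empty path.
	rm -rf -- "${TMP:?}"
else
	exit 1
fi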