summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--mk/bulk/sort-packages24
-rw-r--r--mk/bulk/upload49
2 files changed, 64 insertions, 9 deletions
diff --git a/mk/bulk/sort-packages b/mk/bulk/sort-packages
index 2c5768fa028..881c994ca10 100644
--- a/mk/bulk/sort-packages
+++ b/mk/bulk/sort-packages
@@ -1,13 +1,16 @@
#! /bin/sh
-# $NetBSD: sort-packages,v 1.13 2010/03/21 10:52:29 wiz Exp $
+# $NetBSD: sort-packages,v 1.14 2010/03/21 15:31:41 wiz Exp $
# This program scans all binary packages in the current directory and
-# creates two lists of files in OUTDIR:
+# creates three lists of files in OUTDIR:
#
# restricted_packages
# contains all packages that must not be published on the FTP
# server, for whatever reason
#
+# vulnerable_packages
+# contains all packages that are not restricted, but vulnerable
+#
# regular_packages
# contains all the other ("good") packages.
#
@@ -16,16 +19,19 @@ set -eu
: ${OUTDIR="/tmp"}
: ${PKG_SUFX=".tgz"}
+: ${AUDIT_PACKAGES="audit-packages"}
: ${PKG_ADMIN="pkg_admin"}
: ${PKG_INFO="pkg_info"}
regular_packages="${OUTDIR}/regular_packages"
restricted_packages="${OUTDIR}/restricted_packages"
+vulnerable_packages="${OUTDIR}/vulnerable_packages"
newline="
"
: > "${regular_packages}"
: > "${restricted_packages}"
+: > "${vulnerable_packages}"
for pkg in *${PKG_SUFX}; do
build_info=`${PKG_INFO} -B "${pkg}"`
@@ -58,7 +64,16 @@ for pkg in *${PKG_SUFX}; do
;;
esac
- if [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then
+ if [ "${restricted}" = "no" ] && [ "${no_bin_on_ftp}" = "no" ]; then
+ # Check whether the package is vulnerable or not.
+ pkg_prefix="${pkg%%-*}"
+ category="regular"
+ _INFO_VER=`${PKG_INFO} -V`;
+ vuln=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -p "${pkg}"`
+ if [ -n "${vuln}" ]; then
+ category="vulnerable"
+ fi
+ elif [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then
category="restricted"
else
category="unknown"
@@ -70,6 +85,9 @@ for pkg in *${PKG_SUFX}; do
"regular")
echo "${pkg}" >> "${regular_packages}"
;;
+ "vulnerable")
+ echo "${pkg}" >> "${vulnerable_packages}"
+ ;;
"restricted")
echo "${pkg}" >> "${restricted_packages}"
;;
diff --git a/mk/bulk/upload b/mk/bulk/upload
index b682ef8fa69..1d1e867916d 100644
--- a/mk/bulk/upload
+++ b/mk/bulk/upload
@@ -1,5 +1,5 @@
#!/bin/sh
-# $NetBSD: upload,v 1.46 2010/03/21 10:52:29 wiz Exp $
+# $NetBSD: upload,v 1.47 2010/03/21 15:31:42 wiz Exp $
#
# Upload non-restricted binary pkgs to ftp server
@@ -218,12 +218,14 @@ TMP="${TMPDIR}"/pkg_upload.$$
exit 1
}
+vulnerable_packages="$TMP/vulnerable_packages"
restricted_packages="$TMP/restricted_packages"
old_packages="$TMP/old_packages"
good_packages="$TMP/regular_packages"
all_good_packages="$TMP/all_regular_packages"
upload_general="$TMP"/upload_general
+upload_vulnerable="$TMP"/upload_vulnerable
# May be different than $USR_PKGSRC:
echo "upload> Running ${BMAKE} to get the pkgsrc variables"
@@ -239,6 +241,19 @@ for pkg in ${REQUIRED_PACKAGES}; do
install_required $pkg
done
+echo "upload> Making sure vulnerability-list is up-to-date:"
+if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = "yes" ]
+then
+ _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR`
+ download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS}
+ if [ "x${_PKGVULNDIR}" != "x${distdir}" ]; then
+ cp ${_PKGVULNDIR}/pkg-vulnerabilities ${distdir}
+ fi
+ echo " done."
+else
+ echo " (skipped)"
+fi
+
case $LINTPKGSRC_CACHE in
yes|YES)
lintpkgsrc_cache="-I `cd pkgtools/lintpkgsrc ; ${BMAKE} show-var VARNAME=LINTPKGSRC_DB`"
@@ -258,8 +273,10 @@ RSFLAGS="-vap --progress $RSYNC_OPTS"
failed=no
cd $packages
-echo "upload> Checking for restricted packages"
-(cd All && env PKG_INFO="${pkg_info}" OUTDIR="${TMP}" \
+echo "upload> Checking for restricted and vulnerable packages"
+(cd All && env PKG_INFO="${pkg_info}" OUTDIR="${TMP}" PKGVULNDIR="${distdir}" \
+ AUDIT_PACKAGES_FLAGS="${AUDIT_PACKAGES_FLAGS}" \
+ DOWNLOAD_VULNERABILITY_LIST_FLAGS="${DOWNLOAD_VULNERABILITY_LIST_FLAGS}" \
${shell} "${pkgsrcdir}/mk/bulk/sort-packages")
# Add the name of the package file, including all its symlinks to the
@@ -291,7 +308,7 @@ if [ "${MKSUMS}" = "yes" -o "${MKSUMS}" = "YES" ]; then
[ -z "${CKSUM}" ] && CKSUM="echo"
[ -z "${SYSVSUM}" ] && SYSVSUM="echo"
- for pkg in `cat "${good_packages}"`; do
+ for pkg in `cat "${good_packages}" "${vulnerable_packages}"`; do
pkg="All/$pkg"
${BSDSUM} "$pkg" >> BSDSUM
${CKSUM} "$pkg" >> CKSUM
@@ -333,17 +350,37 @@ EOF
chmod +x "$upload_general"
if [ "$do_upload" = "yes" ]; then
- echo "upload> Uploading packages"
+ echo "upload> Uploading non-vulnerable packages"
${shell} "$upload_general" \
|| {
echo "upload> ERROR: rsync failed. To retry later, you can run $upload_general" 1>&2
failed=yes
}
else
- echo "upload> Skipping upload of packages."
+ echo "upload> Skipping upload of non-vulnerable packages."
echo " Run \"$upload_general\" to upload them later."
fi
+cat <<EOF > "$upload_vulnerable"
+#! /bin/sh
+set -e
+cd "$packages/All"
+rsync $RSFLAGS --files-from="${vulnerable_packages}" --exclude-from="${old_packages}" . "$RSYNC_DST/All/"
+EOF
+chmod +x "$upload_vulnerable"
+
+if [ "$do_upload" = "yes" ]; then
+ echo "upload> Uploading vulnerable packages"
+ ${shell} "$upload_vulnerable" \
+ || {
+ echo "upload> ERROR: rsync failed. To retry later, you can run $upload_vulnerable" 1>&2
+ failed=yes
+ }
+else
+ echo "upload> Skipping upload of vulnerable packages."
+ echo " Run \"$upload_vulnerable\" to upload them later."
+fi
+
# clean up temp files
if [ "$failed,$debug,$do_upload" = "no,no,yes" ]; then
rm -fr "$TMP"