diff options
-rw-r--r-- | mk/bulk/sort-packages | 24 | ||||
-rw-r--r-- | mk/bulk/upload | 49 |
2 files changed, 64 insertions, 9 deletions
diff --git a/mk/bulk/sort-packages b/mk/bulk/sort-packages index 2c5768fa028..881c994ca10 100644 --- a/mk/bulk/sort-packages +++ b/mk/bulk/sort-packages @@ -1,13 +1,16 @@ #! /bin/sh -# $NetBSD: sort-packages,v 1.13 2010/03/21 10:52:29 wiz Exp $ +# $NetBSD: sort-packages,v 1.14 2010/03/21 15:31:41 wiz Exp $ # This program scans all binary packages in the current directory and -# creates two lists of files in OUTDIR: +# creates three lists of files in OUTDIR: # # restricted_packages # contains all packages that must not be published on the FTP # server, for whatever reason # +# vulnerable_packages +# contains all packages that are not restricted, but vulnerable +# # regular_packages # contains all the other ("good") packages. # @@ -16,16 +19,19 @@ set -eu : ${OUTDIR="/tmp"} : ${PKG_SUFX=".tgz"} +: ${AUDIT_PACKAGES="audit-packages"} : ${PKG_ADMIN="pkg_admin"} : ${PKG_INFO="pkg_info"} regular_packages="${OUTDIR}/regular_packages" restricted_packages="${OUTDIR}/restricted_packages" +vulnerable_packages="${OUTDIR}/vulnerable_packages" newline=" " : > "${regular_packages}" : > "${restricted_packages}" +: > "${vulnerable_packages}" for pkg in *${PKG_SUFX}; do build_info=`${PKG_INFO} -B "${pkg}"` @@ -58,7 +64,16 @@ for pkg in *${PKG_SUFX}; do ;; esac - if [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then + if [ "${restricted}" = "no" ] && [ "${no_bin_on_ftp}" = "no" ]; then + # Check whether the package is vulnerable or not. + pkg_prefix="${pkg%%-*}" + category="regular" + _INFO_VER=`${PKG_INFO} -V`; + vuln=`${AUDIT_PACKAGES} ${AUDIT_PACKAGES_FLAGS} -p "${pkg}"` + if [ -n "${vuln}" ]; then + category="vulnerable" + fi + elif [ "${restricted}" != "unknown" ] && [ "${no_bin_on_ftp}" != "unknown" ]; then category="restricted" else category="unknown" @@ -70,6 +85,9 @@ for pkg in *${PKG_SUFX}; do "regular") echo "${pkg}" >> "${regular_packages}" ;; + "vulnerable") + echo "${pkg}" >> "${vulnerable_packages}" + ;; "restricted") echo "${pkg}" >> "${restricted_packages}" ;; diff --git a/mk/bulk/upload b/mk/bulk/upload index b682ef8fa69..1d1e867916d 100644 --- a/mk/bulk/upload +++ b/mk/bulk/upload @@ -1,5 +1,5 @@ #!/bin/sh -# $NetBSD: upload,v 1.46 2010/03/21 10:52:29 wiz Exp $ +# $NetBSD: upload,v 1.47 2010/03/21 15:31:42 wiz Exp $ # # Upload non-restricted binary pkgs to ftp server @@ -218,12 +218,14 @@ TMP="${TMPDIR}"/pkg_upload.$$ exit 1 } +vulnerable_packages="$TMP/vulnerable_packages" restricted_packages="$TMP/restricted_packages" old_packages="$TMP/old_packages" good_packages="$TMP/regular_packages" all_good_packages="$TMP/all_regular_packages" upload_general="$TMP"/upload_general +upload_vulnerable="$TMP"/upload_vulnerable # May be different than $USR_PKGSRC: echo "upload> Running ${BMAKE} to get the pkgsrc variables" @@ -239,6 +241,19 @@ for pkg in ${REQUIRED_PACKAGES}; do install_required $pkg done +echo "upload> Making sure vulnerability-list is up-to-date:" +if [ -z "$UPDATE_VULNERABILITY_LIST" -o "$UPDATE_VULNERABILITY_LIST" = "yes" ] +then + _PKGVULNDIR=`audit-packages ${AUDIT_PACKAGES_FLAGS} -Q PKGVULNDIR` + download-vulnerability-list ${DOWNLOAD_VULNERABILITY_LIST_FLAGS} + if [ "x${_PKGVULNDIR}" != "x${distdir}" ]; then + cp ${_PKGVULNDIR}/pkg-vulnerabilities ${distdir} + fi + echo " done." +else + echo " (skipped)" +fi + case $LINTPKGSRC_CACHE in yes|YES) lintpkgsrc_cache="-I `cd pkgtools/lintpkgsrc ; ${BMAKE} show-var VARNAME=LINTPKGSRC_DB`" @@ -258,8 +273,10 @@ RSFLAGS="-vap --progress $RSYNC_OPTS" failed=no cd $packages -echo "upload> Checking for restricted packages" -(cd All && env PKG_INFO="${pkg_info}" OUTDIR="${TMP}" \ +echo "upload> Checking for restricted and vulnerable packages" +(cd All && env PKG_INFO="${pkg_info}" OUTDIR="${TMP}" PKGVULNDIR="${distdir}" \ + AUDIT_PACKAGES_FLAGS="${AUDIT_PACKAGES_FLAGS}" \ + DOWNLOAD_VULNERABILITY_LIST_FLAGS="${DOWNLOAD_VULNERABILITY_LIST_FLAGS}" \ ${shell} "${pkgsrcdir}/mk/bulk/sort-packages") # Add the name of the package file, including all its symlinks to the @@ -291,7 +308,7 @@ if [ "${MKSUMS}" = "yes" -o "${MKSUMS}" = "YES" ]; then [ -z "${CKSUM}" ] && CKSUM="echo" [ -z "${SYSVSUM}" ] && SYSVSUM="echo" - for pkg in `cat "${good_packages}"`; do + for pkg in `cat "${good_packages}" "${vulnerable_packages}"`; do pkg="All/$pkg" ${BSDSUM} "$pkg" >> BSDSUM ${CKSUM} "$pkg" >> CKSUM @@ -333,17 +350,37 @@ EOF chmod +x "$upload_general" if [ "$do_upload" = "yes" ]; then - echo "upload> Uploading packages" + echo "upload> Uploading non-vulnerable packages" ${shell} "$upload_general" \ || { echo "upload> ERROR: rsync failed. To retry later, you can run $upload_general" 1>&2 failed=yes } else - echo "upload> Skipping upload of packages." + echo "upload> Skipping upload of non-vulnerable packages." echo " Run \"$upload_general\" to upload them later." fi +cat <<EOF > "$upload_vulnerable" +#! /bin/sh +set -e +cd "$packages/All" +rsync $RSFLAGS --files-from="${vulnerable_packages}" --exclude-from="${old_packages}" . "$RSYNC_DST/All/" +EOF +chmod +x "$upload_vulnerable" + +if [ "$do_upload" = "yes" ]; then + echo "upload> Uploading vulnerable packages" + ${shell} "$upload_vulnerable" \ + || { + echo "upload> ERROR: rsync failed. To retry later, you can run $upload_vulnerable" 1>&2 + failed=yes + } +else + echo "upload> Skipping upload of vulnerable packages." + echo " Run \"$upload_vulnerable\" to upload them later." +fi + # clean up temp files if [ "$failed,$debug,$do_upload" = "no,no,yes" ]; then rm -fr "$TMP" |