ubuntu-archive-tools

Merge lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs into lp:ubuntu-archive-tools

  1. copy-proposed-kernel--support-lrg-lrs
  2. Merge into trunk
Proposed by Andy Whitcroft
Status: Merged
Merged at revision: 1462
Proposed branch: lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs
Merge into: lp:ubuntu-archive-tools
Diff against target: 533 lines (+239/-72)
1 file modified
copy-proposed-kernel (+239/-72)
To merge this branch: bzr merge lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs
Reviewer Review Type Date Requested Status
Łukasz Zemczak Approve
Review via email: mp+399495@code.launchpad.net

Commit message

Add support for the new linux-restricted-generate/linux-restricted-signatures workflow.

To post a comment you must log in.
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Generally looks good. A whitespace comment inline, but that's not really important.

One thing I just would like to make sure is intended: from the commit messages I understood that we do not want to allow unembargoing only for selected, safe places. But this can be overriden via the --unembargo argument, right? So it's like a hard override, skipping over all checks, right?

review: Approve
Revision history for this message
Andy Whitcroft (apw) wrote :

> Generally looks good. A whitespace comment inline, but that's not really
> important.
>
> One thing I just would like to make sure is intended: from the commit messages
> I understood that we do not want to allow unembargoing only for selected, safe
> places. But this can be overriden via the --unembargo argument, right? So it's
> like a hard override, skipping over all checks, right?

Right, the automated enablement of --embargo is only for safe source/destination pairs. --embargo on the command line is intended to be a "Look just to what I need there is fire" override.

lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs updated
1464. By Andy Whitcroft

copy-proposed-kernel: clean up whitespace

Clean up whitespace based on review feedback.

Signed-off-by: Andy Whitcroft <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'copy-proposed-kernel'
2--- copy-proposed-kernel 2021-03-10 10:13:48 +0000
3+++ copy-proposed-kernel 2021-03-11 17:44:33 +0000
4@@ -42,14 +42,14 @@
5 self.series = None
6 self.source = None
7 self.ppa2 = False
8- self.security = False
9- self.security2 = False
10+ self.security = None
11 self.esm = False
12 self.fips = False
13 self.ibmgt = False
14 self.to_signing = False
15 self.from_signing = False
16 self.no_auto = False
17+ self.unembargo = False
18
19 self.update(**kwargs)
20
21@@ -81,6 +81,25 @@
22 - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ]
23 proposed:
24 - ['ubuntu', 'Proposed' ]
25+ drivers:
26+ security-build:
27+ - ['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release' ]
28+ - ['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release' ]
29+ build:
30+ - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ]
31+ build-private:
32+ - ['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release' ]
33+ signing:
34+ - ['ppa:canonical-signing/ubuntu/primary', 'Release']
35+ proposed:
36+ - ['ubuntu', 'Proposed' ]
37+ drivers-contrived: # build-private but no signing is invalid
38+ build:
39+ - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ]
40+ build-private:
41+ - ['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release' ]
42+ proposed:
43+ - ['ubuntu', 'Proposed' ]
44 esm:
45 security-build:
46 - ['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release']
47@@ -90,6 +109,17 @@
48 - ['ppa:canonical-signing/ubuntu/esm', 'Release']
49 proposed:
50 - ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release']
51+ uc20:
52+ security-build:
53+ - ['ppa:canonical-kernel-security-team/ubuntu/uc20', 'Release']
54+ - ['ppa:canonical-kernel-security-team/ubuntu/uc20-2', 'Release']
55+ - ['ppa:canonical-kernel-security-team/ubuntu/uc20-3', 'Release']
56+ build:
57+ - ['ppa:canonical-kernel-team/ubuntu/uc20-build', 'Release']
58+ signing:
59+ - ['ppa:canonical-signing/ubuntu/uc20', 'Release']
60+ proposed:
61+ - ['ppa:canonical-kernel-team/ubuntu/uc20-staging', 'Release']
62 14.04:
63 codename: trusty
64 supported: true
65@@ -134,6 +164,8 @@
66 type: signed
67 linux-meta:
68 type: meta
69+ linux-restricted-modules:
70+ type: lrm
71 linux-ibm-gt:
72 routing:
73 security-build:
74@@ -141,65 +173,182 @@
75 - ['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release']
76 build:
77 - ['ppa:ibm-cloud/ubuntu/build', 'Release']
78+ signing:
79+ - ['ppa:canonical-signing/ubuntu/ibm-gt', 'Release']
80 proposed:
81 - ['ppa:ibm-cloud/ubuntu/proposed', 'Release']
82 packages:
83 linux-ibm-gt:
84 linux-meta-ibm-gt:
85 type: meta
86+ 20.04:
87+ codename: focal
88+ supported: true
89+ sources:
90+ linux:
91+ routing: drivers
92+ packages:
93+ linux:
94+ linux-signed:
95+ type: signed
96+ linux-meta:
97+ type: meta
98+ linux-restricted-modules:
99+ type: lrm
100+ linux-restricted-generate:
101+ type: lrg
102+ linux-restricted-signatures:
103+ type: lrs
104+ linux-contrived:
105+ routing: drivers-contrived
106+ packages:
107+ linux-contrived:
108+ linux-restricted-generate-contrived:
109+ type: lrg
110+ linux-uc20-efi:
111+ routing: uc20
112+ packages:
113+ linux-uc20-efi:
114+ linux-signed-uc20-efi:
115+ type: signed
116 """
117 cls.ks = KernelSeries(data=data)
118
119
120 class TestRouting(TestBase):
121 def test_default(self):
122- expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False)
123+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, True)
124 result = routing(self.FakeArgs(series='bionic', source='linux'), self.ks)
125 self.assertEqual(expected, result)
126
127 def test_security(self):
128- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], True)
129- result = routing(self.FakeArgs(series='bionic', source='linux', security=True), self.ks)
130+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], True, True)
131+ result = routing(self.FakeArgs(series='bionic', source='linux', security=1), self.ks)
132 self.assertEqual(expected, result)
133
134 def test_security2(self):
135- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ubuntu', 'Proposed'], True)
136- result = routing(self.FakeArgs(series='bionic', source='linux', security2=True), self.ks)
137+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ubuntu', 'Proposed'], True, True)
138+ result = routing(self.FakeArgs(series='bionic', source='linux', security=2), self.ks)
139 self.assertEqual(expected, result)
140
141 def test_to_signing(self):
142- expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], None, False)
143+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], None, False, True)
144 result = routing(self.FakeArgs(series='bionic', source='linux', to_signing=True), self.ks)
145 self.assertEqual(expected, result)
146
147- def test_from_signing(self):
148- expected = (None, ['ubuntu', 'Proposed'], False)
149+ def test_from_signing_no_signing(self):
150+ # No signing present ... this should fail elsewhere, but confirm it would not
151+ # allow unembargo.
152+ expected = (None, ['ubuntu', 'Proposed'], False, True)
153 result = routing(self.FakeArgs(series='bionic', source='linux', from_signing=True), self.ks)
154 self.assertEqual(expected, result)
155
156+ def test_from_signing_to_main(self):
157+ expected = (['ppa:canonical-signing/ubuntu/primary', 'Release'], ['ubuntu', 'Proposed'], True, True)
158+ result = routing(self.FakeArgs(series='focal', source='linux', from_signing=True), self.ks)
159+ self.assertEqual(expected, result)
160+
161+ def test_from_signing_to_uc20(self):
162+ expected = (['ppa:canonical-signing/ubuntu/uc20', 'Release'], ['ppa:canonical-kernel-team/ubuntu/uc20-staging', 'Release'], True, True)
163+ result = routing(self.FakeArgs(series='focal', source='linux-uc20-efi', from_signing=True), self.ks)
164+ self.assertEqual(expected, result)
165+
166+ def test_from_signing_to_private(self):
167+ expected = (['ppa:canonical-signing/ubuntu/ibm-gt', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True)
168+ result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', from_signing=True), self.ks)
169+ self.assertEqual(expected, result)
170+
171+ def test_binaries_from_build_to_proposed(self):
172+ for package, binaries in (
173+ ('linux', True),
174+ ('linux-signed', False),
175+ ('linux-meta', True),
176+ ('linux-restricted-modules', True),
177+ ):
178+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, binaries)
179+ result = routing(self.FakeArgs(series='bionic', source=package), self.ks)
180+ self.assertEqual(expected, result)
181+
182+ def test_binaries_from_build_to_signing(self):
183+ for package, binaries in (
184+ ('linux', True),
185+ ('linux-signed', False),
186+ ('linux-meta', True),
187+ ('linux-restricted-modules', True),
188+ ):
189+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries)
190+ result = routing(self.FakeArgs(series='focal', source=package), self.ks)
191+ self.assertEqual(expected, result)
192+ for package, binaries in (
193+ ('linux-restricted-generate', True),
194+ ('linux-restricted-signatures', False),
195+ ):
196+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries)
197+ result = routing(self.FakeArgs(series='focal', source=package), self.ks)
198+ self.assertEqual(expected, result)
199+
200+ def test_binaries_from_build_to_signing(self):
201+ for package, binaries in (
202+ ('linux', True),
203+ ('linux-signed', False),
204+ ('linux-meta', True),
205+ ('linux-restricted-modules', True),
206+ ):
207+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries)
208+ result = routing(self.FakeArgs(series='focal', source=package), self.ks)
209+ self.assertEqual(expected, result)
210+ for package, binaries in (
211+ ('linux-restricted-generate', True),
212+ ('linux-restricted-signatures', False),
213+ ):
214+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries)
215+ result = routing(self.FakeArgs(series='focal', source=package), self.ks)
216+ self.assertEqual(expected, result)
217+
218+ def test_binaries_from_signing_to_proposed(self):
219+ for package, binaries in (
220+ ('linux', True),
221+ ('linux-signed', True),
222+ ('linux-meta', True),
223+ ('linux-restricted-modules', True),
224+ ('linux-restricted-signatures', True),
225+ ):
226+ expected = (['ppa:canonical-signing/ubuntu/primary', 'Release'], ['ubuntu', 'Proposed'], True, binaries)
227+ result = routing(self.FakeArgs(series='focal', source=package, from_signing=True), self.ks)
228+ self.assertEqual(expected, result)
229+ # LRG should not go anywhere but signing.
230+ self.assertRaises(RoutingError, routing, self.FakeArgs(series='focal', source='linux-restricted-generate', from_signing=True), self.ks)
231+
232+ def test_binaries_from_build_to_proposed_lrg(self):
233+ expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, True)
234+ result = routing(self.FakeArgs(series='focal', source='linux-contrived'), self.ks)
235+ self.assertEqual(expected, result)
236+ # LRG should not go anywhere but signing.
237+ self.assertRaises(RoutingError, routing, self.FakeArgs(series='focal', source='linux-restricted-generate-contrived'), self.ks)
238+
239 def test_esm(self):
240- expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False)
241+ expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True)
242 result = routing(self.FakeArgs(series='trusty', source='linux'), self.ks)
243 self.assertEqual(expected, result)
244
245 def test_esm_security(self):
246- expected = (['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False)
247- result = routing(self.FakeArgs(series='trusty', source='linux', security=True), self.ks)
248+ expected = (['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True)
249+ result = routing(self.FakeArgs(series='trusty', source='linux', security=1), self.ks)
250 self.assertEqual(expected, result)
251
252 def test_esm_security2(self):
253 with self.assertRaises(SystemExit), self.capture() as (out, err):
254- expected = (None, ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False)
255- result = routing(self.FakeArgs(series='trusty', source='linux', security2=True), self.ks)
256+ expected = (None, ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True)
257+ result = routing(self.FakeArgs(series='trusty', source='linux', security=2), self.ks)
258 self.assertEqual(expected, result)
259
260 def test_esm_to_signing(self):
261- expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False)
262+ expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True)
263 result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, to_signing=True), self.ks)
264 self.assertEqual(expected, result)
265
266 def test_esm_from_signing(self):
267- expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False)
268+ expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True)
269 result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, from_signing=True), self.ks)
270 self.assertEqual(expected, result)
271
272@@ -208,59 +357,66 @@
273 # simple we make from_signing take presidence over to_signing. Test this
274 # is honoured correctly.
275 def test_esm_from_signing_override_to_signing(self):
276- expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False)
277+ expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True)
278 result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, to_signing=True, from_signing=True), self.ks)
279 self.assertEqual(expected, result)
280
281 def test_fips(self):
282- expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False)
283+ expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True)
284 result = routing(self.FakeArgs(series='xenial', source='linux-fips'), self.ks)
285 self.assertEqual(expected, result)
286
287 def test_fips_security(self):
288- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False)
289- result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=True), self.ks)
290+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True)
291+ result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=1), self.ks)
292 self.assertEqual(expected, result)
293
294 def test_fips_security2(self):
295- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False)
296- result = routing(self.FakeArgs(series='xenial', source='linux-fips', security2=True), self.ks)
297+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True)
298+ result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=2), self.ks)
299 self.assertEqual(expected, result)
300
301 def test_fips_to_signing(self):
302- expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False)
303+ expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True)
304 result = routing(self.FakeArgs(series='xenial', source='linux-fips', to_signing=True), self.ks)
305 self.assertEqual(expected, result)
306
307 def test_fips_from_signing(self):
308- expected = (['ppa:canonical-signing/ubuntu/fips', 'Release'], ['ppa:ubuntu-advantage/ubuntu/fips-proposed', 'Release'], False)
309+ expected = (['ppa:canonical-signing/ubuntu/fips', 'Release'], ['ppa:ubuntu-advantage/ubuntu/fips-proposed', 'Release'], False, True)
310 result = routing(self.FakeArgs(series='xenial', source='linux-fips', from_signing=True), self.ks)
311 self.assertEqual(expected, result)
312
313 def test_ibmgt(self):
314- expected = (['ppa:ibm-cloud/ubuntu/build', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False)
315+ expected = (['ppa:ibm-cloud/ubuntu/build', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True)
316 result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt'), self.ks)
317 self.assertEqual(expected, result)
318
319 def test_ibmgt_security(self):
320- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False)
321- result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=True), self.ks)
322+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True)
323+ result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=1), self.ks)
324 self.assertEqual(expected, result)
325
326 def test_ibmgt_security2(self):
327- expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False)
328- result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security2=True), self.ks)
329+ expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True)
330+ result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=2), self.ks)
331 self.assertEqual(expected, result)
332
333
334+class RoutingError(Exception):
335+ pass
336+
337+
338+unembargo_from_security = ['ppa:canonical-kernel-security-team/ubuntu/ppa' + v for v in ('', '2', '3')]
339+unembargo_from_signing = ['ppa:canonical-signing/ubuntu/primary', 'ppa:canonical-signing/ubuntu/uc20']
340+unembargo_to_ok = ['ubuntu', 'ppa:canonical-kernel-team/ubuntu/uc20-staging']
341+
342 def routing(args, ks):
343 series_name = args.series
344 package_name = args.source
345
346 series = ks.lookup_series(codename=series_name)
347 if series is None:
348- print("ERROR: {} -- series unknown".format(series_name))
349- sys.exit(1)
350+ raise RoutingError("ERROR: {} -- series unknown".format(series_name))
351
352 package = None
353 package_signed = None
354@@ -269,43 +425,38 @@
355 for package_srch in source_srch.packages:
356 if package_srch.name == package_name:
357 package = package_srch
358- if package_srch.type == 'signed':
359+ # XXX: this should be package_srch.signing
360+ if package_srch.type in ('signed', 'lrs'):
361 package_signed = package_srch
362 if package is not None:
363 break
364 if package is None:
365- print("ERROR: {}/{} -- package unknown".format(series_name, package_name))
366- sys.exit(1)
367+ raise RoutingError("ERROR: {}/{} -- package unknown".format(series_name, package_name))
368
369 source = package.source
370 routing = source.routing
371 if routing is None:
372- print("ERROR: {}/{} -- package has no routing".format(series_name, package_name))
373- sys.exit(1)
374+ raise RoutingError("ERROR: {}/{} -- package has no routing".format(series_name, package_name))
375
376- build_archives = routing.lookup_destination('build')
377+ # XXX: this should be package_srch.adjunct
378+ if package.type in ('lrg', 'lrs'):
379+ build_archives = routing.lookup_destination('build-private')
380+ else:
381+ build_archives = routing.lookup_destination('build')
382 security_archives = routing.lookup_destination('security-build')
383 proposed_archive = routing.lookup_destination('proposed', primary=True)
384 signing_archive = routing.lookup_destination('signing', primary=True)
385
386 if build_archives is None or len(build_archives) < 1:
387- print("ERROR: {}/{} -- package has no primary build archive".format(series_name, package_name))
388- sys.exit(1)
389+ raise RoutingError("ERROR: {}/{} -- package has no primary build archive".format(series_name, package_name))
390 if args.ppa2 and (build_archives is None or len(build_archives) < 2):
391- print("ERROR: {}/{} -- package has no secondary build archive".format(series_name, package_name))
392- sys.exit(1)
393+ raise RoutingError("ERROR: {}/{} -- package has no secondary build archive".format(series_name, package_name))
394 if build_archives is None:
395- print("ERROR: {}/{} -- package has no build archive".format(series_name, package_name))
396- sys.exit(1)
397+ raise RoutingError("ERROR: {}/{} -- package has no build archive".format(series_name, package_name))
398 if proposed_archive is None:
399- print("ERROR: {}/{} -- package has no proposed archive".format(series_name, package_name))
400- sys.exit(1)
401- if args.security and (security_archives is None or len(security_archives) < 1):
402- print("ERROR: {}/{} -- package has no primary security archive".format(series_name, package_name))
403- sys.exit(1)
404- if args.security2 and (security_archives is None or len(security_archives) < 2):
405- print("ERROR: {}/{} -- package has no secondary security archive".format(series_name, package_name))
406- sys.exit(1)
407+ RoutingError("ERROR: {}/{} -- package has no proposed archive".format(series_name, package_name))
408+ if args.security and (security_archives is None or len(security_archives) < args.security):
409+ RoutingError("ERROR: {}/{} -- package has no security archive #{}".format(series_name, package_name, args.security))
410
411 # Default route build -> proposed
412 if args.ppa2:
413@@ -314,17 +465,9 @@
414 from_archive = build_archives[0]
415 to_archive = proposed_archive
416
417- unembargo = False
418-
419 # Handle security routing.
420 if args.security:
421- from_archive = security_archives[0]
422- if args.security2:
423- from_archive = security_archives[1]
424-
425- # Allow us to unembargo when releasing from security to ubuntu.
426- if (args.security or args.security2) and to_archive[0] == 'ubuntu':
427- unembargo = True
428+ from_archive = security_archives[args.security - 1]
429
430 # Handle signing routing.
431 if args.from_signing:
432@@ -335,6 +478,23 @@
433 elif args.no_auto is False and signing_archive is not None and package_signed is not None:
434 to_archive = signing_archive
435
436+ # Allow us to unembargo when releasing from security. Ensure the source
437+ # is somewhere where we expect things which are public.
438+ unembargo = args.unembargo
439+ if args.security and from_archive[0] in unembargo_from_security and to_archive[0] in unembargo_to_ok:
440+ unembargo = True
441+ elif signing_archive and args.from_signing and from_archive[0] in unembargo_from_signing and to_archive[0] in unembargo_to_ok:
442+ unembargo = True
443+
444+ # We should be copying binaries for non-'signing' packages
445+ # when on their way to somewhere where signing is intended.
446+ binaries = True
447+ # XXX: this should be package_srch.signing
448+ if (package.type in ('signed', 'lrs') and
449+ (to_archive == signing_archive or
450+ (from_archive != signing_archive and to_archive == proposed_archive))):
451+ binaries = False
452+
453 # Announce the routing if needed.
454 if (args.testing is False and (routing.name != 'default' or from_archive == signing_archive or to_archive == signing_archive)):
455 msg = "NOTE: directing copy using {} routes".format(routing.name)
456@@ -344,7 +504,12 @@
457 msg += ' to signing'
458 print(msg)
459
460- return (from_archive, to_archive, unembargo)
461+
462+ # It is only safe to copy linux-restricted-generate to signing. Refuse to copy.
463+ if package.type == 'lrg' and to_archive != signing_archive:
464+ raise RoutingError("ERROR: {}/{} -- package type lrg is embargoed, copy only allowed to signing".format(series_name, package_name))
465+
466+ return (from_archive, to_archive, unembargo, binaries)
467
468
469 # SELF-TESTS:
470@@ -356,14 +521,16 @@
471 parser.set_defaults(testing=False)
472 parser.add_argument('--dry-run', action='store_true', help='Do everything but actually copy the package')
473 parser.add_argument('--ppa2', action='store_true', help='Copy from the kernel build PPA2')
474-parser.add_argument('--security', '-S', action='store_true', help='Copy from the kernel security PPA')
475-parser.add_argument('--security2', action='store_true', help='Copy from the kernel security PPA2')
476+parser.add_argument('--security', '-S', action='store_const', const=1, help='Copy from the kernel security PPA')
477+parser.add_argument('--security2', action='store_const', const=2, dest='security', help='Copy from the kernel security PPA2')
478+parser.add_argument('--security3', action='store_const', const=3, dest='security', help='Copy from the kernel security PPA3')
479 parser.add_argument('--esm', '-E', action='store_true', help='Copy from the kernel ESM PPA and to the kernel ESM proposed PPA')
480 parser.add_argument('--fips', action='store_true', help='Copy from the kernel FIPS PPA and to the kernel FIPS proposed PPA')
481 parser.add_argument('--ibmgt', action='store_true', help='Copy from the kernel IBM-GT build PPA to the corresponding proposed PPA')
482 parser.add_argument('--no-auto', action='store_true', help='Turn off automatic detection of ESM et al based on series')
483 parser.add_argument('--to-signing', action='store_true', help='Copy from the kernel ESM/FIPS PPA to the ESM/FIPS signing PPA')
484 parser.add_argument('--from-signing', action='store_true', help='Copy from the ESM/FIPS signing PPA to the ESM/FIPS proposed PPA')
485+parser.add_argument('--unembargo', action='store_true', default=False, help='Allow copies from private PPAs')
486 parser.add_argument('series', action='store', help='The series the source package is in')
487 parser.add_argument('source', action='store', nargs='+', help='The source package name')
488
489@@ -386,8 +553,12 @@
490 # BODGE: routing should just take release/pkg.
491 args.source = pkg
492
493- (from_archive, to_archive, security) = routing(args, ks)
494+ try:
495+ (from_archive, to_archive, unembargo, include_binaries) = routing(args, ks)
496 ##print("from_archive<{}> to_archive<{}>".format(from_archive, to_archive))
497+ except RoutingError as e:
498+ print("ERROR: {}", e.args[0])
499+ sys.exit(1)
500
501 if from_archive is None:
502 print("ERROR: bad source PPA")
503@@ -414,11 +585,6 @@
504 if versions.total_size == 1:
505 version = versions[0].source_package_version
506
507- include_binaries = (pkg not in ('debian-installer')
508- and not pkg.startswith('linux-signed'))
509- if args.from_signing:
510- include_binaries = True
511-
512 print("""Copying {}/{}:
513 From: {} {} {}
514 To: {} {} {}
515@@ -426,7 +592,8 @@
516
517 if not version:
518 print("ERROR: no version to copy")
519- sys.exit(1)
520+ if not args.dry_run:
521+ sys.exit(1)
522
523 copies.append({
524 'from_archive': from_archive,
525@@ -436,7 +603,7 @@
526 'to_pocket': to_pocket,
527 'version': version,
528 'auto_approve': True,
529- 'unembargo': security,
530+ 'unembargo': unembargo,
531 })
532
533 if args.dry_run:

Subscribers

People subscribed via source and target branches