Merge lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs into lp:ubuntu-archive-tools
- copy-proposed-kernel--support-lrg-lrs
- Merge into trunk
Status: | Merged |
---|---|
Merged at revision: | 1462 |
Proposed branch: | lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs |
Merge into: | lp:ubuntu-archive-tools |
Diff against target: |
533 lines (+239/-72) 1 file modified
copy-proposed-kernel (+239/-72) |
To merge this branch: | bzr merge lp:~apw/ubuntu-archive-tools/copy-proposed-kernel--support-lrg-lrs |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Łukasz Zemczak | Approve | ||
Review via email: mp+399495@code.launchpad.net |
Commit message
Add support for the new linux-restricte
Description of the change
Andy Whitcroft (apw) wrote : | # |
> Generally looks good. A whitespace comment inline, but that's not really
> important.
>
> One thing I just would like to make sure is intended: from the commit messages
> I understood that we do not want to allow unembargoing only for selected, safe
> places. But this can be overriden via the --unembargo argument, right? So it's
> like a hard override, skipping over all checks, right?
Right, the automated enablement of --embargo is only for safe source/destination pairs. --embargo on the command line is intended to be a "Look just to what I need there is fire" override.
- 1464. By Andy Whitcroft
-
copy-proposed-
kernel: clean up whitespace Clean up whitespace based on review feedback.
Signed-off-by: Andy Whitcroft <email address hidden>
Preview Diff
1 | === modified file 'copy-proposed-kernel' |
2 | --- copy-proposed-kernel 2021-03-10 10:13:48 +0000 |
3 | +++ copy-proposed-kernel 2021-03-11 17:44:33 +0000 |
4 | @@ -42,14 +42,14 @@ |
5 | self.series = None |
6 | self.source = None |
7 | self.ppa2 = False |
8 | - self.security = False |
9 | - self.security2 = False |
10 | + self.security = None |
11 | self.esm = False |
12 | self.fips = False |
13 | self.ibmgt = False |
14 | self.to_signing = False |
15 | self.from_signing = False |
16 | self.no_auto = False |
17 | + self.unembargo = False |
18 | |
19 | self.update(**kwargs) |
20 | |
21 | @@ -81,6 +81,25 @@ |
22 | - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ] |
23 | proposed: |
24 | - ['ubuntu', 'Proposed' ] |
25 | + drivers: |
26 | + security-build: |
27 | + - ['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release' ] |
28 | + - ['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release' ] |
29 | + build: |
30 | + - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ] |
31 | + build-private: |
32 | + - ['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release' ] |
33 | + signing: |
34 | + - ['ppa:canonical-signing/ubuntu/primary', 'Release'] |
35 | + proposed: |
36 | + - ['ubuntu', 'Proposed' ] |
37 | + drivers-contrived: # build-private but no signing is invalid |
38 | + build: |
39 | + - ['ppa:canonical-kernel-team/ubuntu/ppa', 'Release' ] |
40 | + build-private: |
41 | + - ['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release' ] |
42 | + proposed: |
43 | + - ['ubuntu', 'Proposed' ] |
44 | esm: |
45 | security-build: |
46 | - ['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release'] |
47 | @@ -90,6 +109,17 @@ |
48 | - ['ppa:canonical-signing/ubuntu/esm', 'Release'] |
49 | proposed: |
50 | - ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'] |
51 | + uc20: |
52 | + security-build: |
53 | + - ['ppa:canonical-kernel-security-team/ubuntu/uc20', 'Release'] |
54 | + - ['ppa:canonical-kernel-security-team/ubuntu/uc20-2', 'Release'] |
55 | + - ['ppa:canonical-kernel-security-team/ubuntu/uc20-3', 'Release'] |
56 | + build: |
57 | + - ['ppa:canonical-kernel-team/ubuntu/uc20-build', 'Release'] |
58 | + signing: |
59 | + - ['ppa:canonical-signing/ubuntu/uc20', 'Release'] |
60 | + proposed: |
61 | + - ['ppa:canonical-kernel-team/ubuntu/uc20-staging', 'Release'] |
62 | 14.04: |
63 | codename: trusty |
64 | supported: true |
65 | @@ -134,6 +164,8 @@ |
66 | type: signed |
67 | linux-meta: |
68 | type: meta |
69 | + linux-restricted-modules: |
70 | + type: lrm |
71 | linux-ibm-gt: |
72 | routing: |
73 | security-build: |
74 | @@ -141,65 +173,182 @@ |
75 | - ['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'] |
76 | build: |
77 | - ['ppa:ibm-cloud/ubuntu/build', 'Release'] |
78 | + signing: |
79 | + - ['ppa:canonical-signing/ubuntu/ibm-gt', 'Release'] |
80 | proposed: |
81 | - ['ppa:ibm-cloud/ubuntu/proposed', 'Release'] |
82 | packages: |
83 | linux-ibm-gt: |
84 | linux-meta-ibm-gt: |
85 | type: meta |
86 | + 20.04: |
87 | + codename: focal |
88 | + supported: true |
89 | + sources: |
90 | + linux: |
91 | + routing: drivers |
92 | + packages: |
93 | + linux: |
94 | + linux-signed: |
95 | + type: signed |
96 | + linux-meta: |
97 | + type: meta |
98 | + linux-restricted-modules: |
99 | + type: lrm |
100 | + linux-restricted-generate: |
101 | + type: lrg |
102 | + linux-restricted-signatures: |
103 | + type: lrs |
104 | + linux-contrived: |
105 | + routing: drivers-contrived |
106 | + packages: |
107 | + linux-contrived: |
108 | + linux-restricted-generate-contrived: |
109 | + type: lrg |
110 | + linux-uc20-efi: |
111 | + routing: uc20 |
112 | + packages: |
113 | + linux-uc20-efi: |
114 | + linux-signed-uc20-efi: |
115 | + type: signed |
116 | """ |
117 | cls.ks = KernelSeries(data=data) |
118 | |
119 | |
120 | class TestRouting(TestBase): |
121 | def test_default(self): |
122 | - expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False) |
123 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, True) |
124 | result = routing(self.FakeArgs(series='bionic', source='linux'), self.ks) |
125 | self.assertEqual(expected, result) |
126 | |
127 | def test_security(self): |
128 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], True) |
129 | - result = routing(self.FakeArgs(series='bionic', source='linux', security=True), self.ks) |
130 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], True, True) |
131 | + result = routing(self.FakeArgs(series='bionic', source='linux', security=1), self.ks) |
132 | self.assertEqual(expected, result) |
133 | |
134 | def test_security2(self): |
135 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ubuntu', 'Proposed'], True) |
136 | - result = routing(self.FakeArgs(series='bionic', source='linux', security2=True), self.ks) |
137 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ubuntu', 'Proposed'], True, True) |
138 | + result = routing(self.FakeArgs(series='bionic', source='linux', security=2), self.ks) |
139 | self.assertEqual(expected, result) |
140 | |
141 | def test_to_signing(self): |
142 | - expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], None, False) |
143 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], None, False, True) |
144 | result = routing(self.FakeArgs(series='bionic', source='linux', to_signing=True), self.ks) |
145 | self.assertEqual(expected, result) |
146 | |
147 | - def test_from_signing(self): |
148 | - expected = (None, ['ubuntu', 'Proposed'], False) |
149 | + def test_from_signing_no_signing(self): |
150 | + # No signing present ... this should fail elsewhere, but confirm it would not |
151 | + # allow unembargo. |
152 | + expected = (None, ['ubuntu', 'Proposed'], False, True) |
153 | result = routing(self.FakeArgs(series='bionic', source='linux', from_signing=True), self.ks) |
154 | self.assertEqual(expected, result) |
155 | |
156 | + def test_from_signing_to_main(self): |
157 | + expected = (['ppa:canonical-signing/ubuntu/primary', 'Release'], ['ubuntu', 'Proposed'], True, True) |
158 | + result = routing(self.FakeArgs(series='focal', source='linux', from_signing=True), self.ks) |
159 | + self.assertEqual(expected, result) |
160 | + |
161 | + def test_from_signing_to_uc20(self): |
162 | + expected = (['ppa:canonical-signing/ubuntu/uc20', 'Release'], ['ppa:canonical-kernel-team/ubuntu/uc20-staging', 'Release'], True, True) |
163 | + result = routing(self.FakeArgs(series='focal', source='linux-uc20-efi', from_signing=True), self.ks) |
164 | + self.assertEqual(expected, result) |
165 | + |
166 | + def test_from_signing_to_private(self): |
167 | + expected = (['ppa:canonical-signing/ubuntu/ibm-gt', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True) |
168 | + result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', from_signing=True), self.ks) |
169 | + self.assertEqual(expected, result) |
170 | + |
171 | + def test_binaries_from_build_to_proposed(self): |
172 | + for package, binaries in ( |
173 | + ('linux', True), |
174 | + ('linux-signed', False), |
175 | + ('linux-meta', True), |
176 | + ('linux-restricted-modules', True), |
177 | + ): |
178 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, binaries) |
179 | + result = routing(self.FakeArgs(series='bionic', source=package), self.ks) |
180 | + self.assertEqual(expected, result) |
181 | + |
182 | + def test_binaries_from_build_to_signing(self): |
183 | + for package, binaries in ( |
184 | + ('linux', True), |
185 | + ('linux-signed', False), |
186 | + ('linux-meta', True), |
187 | + ('linux-restricted-modules', True), |
188 | + ): |
189 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries) |
190 | + result = routing(self.FakeArgs(series='focal', source=package), self.ks) |
191 | + self.assertEqual(expected, result) |
192 | + for package, binaries in ( |
193 | + ('linux-restricted-generate', True), |
194 | + ('linux-restricted-signatures', False), |
195 | + ): |
196 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries) |
197 | + result = routing(self.FakeArgs(series='focal', source=package), self.ks) |
198 | + self.assertEqual(expected, result) |
199 | + |
200 | + def test_binaries_from_build_to_signing(self): |
201 | + for package, binaries in ( |
202 | + ('linux', True), |
203 | + ('linux-signed', False), |
204 | + ('linux-meta', True), |
205 | + ('linux-restricted-modules', True), |
206 | + ): |
207 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries) |
208 | + result = routing(self.FakeArgs(series='focal', source=package), self.ks) |
209 | + self.assertEqual(expected, result) |
210 | + for package, binaries in ( |
211 | + ('linux-restricted-generate', True), |
212 | + ('linux-restricted-signatures', False), |
213 | + ): |
214 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa-ps', 'Release'], ['ppa:canonical-signing/ubuntu/primary', 'Release'], False, binaries) |
215 | + result = routing(self.FakeArgs(series='focal', source=package), self.ks) |
216 | + self.assertEqual(expected, result) |
217 | + |
218 | + def test_binaries_from_signing_to_proposed(self): |
219 | + for package, binaries in ( |
220 | + ('linux', True), |
221 | + ('linux-signed', True), |
222 | + ('linux-meta', True), |
223 | + ('linux-restricted-modules', True), |
224 | + ('linux-restricted-signatures', True), |
225 | + ): |
226 | + expected = (['ppa:canonical-signing/ubuntu/primary', 'Release'], ['ubuntu', 'Proposed'], True, binaries) |
227 | + result = routing(self.FakeArgs(series='focal', source=package, from_signing=True), self.ks) |
228 | + self.assertEqual(expected, result) |
229 | + # LRG should not go anywhere but signing. |
230 | + self.assertRaises(RoutingError, routing, self.FakeArgs(series='focal', source='linux-restricted-generate', from_signing=True), self.ks) |
231 | + |
232 | + def test_binaries_from_build_to_proposed_lrg(self): |
233 | + expected = (['ppa:canonical-kernel-team/ubuntu/ppa', 'Release'], ['ubuntu', 'Proposed'], False, True) |
234 | + result = routing(self.FakeArgs(series='focal', source='linux-contrived'), self.ks) |
235 | + self.assertEqual(expected, result) |
236 | + # LRG should not go anywhere but signing. |
237 | + self.assertRaises(RoutingError, routing, self.FakeArgs(series='focal', source='linux-restricted-generate-contrived'), self.ks) |
238 | + |
239 | def test_esm(self): |
240 | - expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False) |
241 | + expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True) |
242 | result = routing(self.FakeArgs(series='trusty', source='linux'), self.ks) |
243 | self.assertEqual(expected, result) |
244 | |
245 | def test_esm_security(self): |
246 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False) |
247 | - result = routing(self.FakeArgs(series='trusty', source='linux', security=True), self.ks) |
248 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/esm', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True) |
249 | + result = routing(self.FakeArgs(series='trusty', source='linux', security=1), self.ks) |
250 | self.assertEqual(expected, result) |
251 | |
252 | def test_esm_security2(self): |
253 | with self.assertRaises(SystemExit), self.capture() as (out, err): |
254 | - expected = (None, ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False) |
255 | - result = routing(self.FakeArgs(series='trusty', source='linux', security2=True), self.ks) |
256 | + expected = (None, ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True) |
257 | + result = routing(self.FakeArgs(series='trusty', source='linux', security=2), self.ks) |
258 | self.assertEqual(expected, result) |
259 | |
260 | def test_esm_to_signing(self): |
261 | - expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False) |
262 | + expected = (['ppa:canonical-kernel-esm/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/esm', 'Release'], False, True) |
263 | result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, to_signing=True), self.ks) |
264 | self.assertEqual(expected, result) |
265 | |
266 | def test_esm_from_signing(self): |
267 | - expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False) |
268 | + expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True) |
269 | result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, from_signing=True), self.ks) |
270 | self.assertEqual(expected, result) |
271 | |
272 | @@ -208,59 +357,66 @@ |
273 | # simple we make from_signing take presidence over to_signing. Test this |
274 | # is honoured correctly. |
275 | def test_esm_from_signing_override_to_signing(self): |
276 | - expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False) |
277 | + expected = (['ppa:canonical-signing/ubuntu/esm', 'Release'], ['ppa:canonical-kernel-esm/ubuntu/proposed', 'Release'], False, True) |
278 | result = routing(self.FakeArgs(series='trusty', source='linux', esm=True, to_signing=True, from_signing=True), self.ks) |
279 | self.assertEqual(expected, result) |
280 | |
281 | def test_fips(self): |
282 | - expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False) |
283 | + expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True) |
284 | result = routing(self.FakeArgs(series='xenial', source='linux-fips'), self.ks) |
285 | self.assertEqual(expected, result) |
286 | |
287 | def test_fips_security(self): |
288 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False) |
289 | - result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=True), self.ks) |
290 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True) |
291 | + result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=1), self.ks) |
292 | self.assertEqual(expected, result) |
293 | |
294 | def test_fips_security2(self): |
295 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False) |
296 | - result = routing(self.FakeArgs(series='xenial', source='linux-fips', security2=True), self.ks) |
297 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True) |
298 | + result = routing(self.FakeArgs(series='xenial', source='linux-fips', security=2), self.ks) |
299 | self.assertEqual(expected, result) |
300 | |
301 | def test_fips_to_signing(self): |
302 | - expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False) |
303 | + expected = (['ppa:fips-cc-stig/ubuntu/fips-build', 'Release'], ['ppa:canonical-signing/ubuntu/fips', 'Release'], False, True) |
304 | result = routing(self.FakeArgs(series='xenial', source='linux-fips', to_signing=True), self.ks) |
305 | self.assertEqual(expected, result) |
306 | |
307 | def test_fips_from_signing(self): |
308 | - expected = (['ppa:canonical-signing/ubuntu/fips', 'Release'], ['ppa:ubuntu-advantage/ubuntu/fips-proposed', 'Release'], False) |
309 | + expected = (['ppa:canonical-signing/ubuntu/fips', 'Release'], ['ppa:ubuntu-advantage/ubuntu/fips-proposed', 'Release'], False, True) |
310 | result = routing(self.FakeArgs(series='xenial', source='linux-fips', from_signing=True), self.ks) |
311 | self.assertEqual(expected, result) |
312 | |
313 | def test_ibmgt(self): |
314 | - expected = (['ppa:ibm-cloud/ubuntu/build', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False) |
315 | + expected = (['ppa:ibm-cloud/ubuntu/build', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True) |
316 | result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt'), self.ks) |
317 | self.assertEqual(expected, result) |
318 | |
319 | def test_ibmgt_security(self): |
320 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False) |
321 | - result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=True), self.ks) |
322 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True) |
323 | + result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=1), self.ks) |
324 | self.assertEqual(expected, result) |
325 | |
326 | def test_ibmgt_security2(self): |
327 | - expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False) |
328 | - result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security2=True), self.ks) |
329 | + expected = (['ppa:canonical-kernel-security-team/ubuntu/ppa2', 'Release'], ['ppa:ibm-cloud/ubuntu/proposed', 'Release'], False, True) |
330 | + result = routing(self.FakeArgs(series='bionic', source='linux-ibm-gt', security=2), self.ks) |
331 | self.assertEqual(expected, result) |
332 | |
333 | |
334 | +class RoutingError(Exception): |
335 | + pass |
336 | + |
337 | + |
338 | +unembargo_from_security = ['ppa:canonical-kernel-security-team/ubuntu/ppa' + v for v in ('', '2', '3')] |
339 | +unembargo_from_signing = ['ppa:canonical-signing/ubuntu/primary', 'ppa:canonical-signing/ubuntu/uc20'] |
340 | +unembargo_to_ok = ['ubuntu', 'ppa:canonical-kernel-team/ubuntu/uc20-staging'] |
341 | + |
342 | def routing(args, ks): |
343 | series_name = args.series |
344 | package_name = args.source |
345 | |
346 | series = ks.lookup_series(codename=series_name) |
347 | if series is None: |
348 | - print("ERROR: {} -- series unknown".format(series_name)) |
349 | - sys.exit(1) |
350 | + raise RoutingError("ERROR: {} -- series unknown".format(series_name)) |
351 | |
352 | package = None |
353 | package_signed = None |
354 | @@ -269,43 +425,38 @@ |
355 | for package_srch in source_srch.packages: |
356 | if package_srch.name == package_name: |
357 | package = package_srch |
358 | - if package_srch.type == 'signed': |
359 | + # XXX: this should be package_srch.signing |
360 | + if package_srch.type in ('signed', 'lrs'): |
361 | package_signed = package_srch |
362 | if package is not None: |
363 | break |
364 | if package is None: |
365 | - print("ERROR: {}/{} -- package unknown".format(series_name, package_name)) |
366 | - sys.exit(1) |
367 | + raise RoutingError("ERROR: {}/{} -- package unknown".format(series_name, package_name)) |
368 | |
369 | source = package.source |
370 | routing = source.routing |
371 | if routing is None: |
372 | - print("ERROR: {}/{} -- package has no routing".format(series_name, package_name)) |
373 | - sys.exit(1) |
374 | + raise RoutingError("ERROR: {}/{} -- package has no routing".format(series_name, package_name)) |
375 | |
376 | - build_archives = routing.lookup_destination('build') |
377 | + # XXX: this should be package_srch.adjunct |
378 | + if package.type in ('lrg', 'lrs'): |
379 | + build_archives = routing.lookup_destination('build-private') |
380 | + else: |
381 | + build_archives = routing.lookup_destination('build') |
382 | security_archives = routing.lookup_destination('security-build') |
383 | proposed_archive = routing.lookup_destination('proposed', primary=True) |
384 | signing_archive = routing.lookup_destination('signing', primary=True) |
385 | |
386 | if build_archives is None or len(build_archives) < 1: |
387 | - print("ERROR: {}/{} -- package has no primary build archive".format(series_name, package_name)) |
388 | - sys.exit(1) |
389 | + raise RoutingError("ERROR: {}/{} -- package has no primary build archive".format(series_name, package_name)) |
390 | if args.ppa2 and (build_archives is None or len(build_archives) < 2): |
391 | - print("ERROR: {}/{} -- package has no secondary build archive".format(series_name, package_name)) |
392 | - sys.exit(1) |
393 | + raise RoutingError("ERROR: {}/{} -- package has no secondary build archive".format(series_name, package_name)) |
394 | if build_archives is None: |
395 | - print("ERROR: {}/{} -- package has no build archive".format(series_name, package_name)) |
396 | - sys.exit(1) |
397 | + raise RoutingError("ERROR: {}/{} -- package has no build archive".format(series_name, package_name)) |
398 | if proposed_archive is None: |
399 | - print("ERROR: {}/{} -- package has no proposed archive".format(series_name, package_name)) |
400 | - sys.exit(1) |
401 | - if args.security and (security_archives is None or len(security_archives) < 1): |
402 | - print("ERROR: {}/{} -- package has no primary security archive".format(series_name, package_name)) |
403 | - sys.exit(1) |
404 | - if args.security2 and (security_archives is None or len(security_archives) < 2): |
405 | - print("ERROR: {}/{} -- package has no secondary security archive".format(series_name, package_name)) |
406 | - sys.exit(1) |
407 | + RoutingError("ERROR: {}/{} -- package has no proposed archive".format(series_name, package_name)) |
408 | + if args.security and (security_archives is None or len(security_archives) < args.security): |
409 | + RoutingError("ERROR: {}/{} -- package has no security archive #{}".format(series_name, package_name, args.security)) |
410 | |
411 | # Default route build -> proposed |
412 | if args.ppa2: |
413 | @@ -314,17 +465,9 @@ |
414 | from_archive = build_archives[0] |
415 | to_archive = proposed_archive |
416 | |
417 | - unembargo = False |
418 | - |
419 | # Handle security routing. |
420 | if args.security: |
421 | - from_archive = security_archives[0] |
422 | - if args.security2: |
423 | - from_archive = security_archives[1] |
424 | - |
425 | - # Allow us to unembargo when releasing from security to ubuntu. |
426 | - if (args.security or args.security2) and to_archive[0] == 'ubuntu': |
427 | - unembargo = True |
428 | + from_archive = security_archives[args.security - 1] |
429 | |
430 | # Handle signing routing. |
431 | if args.from_signing: |
432 | @@ -335,6 +478,23 @@ |
433 | elif args.no_auto is False and signing_archive is not None and package_signed is not None: |
434 | to_archive = signing_archive |
435 | |
436 | + # Allow us to unembargo when releasing from security. Ensure the source |
437 | + # is somewhere where we expect things which are public. |
438 | + unembargo = args.unembargo |
439 | + if args.security and from_archive[0] in unembargo_from_security and to_archive[0] in unembargo_to_ok: |
440 | + unembargo = True |
441 | + elif signing_archive and args.from_signing and from_archive[0] in unembargo_from_signing and to_archive[0] in unembargo_to_ok: |
442 | + unembargo = True |
443 | + |
444 | + # We should be copying binaries for non-'signing' packages |
445 | + # when on their way to somewhere where signing is intended. |
446 | + binaries = True |
447 | + # XXX: this should be package_srch.signing |
448 | + if (package.type in ('signed', 'lrs') and |
449 | + (to_archive == signing_archive or |
450 | + (from_archive != signing_archive and to_archive == proposed_archive))): |
451 | + binaries = False |
452 | + |
453 | # Announce the routing if needed. |
454 | if (args.testing is False and (routing.name != 'default' or from_archive == signing_archive or to_archive == signing_archive)): |
455 | msg = "NOTE: directing copy using {} routes".format(routing.name) |
456 | @@ -344,7 +504,12 @@ |
457 | msg += ' to signing' |
458 | print(msg) |
459 | |
460 | - return (from_archive, to_archive, unembargo) |
461 | + |
462 | + # It is only safe to copy linux-restricted-generate to signing. Refuse to copy. |
463 | + if package.type == 'lrg' and to_archive != signing_archive: |
464 | + raise RoutingError("ERROR: {}/{} -- package type lrg is embargoed, copy only allowed to signing".format(series_name, package_name)) |
465 | + |
466 | + return (from_archive, to_archive, unembargo, binaries) |
467 | |
468 | |
469 | # SELF-TESTS: |
470 | @@ -356,14 +521,16 @@ |
471 | parser.set_defaults(testing=False) |
472 | parser.add_argument('--dry-run', action='store_true', help='Do everything but actually copy the package') |
473 | parser.add_argument('--ppa2', action='store_true', help='Copy from the kernel build PPA2') |
474 | -parser.add_argument('--security', '-S', action='store_true', help='Copy from the kernel security PPA') |
475 | -parser.add_argument('--security2', action='store_true', help='Copy from the kernel security PPA2') |
476 | +parser.add_argument('--security', '-S', action='store_const', const=1, help='Copy from the kernel security PPA') |
477 | +parser.add_argument('--security2', action='store_const', const=2, dest='security', help='Copy from the kernel security PPA2') |
478 | +parser.add_argument('--security3', action='store_const', const=3, dest='security', help='Copy from the kernel security PPA3') |
479 | parser.add_argument('--esm', '-E', action='store_true', help='Copy from the kernel ESM PPA and to the kernel ESM proposed PPA') |
480 | parser.add_argument('--fips', action='store_true', help='Copy from the kernel FIPS PPA and to the kernel FIPS proposed PPA') |
481 | parser.add_argument('--ibmgt', action='store_true', help='Copy from the kernel IBM-GT build PPA to the corresponding proposed PPA') |
482 | parser.add_argument('--no-auto', action='store_true', help='Turn off automatic detection of ESM et al based on series') |
483 | parser.add_argument('--to-signing', action='store_true', help='Copy from the kernel ESM/FIPS PPA to the ESM/FIPS signing PPA') |
484 | parser.add_argument('--from-signing', action='store_true', help='Copy from the ESM/FIPS signing PPA to the ESM/FIPS proposed PPA') |
485 | +parser.add_argument('--unembargo', action='store_true', default=False, help='Allow copies from private PPAs') |
486 | parser.add_argument('series', action='store', help='The series the source package is in') |
487 | parser.add_argument('source', action='store', nargs='+', help='The source package name') |
488 | |
489 | @@ -386,8 +553,12 @@ |
490 | # BODGE: routing should just take release/pkg. |
491 | args.source = pkg |
492 | |
493 | - (from_archive, to_archive, security) = routing(args, ks) |
494 | + try: |
495 | + (from_archive, to_archive, unembargo, include_binaries) = routing(args, ks) |
496 | ##print("from_archive<{}> to_archive<{}>".format(from_archive, to_archive)) |
497 | + except RoutingError as e: |
498 | + print("ERROR: {}", e.args[0]) |
499 | + sys.exit(1) |
500 | |
501 | if from_archive is None: |
502 | print("ERROR: bad source PPA") |
503 | @@ -414,11 +585,6 @@ |
504 | if versions.total_size == 1: |
505 | version = versions[0].source_package_version |
506 | |
507 | - include_binaries = (pkg not in ('debian-installer') |
508 | - and not pkg.startswith('linux-signed')) |
509 | - if args.from_signing: |
510 | - include_binaries = True |
511 | - |
512 | print("""Copying {}/{}: |
513 | From: {} {} {} |
514 | To: {} {} {} |
515 | @@ -426,7 +592,8 @@ |
516 | |
517 | if not version: |
518 | print("ERROR: no version to copy") |
519 | - sys.exit(1) |
520 | + if not args.dry_run: |
521 | + sys.exit(1) |
522 | |
523 | copies.append({ |
524 | 'from_archive': from_archive, |
525 | @@ -436,7 +603,7 @@ |
526 | 'to_pocket': to_pocket, |
527 | 'version': version, |
528 | 'auto_approve': True, |
529 | - 'unembargo': security, |
530 | + 'unembargo': unembargo, |
531 | }) |
532 | |
533 | if args.dry_run: |
Generally looks good. A whitespace comment inline, but that's not really important.
One thing I just would like to make sure is intended: from the commit messages I understood that we do not want to allow unembargoing only for selected, safe places. But this can be overriden via the --unembargo argument, right? So it's like a hard override, skipping over all checks, right?