Commit 0ace60ca authored by Andrew Lee (李健秋)'s avatar Andrew Lee (李健秋)

Merge branch 'debian/master' into merge-debian-master

Signed-off-by: Andrew Lee's avatarAndrew Lee (李健秋) <andrew.lee@collabora.co.uk>
parents ee18240a 83c71b20
......@@ -121,6 +121,7 @@ Depends: apt-utils,
cpio,
curl,
debootstrap,
fdisk | util-linux (<< 2.29.2-3~),
libcompress-raw-zlib-perl,
libtimedate-perl,
libxml-parser-perl,
......@@ -131,7 +132,6 @@ Depends: apt-utils,
psmisc,
rpm,
screen,
util-linux (>= 2.16),
${misc:Depends},
${shlibs:Depends}
Description: Open Build Service (build host component)
......
......@@ -5,6 +5,7 @@ Listen 82
# Passenger defaults
PassengerSpawnMethod "smart"
PassengerMaxPoolSize 20
PassengerDefaultUser obsapi
#RailsEnv "development"
# allow long request urls and being part of headers
......
#!/bin/sh -e
# Add obsapi user and group to run the passenger RubyApp
if ! getent group obsapi > /dev/null; then
addgroup --system --quiet obsapi
fi
if ! getent passwd obsapi > /dev/null; then
adduser --system --quiet \
--ingroup obsapi --shell /bin/false \
--no-create-home --home /nonexistent obsapi
usermod -c "User for build service api/webui" obsapi
fi
# Place api and repo url on index page
if [ ! -f /usr/share/obs/overview/index.html ] ; then
FQHOSTNAME=`hostname -f`
......@@ -13,13 +24,19 @@ fi
if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
rm -f /usr/share/obs/api/config/secret.key
fi
SECRET_KEY="/etc/obs/api/config/secret.key"
if [ ! -e "$SECRET_KEY" ]; then
( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
touch $SECRET_KEY
chmod 0640 $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
fi
else
# cope with upgrades here to ensure that obsapi user own the key.
chmod 0640 $SECRET_KEY
chown nobody:www-data $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
fi
# Generate log files
touch /var/log/obs/access.log
......
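Review bot: The new `chmod 0640 $SECRET_KEY` and `chown obsapi:www-data $SECRET_KEY` lines leave the Rails secret readable by group www-data, so the web-server account can still read it even though the application now runs as the dedicated obsapi user. If nothing running as www-data needs the key, `chown obsapi:obsapi "$SECRET_KEY"` with `chmod 0600 "$SECRET_KEY"` would complete the separation. The same question applies to the `chown obsapi:www-data` / `chmod 440` on database.yml in the later maintainer-script section. The `$SECRET_KEY` expansions on these lines are also unquoted, unlike the `[ ! -e "$SECRET_KEY" ]` test above them.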
......@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
# Disable the obs site if not already disabled
a2dissite obs.conf > /dev/null || true
fi
# Delete obsapi user and group
deluser --system --quiet obsapi || true
delgroup --system --quiet obsapi || true
# Restart Apache to really unload obs.conf
reload_apache restart
fi
......
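Review bot: Removing the account with `deluser --system --quiet obsapi || true` frees its UID while files the postinst chowned to obsapi (the secret key, database.yml, the logs under /var/log/obs) may still exist, and a system account created later can receive the same UID and would then own them. Remove or re-own those files before the `deluser` call, or keep the account on purge. Judging by the hunk header this sits in the `purge` branch, which starts outside the hunk, so it is not visible here whether those files are already removed earlier.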
Author: Michael Schroeder <mls@suse.de>
Date: Mon Mar 20 10:28:41 2017 +0100
[backend] ignore symlinks in build result
[backend] only allow plain files in cpio_sender
No devices, sockets, directories, symlinks please...
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661, https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Bug: https://bugzilla.suse.com/show_bug.cgi?id=1029824
Bug-Debian: https://bugs.debian.org/900133
--- a/src/backend/bs_worker
+++ b/src/backend/bs_worker
@@ -3394,7 +3394,7 @@ if ($ex == 0) {
undef $kiwitree unless @$kiwitree;
undef $kiwitree if defined($BSConfig::nokiwitree) && $BSConfig::nokiwitree;
}
- @files = grep {-f "$buildroot/.build.packages/$d/$_"} @files;
+ @files = grep {! -l "$buildroot/.build.packages/$d/$_" && -f _} @files;
push @send, map {"$buildroot/.build.packages/$d/$_"} @files;
}
@send = map {{name => (split('/', $_))[-1], filename => $_}} @send;
--- a/src/backend/BSHTTP.pm
+++ b/src/backend/BSHTTP.pm
@@ -357,13 +357,24 @@ sub cpio_sender {
my $filename = $file->{'filename'};
if (ref($filename)) {
*F = $filename;
- } elsif (!open(F, '<', $filename)) {
- $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
- next;
+ } else {
+ @s = lstat($filename);
+ if (!@s) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
+ if (-l _ || ! -f _) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: not a plain file\n";
+ next;
+ }
+ if (!open(F, '<', $filename)) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
}
@s = stat(F);
if (!@s) {
- $errors->{'data'} .= "$file->{'name'}: stat: $!\n";
+ $errors->{'data'} .= "$file->{'name'}: fstat: $!\n";
close F unless ref $filename;
next;
}
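Review bot: The plain-file test in cpio_sender is made on the path with `lstat($filename)` and the file is then opened by the same path, so the object behind `open(F, '<', $filename)` can differ from the one that was checked if the path is replaced between the two calls. The `@s = stat(F)` that follows already describes the opened handle. For the non-ref case, keep the lstat result in its own array (say `@ls`) and, after `stat(F)` succeeds, skip the file unless `-f _` holds and `$s[0] == $ls[0] && $s[1] == $ls[1]`, closing F and appending an error line as the other branches do. The same gap exists between the `grep {! -l ... && -f _}` filter in bs_worker and the later send, which this check would also cover. cpio_sender continues past the end of the hunk, so a later check may exist that is not visible here.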
From be9fc5f2f7c564392948f127faff6486225ba8e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= <bgeuken@suse.de>
Date: Mon, 26 Jun 2017 15:06:51 +0200
Subject: [PATCH] [dist] Use 2.7 packages for testing 2.7 branch in travis
---
dist/ci/obs_testsuite_travis_install.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits
diff --git a/dist/ci/obs_testsuite_travis_install.sh b/dist/ci/obs_testsuite_travis_install.sh
index 85238dbd1..f9ecadaeb 100755
--- a/dist/ci/obs_testsuite_travis_install.sh
+++ b/dist/ci/obs_testsuite_travis_install.sh
@@ -8,7 +8,7 @@ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C5C219E7
# Install updates from our own repository
sudo chmod a+w /etc/apt/sources.list.d
-echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/Unstable/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list
+echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/2.7/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list
# We could use this to only update the package list from the OBS,
# but apprently this is not possible anymore. So we update all package lists.
--
2.11.0
commit 3b73dab1a9e676e28334df10fac7c054418228a8
Author: Michael Schroeder <mls@suse.de>
Date: Fri Mar 17 10:49:14 2017 +0100
[backend] fix kiwitree symlink check
Bad code copied from the build package. Sigh.
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8
--- a/src/backend/bs_repserver
+++ b/src/backend/bs_repserver
@@ -1743,7 +1743,7 @@ sub receivekiwitree {
} elsif ($type eq 'l') {
$extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
die("bad symlink\n") if "/$extra/" =~ /\/\.?\//;
- if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) {
my ($head, $tail) = ($1, $2);
die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//;
die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!);
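Review bot: The depth check `($head =~ y!/!!) > ($file =~ y!/!!)` only works if `$head` holds every leading `/..` component, which is exactly what the old capture group got wrong, and nothing on these lines states that invariant. A short comment above the match, e.g. `# $head = all leading "/.." components; a link may climb at most as many levels as $file is deep`, would make it reviewable. Writing the pattern as `m{^((?:/\.\.)+)/(.*?)$}s` would also drop the escaped slashes. receivekiwitree starts and ends outside the hunk.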
commit d4bddd6df495cc436185961fb497dacedc046008
Author: Adrian Schröter <adrian@suse.de>
Date: Thu Jun 22 12:12:01 2017 +0200
[webui] Handle links properly when doing backend build operations
OBS wasn't properly handling linked projects when triggering rebuilds,
wipe binaries and abort build. This resulted in packages of linked
projects being aborted, wiped, rebuilt.
This fixes the falsey code.
Pair-programmed with @eduardoj and @bgeuken
Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits
--- a/src/api/app/models/package.rb
+++ b/src/api/app/models/package.rb
@@ -1344,22 +1344,23 @@ class Package < ActiveRecord::Base
self
end
+ #### WARNING: these operations run in build object, not this package object
def rebuild(params)
- backend_build_command(:rebuild, params.slice(:package, :arch, :repository))
+ backend_build_command(:rebuild, params[:project], params.slice(:package, :arch, :repository))
end
def wipe_binaries(params)
- backend_build_command(:wipe, params.slice(:package, :arch, :repository))
+ backend_build_command(:wipe, params[:project], params.slice(:package, :arch, :repository))
end
def abort_build(params)
- backend_build_command(:abortbuild, params.slice(:package, :arch, :repository))
+ backend_build_command(:abortbuild, params[:project], params.slice(:package, :arch, :repository))
end
- def backend_build_command(command, params)
+ def backend_build_command(command, build_project, params)
begin
- Suse::Backend.post("/build/#{URI.escape(project.name)}?cmd=#{command}&#{params.to_query}", '')
- rescue ActiveXML::Transport::Error, Timeout::Error => e
+ Suse::Backend.post("/build/#{URI.escape(build_project)}?cmd=#{command}&#{params.to_query}", '')
+ rescue ActiveXML::Transport::Error, Timeout::Error, Project::WritePermissionError => e
errors.add(:base, e.message)
return false
end
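Review bot: `backend_build_command` now builds the backend path from `params[:project]`, a request value, where it previously used `project.name` from the loaded record, and `URI.escape` leaves reserved characters such as `/`, `?` and `&` unescaped, so the value is not confined to one path segment. Resolve the name to a project the caller is allowed to modify before posting, and escape it as a single segment, e.g. `CGI.escape(build_project)`. A missing `params[:project]` would also reach `URI.escape(nil)` and raise an error that the `rescue` list does not cover. `Project::WritePermissionError` is added to that list, but no permission check is visible between `begin` and the post, so it presumably originates elsewhere; the method body continues outside the hunk.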
......@@ -15,6 +15,10 @@ missing-codemirror-js.patch
Do-not-ship-database.yml.patch
localgem.patch
disable-slp.patch
CVE-2017-5188.patch
fix-kiwitree-symlink.patch
handle-links-properly.patch
dist-Use-2.7-packages-for-testing.patch
Add_global_configuration_for_a_shared_reprepro.patch
Add_--ignore=unusedarch_to_reprepro_params.patch
publish_Also_accept_udebs_into_reprepro_repository.patch
......
......@@ -26,10 +26,10 @@ case "$1" in
chown -R www-data:www-data /usr/share/obs/api/public
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log
chown nobody:www-data /etc/obs/api/config/database.yml
chmod 660 /etc/obs/api/config/database.yml
chown nobody:www-data /var/log/obs/backend_access.log
chown nobody:www-data /var/log/obs/production.log
chown obsapi:www-data /etc/obs/api/config/database.yml
chmod 440 /etc/obs/api/config/database.yml
chown obsapi:www-data /var/log/obs/backend_access.log
chown obsapi:www-data /var/log/obs/production.log
# Generate Gemfile.lock file.
cd /usr/share/obs/api
......
......@@ -69,6 +69,9 @@ override_dh_install:
# Fix Mark scripts as executable until upstream fixes
chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
# Remove useless Gemfile.lock
rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
override_dh_systemd_enable:
dh_systemd_enable -p obs-server \
obsrepserver.service \
......