Hi

Thanks for the suggestion. I like the solution. The question is whether we
should do this for more commands or not.

// Ola


On Mon, Jul 21, 2014 at 12:27 AM, Ron <[email protected]> wrote:

> Package: debarchiver
> Version: 0.10.1
> Severity: normal
>
> Hi Ola,
>
> I ran into another quirk today :)  The way that $vrfycmd is used means
> it's not directly possible to set that to a command that requires some
> arguments other than the changes file.
>
> What I wanted to do was this:
>
>  $vrfycmd = "dscverify --no-default-keyrings --keyring
> /var/lib/debarchiver/.gnupg/pubring.gpg";
>
> So that I could sign packages uploaded to this repo with a different key
> to the one that is in the DD keyring, to avoid there ever being any sort
> of accident with them actually getting pushed into a distro upload queue
> (either by me, or by someone else later).
>
> It looks like there's a few easy options to fix this though.
> My favourite so far is the patch below, which is backward compatible for
> any existing user config, but lets me instead do:
>
>  @vrfycmd = ("dscverify", "--no-default-keyrings", "--keyring",
>              "/var/lib/debarchiver/.gnupg/pubring.gpg");
>
> Which ensures there'll never be any quoting issues for weird arguments.
>
> Alternatively we could do system("$vrfycmd $cfile"), but that has a
> different set of pros and cons.
>
> It looks like the rest of the *cmd options go through cmdaction() so
> they don't have this problem.
>
> If you like this version, it probably also wants a oneliner in the
> sample debarchiver.conf too to note @vrfycmd can be an array now.
>
>   Cheers,
>   Ron
>
>
> --- /usr/bin/debarchiver        2014-07-21 06:05:08.059769856 +0930
> +++ debarchiver 2014-07-21 07:22:11.316828267 +0930
> @@ -96,6 +96,7 @@
>  $rmcmd = "rm -f";
>  $movecmd = "mv";
>  $vrfycmd = "dscverify";
> +@vrfycmd = ($vrfycmd);
>  $cachedir = "/var/cache/debarchiver";
>  $inputdir = "/var/lib/debarchiver/incoming";
>  $destdir = "/var/lib/debarchiver/dists";
> @@ -1742,9 +1743,9 @@
>      }
>      # Verify signatures.
>      if ($verify) {
> -       if (system($vrfycmd,$cfile)) { # non-zero == verification failure
> +       if (system(@vrfycmd,$cfile)) { # non-zero == verification failure
>             pdebug(4, "Signature verification failed for $cfile");
> -           $CConf{ERROR} = "$CConf{ERROR}$vrfycmd was not able to verify
> $cfile.\n";
> +           $CConf{ERROR} = "$CConf{ERROR}@vrfycmd was not able to verify
> $cfile.\n";
>             return "reject";
>         }
>      }
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Annebergsslingan 37        \
|  [email protected]                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply via email to