[PATCH 2/2] Better infrastructure for newcomers

[Antonio Terceiro]

- checkout now works without needing to touch ~/.mrtrust

- setup will prepare evertyhing need to build packages

- build will do builds "the right way"

- upload will do uploads "the right way". It has been adapted from a
  locally-modified copy of the original Ruby team upload script I had
  been cultivating for quite some time. It will handle correctly
  source-only uploads (not to NEW or security uploads etc), running
  lintian, running autopkgtest, etc.

- upload-no-build will do uploads "the right way" assuming the build is
  already ok.

A Vagrantfile is provided as a convenience.
---
 Vagrantfile     |  10 ++++
 build           |   1 +
 checkout        |   2 +-
 setup           |  26 ++++++++
 upload          | 180 +++++++++++++++++++++++++++++++++++++++++++++++++-------
 upload-no-build |   1 +
 6 files changed, 198 insertions(+), 22 deletions(-)
 create mode 100644 Vagrantfile
 create mode 120000 build
 create mode 100755 setup
 create mode 120000 upload-no-build

diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..7dfe460
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,10 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+  config.vm.box = "debian/sid64"
+  config.vm.provision :shell do |shell|
+    shell.privileged = false
+    shell.path = 'setup'
+  end
+end
diff --git a/build b/build
new file mode 120000
index 0000000..53c3962
--- /dev/null
+++ b/build
@@ -0,0 +1 @@
+upload
\ No newline at end of file
diff --git a/checkout b/checkout
index 42e5dc5..08765d9 100755
--- a/checkout
+++ b/checkout
@@ -3,5 +3,5 @@
 set -e
 
 for repo in $@; do
-       mr --force -d $repo checkout
+       mr --trust-all --force -d $repo checkout
 done
diff --git a/setup b/setup
new file mode 100755
index 0000000..8d2b8c2
--- /dev/null
+++ b/setup
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -exu
+
+sudo apt-get install -qy gem2deb git git-buildpackage myrepos sbuild 
autopkgtest
+
+sudo mkdir -p /root/.gnupg # To work around #792100
+sudo sbuild-update --keygen
+sudo sbuild-adduser $USER
+
+chrootname=unstable-$(dpkg --print-architecture)-sbuild
+chroot=/srv/chroots/$chrootname
+if schroot --list --all-source-chroots  | grep unstable-amd64-sbuild; then
+  :
+else
+  sudo sbuild-createchroot unstable $chroot http://httpredir.debian.org/debian
+fi
+for conf in $(grep -l '^union-type=' /etc/schroot/chroot.d/*-sbuild*); do
+  if ! grep -q "^union-overlay-directory=" "$conf" ; then
+    echo 'union-overlay-directory=/dev/shm' | sudo tee --append "$conf"
+  fi
+done
+
+if ! grep -q /var/cache/apt/archives /etc/schroot/sbuild/fstab; then
+  sudo sh -c 'echo /var/cache/apt/archives /var/cache/apt/archives none 
rw,bind 0 0 >>/etc/schroot/sbuild/fstab'
+fi
diff --git a/upload b/upload
index b51739e..9b39b82 100755
--- a/upload
+++ b/upload
@@ -2,15 +2,34 @@
 
 set -e
 
+BUILD=no
+UPLOAD=no
+PROGRAM_NAME=$(basename $0)
+case "$PROGRAM_NAME" in
+  build)
+    BUILD=yes
+    UPLOAD=no
+    ;;
+  upload)
+    BUILD=yes
+    UPLOAD=yes
+    ;;
+  upload-no-build)
+    BUILD=no
+    UPLOAD=yes
+    ;;
+esac
+
 if ! [ -e debian/changelog ]; then
   echo "Not inside a Debian package!"
   exit 1
 fi
 
-if grep --quiet UNRELEASED debian/changelog; then
-    echo "Uploading files for distribution UNRELEASED to ftp-master" \
-         "is not allowed!"
+if [ -x debian/release-check ]; then
+  if ! debian/release-check; then
+    echo "aborting release because debian/release-check failed"
     exit 1
+  fi
 fi
 
 highlight() {
@@ -32,11 +51,11 @@ warning() {
   printf "\n"
 }
 
-# build
-gbp buildpackage --git-pbuilder
-
 # check
 check_package() {
+  banner "Overall package contents"
+  debc "$changes"
+
   banner "Changelog"
   dpkg-parsechangelog
 
@@ -47,31 +66,150 @@ check_package() {
 
   if grep -q Build-Depends:.*gem2deb debian/control; then
     banner "Rubygems integration"
-    debc | grep gemspec | sed 's/.*\s//'
+    debc | grep 'gemspec$' | sed 's/.*\s//'
     echo
   fi
 
-  banner "Overall package contents"
-  debc
+  if [ -f debian/tests/control ] || grep -q '^\(XS-\)\?Testsuite:' 
debian/control; then
+    banner "This package has a test suite!"
+    if confirm "Run the test suite now? [Y/n]" y; then
+      adt_dist="$distribution"
+      if [ "$adt_dist" = unstable ]; then
+        adt_dist=sid
+      fi
+      rc=0
+      adt-run --apt-upgrade --shell-fail "$changes" --- lxc --sudo 
adt-"$adt_dist"-"$arch" || rc=$?
+      if [ $rc -ne 0 ]; then
+        warning "Test suite failed! Please verify before uploading"
+      fi
+    else
+      echo "OK, but you should probably run the test suite before uploading!"
+    fi
+  fi
 }
 
-check_package | less -FRSX
+confirm() {
+  prompt="$1"
+  default="${2:-n}"
+  printf "$prompt"
+  read confirm
+  if [ -z "$confirm" ]; then
+    confirm="$default"
+  fi
+  [ "$confirm" = 'y' ] || [ "$confirm" = 'Y' ]
+}
 
-printf "Proceed with the upload? [y/N] "
-read proceed
-if [ "$proceed" != 'y' ] && [ "$proceed" != 'Y' ]; then
-  echo "Aborted upon your request."
-  exit 2
+ask_to_proceed() {
+  if ! confirm "$@"; then
+    echo "Aborted upon your request."
+    exit 2
+  fi
+}
+
+source=$(dpkg-parsechangelog -SSource)
+version=$(dpkg-parsechangelog -SVersion | sed -e 's/^[0-9]\+://') # remove 
epoch
+arch=$(dpkg --print-architecture)
+changes=${source}_${version}_${arch}.changes
+if [ -e "../$changes" ]; then
+  changes="../$changes"
+else
+  if [ -e "../build-area/$changes" ]; then
+    changes="../build-area/$changes"
+  else
+    "echo E: $changes not found!"
+    exit 1
+  fi
 fi
 
-# tag
-gbp buildpackage --git-tag-only
+# target distribution/host
+distribution=$(dpkg-parsechangelog -SDistribution)
+host=ftp-master
+git_builder=--git-builder=sbuild\ --arch-all\ --source
+case "$distribution" in
+  *-security)
+    git_builder="$git_builder"\ --git-ignore-branch
+    if confirm "Security upload detected; include orig source? [Y/n]" y; then
+      git_builder="$git_builder"\ --force-orig-source
+    fi
+    host=security-master
+    ;;
+  UNRELEASED)
+    git_builder="$git_builder"\ -c\ unstable-${arch}-sbuild
+    ;;
+  *)
+    git_builder="$git_builder"\ -d\ $distribution
+    true
+esac
+
+# check urgency for security upload
+if [ "$host" = 'security-master' ] || dpkg-parsechangelog | grep -q CVE; then
+  urgency=$(dpkg-parsechangelog -SUrgency)
+  if [ "$urgency" != 'high' ] && [ "$distribution" != "unstable" ] && [ 
"$distribution" != 'UNRELEASED' ]; then
+    echo "Security upload should have urgency=high"
+    exit 1
+  fi
+fi
 
-# push
-git push origin : --follow-tags
+buildprogram=gbp\ buildpackage\ --git-ignore-branch
+
+# build
+if [ "$BUILD" = 'yes' ]; then
+  gbp buildpackage $git_builder "$@"
+fi
+
+if [ "$UPLOAD" = 'no' ]; then
+  exit 0
+fi
+
+check_package 2>&1
+
+ask_to_proceed "Proceed with the upload to \033[38;1;1m${host}\033[m? [y/N] "
+
+# cleanup
+git checkout .
+git clean -dxf
+
+gbp buildpackage --git-tag-only --git-ignore-branch
+
+SOURCE=yes
+NEW=no
+
+case "$distribution" in
+  unstable|experimental)
+    # source only uploads are OK
+    SOURCE=yes
+    ;;
+  *)
+    # source only uploads not OK
+    SOURCE=no
+    ;;
+esac
+
+if [ $(grep -c "^${source}\s" debian/changelog) -eq 1 ]; then
+  NEW=yes
+  # must always upload binaries to NEW
+  SOURCE=no
+fi
+
+if [ $SOURCE = yes ]; then
+  $buildprogram -S "$@"
+  changes=${changes%%_${arch}.changes}_source.changes
+fi
 
 # sign
-debsign
+debsign "$changes"
+
+# push
+if [ $NEW = yes ]; then
+  git push -u --all
+else
+  current_branch=$(git symbolic-ref HEAD | sed 's#refs/heads/##')
+  if [ "$current_branch" != master -a ! -f 
.git/refs/remotes/origin/$current_branch ]; then
+    git push -u origin "$current_branch"
+  fi
+  git push origin :
+fi
+git push --tags
 
 # upload
-debrelease
+dput "$host" "$changes"
diff --git a/upload-no-build b/upload-no-build
new file mode 120000
index 0000000..53c3962
--- /dev/null
+++ b/upload-no-build
@@ -0,0 +1 @@
+upload
\ No newline at end of file
-- 
2.7.0