Re: svn commit: r1902582 - /subversion/trunk/tools/dist/release.py

Wed, 13 Jul 2022 06:57:58 -0700 

dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 20:47:42 -0000:
> +++ subversion/trunk/tools/dist/release.py Fri Jul  8 20:47:42 2022
> @@ -980,7 +979,12 @@ def roll_tarballs(args):
>          # from a committer's LDAP profile down the road)
>          basename = 'subversion-%s.KEYS' % (str(args.version),)
>          filepath = os.path.join(get_tempdir(args.base_dir), basename)
> -        download_file(KEYS, filepath, None)
> +        # The following code require release.py to be executed within a
> +        # complete wc, not a shallow wc as indicated in HACKING as one 
> option.
> +        # We /could/ download COMMITTERS from /trunk if it doesn't exist...

Well, could you please either change HACKING or download COMMITTERS?
The code for the latter is basically the tempfile+urlopen mechanics from
the next hunk of this very diff.

> +        subprocess.check_call([os.path.dirname(__file__) + '/make-keys.sh',
> +                               '-c', os.path.dirname(__file__) + '/../..',
> +                               '-o', filepath])
>          shutil.move(filepath, get_target(args))
>  
>      # And we're done!
> @@ -1465,12 +1469,11 @@ def check_sigs(args):
>  
>  def get_keys(args):
>      'Import the LDAP-based KEYS file to gpg'
> -    # We use a tempfile because urlopen() objects don't have a .fileno()
> -    with tempfile.SpooledTemporaryFile() as fd:
> -        fd.write(urlopen(KEYS).read())
> -        fd.flush()
> -        fd.seek(0)
> -        subprocess.check_call(['gpg', '--import'], stdin=fd)
> +    with tempfile.NamedTemporaryFile(delete=False) as tmpfile:
> +      keyspath = tmpfile.name
> +    subprocess.check_call([os.path.dirname(__file__) + '/make-keys.sh', 
> '-c', os.path.dirname(__file__) + '/../..', '-o', keyspath])
> +    subprocess.check_call(['gpg', '--import', keyspath])
> +    os.remove(keyspath)

That's not how one uses NamedTemporaryFile().

Generally, all uses of the file should be inside the «with» block, and
unlinking the file should be left to block's implicit handling
(tmpfile.__exit__()).

As written, however, NamedTemporaryFile() is used as though it were
a "generate a safe temporary name" API.  That means the file is not
created atomically and won't be cleaned up if subprocess.check_call()
raises an exception.

Could you rewrite so the file isn't used outside its «with» block?

>  def add_to_changes_dict(changes_dict, audience, section, change, revision):
>      # Normalize arguments
> 
>

Reply via email to