Hello Ansgar, I just created the attached patch. It's untested for now, but I wanted you to check whether the approach matches your expectations.
There's a new configuration entry DInstall::UploadMailRecipients that lists the recipients of the mails, either static ones (like [email protected]) or dynamic ones (like "maintainer", "changed_by" or "signer"). Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
>From 22dd9037264c7d5ca9cf9e85ab1c1ab1f75ae913 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <[email protected]> Date: Tue, 1 Dec 2015 16:20:22 +0100 Subject: [PATCH] Implement DInstall::UploadMailRecipients to control recipients of upload mails WORK IN PROGRESS This new setting lets you configure the list of recipients of upload mails (Accepted/Rejected), you can mix harcoded emails and the special keywords "maintainer", "changed_by" and "signer" which get replaced by the corresponding address extracted from the upload data. The goal is that the security archive only sends mails to the security team and to the person who signed the upload to not leak any information about embargoed uploads. Status: not tested yet --- config/debian-security/dak.conf | 5 ++++- daklib/utils.py | 39 +++++++++++++++++++++++++++++++++------ 2 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index ad47e33..c8ff8c3 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -18,7 +18,10 @@ Dinstall
 BXANotify "false";
 DefaultSuite "stable";
 SuiteSuffix "updates/";
- OverrideMaintainer "[email protected]";
+ UploadMailRecipients {
+ "[email protected]";
+ "signer";
+ };
 LegacyStableHasNoSections "false";
 AllowSourceOnlyUploads "true";
 };
diff --git a/daklib/utils.py b/daklib/utils.py
index 518d66e..3e41b2a 100644
--- a/daklib/utils.py
+++ b/daklib/utils.py
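Review bot: The new `UploadMailRecipients` block in config/debian-security/dak.conf has no comment explaining why "maintainer" and "changed_by" are left out, so a later edit could add them and start announcing embargoed uploads outside the security team. I would put a line such as `// Keep to the team address and "signer": embargoed uploads must not be mailed to maintainer/changed_by.` above the block. The hunk also drops `OverrideMaintainer`; whether anything outside this patch still reads that key is not visible here and is worth checking before it is removed.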
@@ -1086,13 +1086,40 @@ def mail_addresses_for_upload(maintainer, changed_by, fingerprint): @return: list of RFC 2047-encoded mail addresses to contact regarding this upload """ - addresses = [maintainer] - if changed_by != maintainer: - addresses.append(changed_by) + recipients = Cnf.value_list('Dinstall::UploadMailRecipients') + if not recipients: + recipients = [ + 'maintainer', + 'changed_by', + 'signer' + ] + + addresses = [] + emails_added = {} + for recipient in recipients: + if '@' in recipient: # Email hardcoded in config + address = recipient + elif recipient == 'maintainer': + address = maintainer + elif recipient == 'changed_by': + address = changed_by + elif recipient == 'signer': + fpr_addresses = gpg_get_key_addresses(fingerprint) + for fpr_addr in fpr_addresses: + if fpr_addr in emails_added: + break # The signer already gets a copy via another email + else: + if len(fpr_addresses) > 0: + address = fpr_addresses[0] + else: + raise Exception('Unsupported entry in {0}: {1}'.format( + 'Dinstall::UploadMailRecipients', recipient)) - fpr_addresses = gpg_get_key_addresses(fingerprint) - if len(fpr_addresses) > 0 and fix_maintainer(changed_by)[3] not in fpr_addresses and fix_maintainer(maintainer)[3] not in fpr_addresses: - addresses.append(fpr_addresses[0]) + if address is not None: + email = fix_maintainer(address)[3] + if email not in emails_added: + addresses.append(address) + emails_added[email] = True encoded_addresses = [ fix_maintainer(e)[1] for e in addresses ] return encoded_addresses -- 2.6.2.409.gb049f0a
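Review bot: `address` is never reset inside the `for recipient in recipients:` loop, so the "signer" branch can fall through without assigning it. That happens when the key has no addresses or the inner loop breaks: `address` is then unbound if "signer" is the first entry (the later `if address is not None:` raises UnboundLocalError), or it still holds the previous recipient. Starting the loop body with `address = None` makes that guard do what it appears to be meant for. Separately, the empty-setting fallback to maintainer/changed_by/signer fails open: an archive that omits or misspells the key (the commit message writes `DInstall::`, the code reads `Dinstall::`) mails all three, which for the security archive is the leak this patch is meant to prevent, so a comment at the fallback should say so. Indentation is lost on this page, so the `for`/`else` pairing is inferred, and the function starts above the hunk.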

