OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   08-Jan-2004 16:18:13
  Branch: HEAD                             Handle: 2004010815181300

  Added files:
    openpkg-web/security    release.pl

  Log:
    add newborn SA release tool

  Summary:
    Revision    Changes     Path
    1.1         +131 -0     openpkg-web/security/release.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/release.pl
  ============================================================================
  $ cvs diff -u -r0 -r1.1 release.pl
  --- /dev/null 2004-01-08 16:18:13.000000000 +0100
  +++ release.pl        2004-01-08 16:18:13.000000000 +0100
  @@ -0,0 +1,131 @@
  +#!/e/openpkg/sw/bin/perl
  +##
  +##  release.pl -- Automated OpenPKG Security Advisory Release Procedure
  +##
  +
  +use IO;
  +use POSIX qw(strftime);
  +
  +#   exit handler
  +$SIG{__DIE__} = sub {
  +    my ($msg) = @_;
  +    print STDERR "release:ERROR: $msg\n";
  +    exit(1);
  +};
  +
  +#   command line parsing
  +if (@ARGV != 1) {
  +    die "invalid number of arguments (expected \"YYYY.NNN\")";
  +}
  +my $id = @ARGV[0];
  +if ($id !~ m|^200[4-9]\.\d{3}$|) {
  +    die "invalid argument \"$id\" (expected \"YYYY.NNN\")";
  +}
  +
  +#   read configuration
  +print STDERR "++ reading configuration\n";
  +my $rcpt = [];
  +my $io = new IO::File "<release.cf"
  +   or die "unable to read \"release.cf\"";
  +while (<$io>) {
  +    next if (m/^\s*#.*/);
  +    if (m/^(\S+)\s+(\S+)\s*$/) {
  +        push(@{$rcpt}, { -addr => $1, -passwd => $2 });
  +    }
  +    elsif (m/^(\S+)\s*$/) {
  +        push(@{$rcpt}, { -addr => $1, -passwd => undef });
  +    }
  +    else {
  +        die "invalid configuration line \"$_\"";
  +    }
  +}
  +$io->close;
  +
  +#   make sure exactly one security advisory exists
  +#   and read in for sanity checking
  +print STDERR "++ read security advisory text file\n";
  +my @sas = glob("OpenPKG-SA-$id-*.txt");
  +if (@sas != 1) {
  +    die "invalid number (".scalar(@sas).") of security advisories found";
  +}
  +my $sa = $sas[0];
  +$io = new IO::File "<$sa"
  +    or die "unable to open security advisory \"$sa\"";
  +my $txt = '';
  +$txt .= $_ while (<$io>);
  +$io->close;
  +
  +#   determine package name
  +my $pkg = "";
  +if ($sa =~ m|^OpenPKG-SA-$id-(\S+)\.txt$|) {
  +    $pkg = $1;
  +}
  +else {
  +    die "unable to determine package name from filename";
  +}
  +
  +#   sanity check security advisory text
  +print STDERR "++ sanity check security advisory text\n";
  +if ($txt !~ m|^___+|s or $txt !~ m|___\n\n$|s) {
  +    die "invalid header/footer line";
  +}
  +my $date = strftime("%d-%b-%Y", localtime(time()));
  +my $re = "OpenPKG Security Advisory                            The OpenPKG 
Project\n" .
  +         "http://www\\.openpkg\\.org/security\\.html              
http://www\\.openpkg\\.org\n"; .
  +         "[EMAIL PROTECTED]                         [EMAIL PROTECTED]" .
  +         "OpenPKG-SA-$id                                          $date\n";
  +if ($txt !~ m|$re|) {
  +    die "invalid security advisory header";
  +}
  +if ($txt !~ m|\nPackage:\s+$pkg\n|s) {
  +    die "package name \"$pkg\" not found on Package: header";
  +}
  +#   FIXME: add more checks here!
  +
  +#   sign security advisory
  +print STDERR "++ OpenPGP sign security advisory text file\n";
  +system("cp $sa $sa.bak");
  +system("gpg --clearsign $sa") == 0
  +   or die "failed to sign security advisory";
  +system("mv $sa.asc $sa");
  +system("gpg --verify $sa >/dev/null 2>&1") == 0
  +   or die "failed to verify security advisory signature";
  +
  +#   final human sanity check
  +print STDERR "++ sanity checking signed security advisory text file\n";
  +system("more $sa");
  +
  +#   determine subject line
  +my $subject = "[OpenPKG-SA-$id] OpenPKG Security Advisory ($pkg)";
  +
  +#   final human approval question
  +print STDERR "++ final approval:\n";
  +srand(time());
  +my $challenge = sprintf("%d", rand()*100);
  +print STDOUT "Security Advisory will be sent out with subject\n";
  +print STDOUT "  \"$subject\"\n";
  +print STDOUT "to the following Email addresses:\n";
  +print STDOUT "  - " . join("\n  - ", map { $_->{-addr} } @{$rcpt}) . "\n";
  +print STDOUT "If you are sure, enter \"$challenge\": ";
  +my $response = <STDIN>;
  +$response =~ s|^\s+||s;
  +$response =~ s|\s+$||s;
  +if ($response != $challenge) {
  +    die "invalid response -- ABORTING";
  +}
  +
  +#   create mail header
  +print STDERR "++ sending out security advisory:\n";
  +foreach my $r (@{$rcpt}) {
  +    $io = new IO::File ">release.hdr"
  +       or die "unable to create mail header file \"release.hdr\"";
  +    $io->print("To: $r->{-addr}\n");
  +    $io->print("Subject: $subject\n");
  +    $io->print("Message-Id: <[EMAIL PROTECTED]>\n");
  +    $io->print("Approved: $r->{-passwd}\n") if (defined($r->{-passwd}));
  +    $io->close;
  +    print STDERR "   $r->{-addr}\n";
  +    system("mutt -H release.hdr <$sa");
  +    unlink("release.hdr");
  +}
  +
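Review bot: The final-approval gate at `if ($response != $challenge)` compares numerically, so when `rand()*100` yields a challenge of `0` an empty line or any non-numeric input also passes (both evaluate to 0), which defeats the "are you sure" check; compare as strings with `if ($response ne $challenge)`. The `system("cp $sa $sa.bak")`, `system("mv $sa.asc $sa")` and `system("mutt -H release.hdr <$sa")` calls pass `$sa` through the shell and never test the exit status, and the package part of the filename is only constrained to `\S+` by the glob/regex, so a failed copy or a failed send is silently ignored; use the list form, e.g. `system('cp', $sa, "$sa.bak") == 0 or die "unable to back up \"$sa\"";`, for each of them. The moderator passwords read from `release.cf` are written in clear to `release.hdr` in the working directory under the default umask before `mutt` reads it; set a restrictive mode (`IO::File->new("release.hdr", O_WRONLY|O_CREAT|O_TRUNC, 0600)`) or `umask 077` before creating it. The script also lacks `use strict; use warnings;`, and `my $id = @ARGV[0];` should be `my $id = $ARGV[0];`. If the `"; .` at the end of the second `$re` line is in the source rather than an artifact of the mail wrapping, the file does not compile as committed.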
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
