Package: debarchiver
Version: 0.10.1
Severity: normal

Hi Ola,

I ran into another quirk today :)  The way that $vrfycmd is used means
it's not directly possible to set that to a command that requires some
arguments other than the changes file.

What I wanted to do was this:

 $vrfycmd = "dscverify --no-default-keyrings --keyring /var/lib/debarchiver/.gnupg/pubring.gpg";

So that I could sign packages uploaded to this repo with a different key
to the one that is in the DD keyring, to avoid there ever being any sort
of accident with them actually getting pushed into a distro upload queue
(either by me, or by someone else later).

It looks like there's a few easy options to fix this though.
My favourite so far is the patch below, which is backward compatible for
any existing user config, but lets me instead do:

 @vrfycmd = ("dscverify", "--no-default-keyrings", "--keyring",
             "/var/lib/debarchiver/.gnupg/pubring.gpg");

Which ensures there'll never be any quoting issues for weird arguments.

Alternatively we could do system("$vrfycmd $cfile"), but that has a
different set of pros and cons.

It looks like the rest of the *cmd options go through cmdaction() so
they don't have this problem.

If you like this version, it probably also wants a one-liner in the
sample debarchiver.conf too to note @vrfycmd can be an array now.

  Cheers,
  Ron


--- /usr/bin/debarchiver        2014-07-21 06:05:08.059769856 +0930
+++ debarchiver 2014-07-21 07:22:11.316828267 +0930
@@ -96,6 +96,7 @@
 $rmcmd = "rm -f";
 $movecmd = "mv";
 $vrfycmd = "dscverify";
+@vrfycmd = ($vrfycmd);
 $cachedir = "/var/cache/debarchiver";
 $inputdir = "/var/lib/debarchiver/incoming";
 $destdir = "/var/lib/debarchiver/dists";
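Review bot: The added `@vrfycmd = ($vrfycmd);` copies the value at the point where the defaults are assigned, so if the configuration file is evaluated after this block (not visible in this hunk), an existing config that sets only $vrfycmd is no longer honoured. @vrfycmd would stay ("dscverify") and the second hunk only ever reads the array, so a site that had pointed $vrfycmd at its own verifier would silently fall back to plain dscverify. Consider leaving @vrfycmd empty here and falling back at the call site instead, for example `@vrfycmd = ($vrfycmd) unless @vrfycmd;` immediately before the system() call.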
@@ -1742,9 +1743,9 @@
     }
     # Verify signatures.
     if ($verify) {
-       if (system($vrfycmd,$cfile)) { # non-zero == verification failure
+       if (system(@vrfycmd,$cfile)) { # non-zero == verification failure
            pdebug(4, "Signature verification failed for $cfile");
-           $CConf{ERROR} = "$CConf{ERROR}$vrfycmd was not able to verify 
$cfile.\n";
+           $CConf{ERROR} = "$CConf{ERROR}@vrfycmd was not able to verify 
$cfile.\n";
            return "reject";
        }
     }
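Review bot: In the `if (system(@vrfycmd,$cfile))` test, a non-zero return also covers the case where the command could not be started at all (system returns -1), which a mistyped element in the new array form makes easier to hit. Rejecting is still the safe outcome, but the pdebug and $CConf{ERROR} text say only that verification failed. Consider including $? (and $! when the return is -1) in those messages so an operator can tell a bad signature from a broken @vrfycmd. A short comment that the list form of system() bypasses the shell would also help keep anyone from later collapsing it into a single interpolated string.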

