Do not inject GLSAs into the checkfile when fixing them

There is no reason applied GLSAs must be stored in a checkfile. In the
current glsa-check GUI this will make it impossible to determine whether
the system is still affected by the GLSA (e.g. by re-emerging, or when a
GLSA is changed afterwards).

The current place for the checkfile (/var/cache) is not persistent per
FHS, meaning that people might clean out the contents of their injected
GLSAs. Since glsa.py is moving to portage anyway, we can use
/var/lib/portage as a place to store the injected GLSAs. Documentation
has been updated accordingly.

Note that the old checkfile should not be moved to the previous location
on upgrade since this will cause false negatives due to the above
arguments. A message should appear on upgrade (pkg_postinst or similar).

svn path=/trunk/gentoolkit/; revision=649

http://git.overlays.gentoo.org/gitweb/?p=proj/gentoolkit.git;a=commit;h=4138f5b1b6dbcf1042663a45b3eae1e652bfc9be

diff --git a/bin/glsa-check b/bin/glsa-check
index 3cfe0bac7432b687151ba12bf125325e3bbf06aa..2b21d717f060a6993d5b6c263d79cc333876ee1e 100644 (file)
--- a/bin/glsa-check
+++ b/bin/glsa-check
@@ -55,7 +55,7 @@ modes.add_option("-f", "--fix", action="store_const",
                const="fix", dest="mode",
                help="Try to auto-apply this GLSA (experimental)")
 modes.add_option("-i", "--inject", action="store_const", dest="mode",
-               help="Inject the given GLSA into the checkfile")
+               help="inject the given GLSA into the glsa_injected file")
 modes.add_option("-m", "--mail", action="store_const",
                const="mail", dest="mode",
                help="Send a mail with the given GLSAs to the administrator")
@@ -144,7 +144,7 @@ glsalist.extend([g for g in params if g not in glsalist])
 def summarylist(myglsalist, fd1=sys.stdout, fd2=sys.stderr, encoding="utf-8"):
        fd1 = codecs.getwriter(encoding)(fd1)
        fd2 = codecs.getwriter(encoding)(fd2)
-       fd2.write(white("[A]")+" means this GLSA was already applied,\n")
+       fd2.write(white("[A]")+" means this GLSA was marked as applied (injected),\n")
        fd2.write(green("[U]")+" means the system is not affected and\n")
        fd2.write(red("[N]")+" indicates that the system might be affected.\n\n")
 
@@ -156,7 +156,7 @@ def summarylist(myglsalist, fd1=sys.stdout, fd2=sys.stderr, encoding="utf-8"):
                        if verbose:
                                fd2.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e)))
                        continue
-               if myglsa.isApplied():
+               if myglsa.isInjected():
                        status = "[A]"
                        color = white
                elif myglsa.isVulnerable():
@@ -229,7 +229,6 @@ if mode in ["dump", "fix", "inject", "pretend"]:
                                                sys.exit(exitcode)
                        if len(mergelist):
                                sys.stdout.write("\n")
-                       myglsa.inject()
                elif mode == "pretend":
                        sys.stdout.write("Checking GLSA "+myid+"\n")
                        if not myglsa.isVulnerable():

diff --git a/pym/portage/glsa.py b/pym/portage/glsa.py
index 5cc735ba3f0600bfa41ab931e075e1bb703ba04e..84bf7fddc95535dbf3c9484f2d792ad21d00448a 100644 (file)
--- a/pym/portage/glsa.py
+++ b/pym/portage/glsa.py
@@ -22,7 +22,7 @@ from portage import _unicode_decode
 from portage import _unicode_encode
 from portage.versions import pkgsplit, vercmp, best
 from portage.util import grabfile
-from portage.const import CACHE_PATH
+from portage.const import PRIVATE_PATH
 from portage.localization import _
 from portage.dep import _slot_separator
 
@@ -42,7 +42,7 @@ def get_applied_glsas(settings):
        @rtype:         list
        @return:        list of glsa IDs
        """
-       return grabfile(os.path.join(settings["EROOT"], CACHE_PATH, "glsa"))
+       return grabfile(os.path.join(settings["EROOT"], PRIVATE_PATH, "glsa_injected"))
 
 
 # TODO: use the textwrap module instead
@@ -661,14 +661,17 @@ class Glsa:
                                                                                self.portdbapi, self.vardbapi))
                return rValue
        
-       def isApplied(self):
+       def isInjected(self):
                """
-               Looks if the GLSA IDis in the GLSA checkfile to check if this
-               GLSA was already applied.
+               Looks if the GLSA ID is in the GLSA checkfile to check if this
+               GLSA should be marked as applied.
                
                @rtype:         Boolean
-               @return:        True if the GLSA was applied, False if not
+               @returns:       True if the GLSA is in the inject file, False if not
                """
+               if not os.access(os.path.join(self.config["EROOT"],
+                       PRIVATE_PATH, "glsa_injected"), os.R_OK):
+                       return False
                return (self.nr in get_applied_glsas(self.config))
 
        def inject(self):
@@ -680,11 +683,11 @@ class Glsa:
                @rtype:         None
                @return:        None
                """
-               if not self.isApplied():
+               if not self.isInjected():
                        checkfile = io.open(
                                _unicode_encode(os.path.join(self.config["EROOT"],
-                               CACHE_PATH, "glsa"),
-                               encoding=_encodings['fs'], errors='strict'), 
+                               PRIVATE_PATH, "glsa_injected"),
+                               encoding=_encodings['fs'], errors='strict'),
                                mode='a+', encoding=_encodings['content'], errors='strict')
                        checkfile.write(_unicode_decode(self.nr + "\n"))
                        checkfile.close()