
APT repository: notify incoming

Have reprepro email a report of what processincoming did, probably using reprepro hooks: file:///usr/share/doc/reprepro/manual.html#hooks, or by piggy-backing on the existing inotifyincoming system (https://gitlab.com/shared-puppet-modules-group/reprepro/blob/master/files/inoticoming.init, https://gitlab.com/shared-puppet-modules-group/reprepro/blob/master/templates/inoticoming.default.erb).

Ideally, the granularity of change notification should be uploading a .changes file (which dput/dupload do after they’ve finished uploading the files referenced in the .changes file).

The initial research can be done without any special setup: one only needs reprepro with a basic configuration and a run of reprepro processincoming.

The script/hook that emails changes should allow customizing the destination email address without modifying the code (command line argument, preferably).

Regarding implementation language: Python, Ruby or Modern Perl; very good shell might be OK too. The code should be defensive enough: assume the input is untrusted.
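As an added example (not the ticket's own code nor anything from the puppet-tails branch), a minimal Python hook of the requested shape: destination address via `--to`, every value reprepro passes validated against an allowlist before it reaches a mail header or a subprocess. The positional field order after `--to`, the use of reprepro's Log hook mechanism and the sendmail path are assumptions to check against manual.html#hooks.

```python
"""Hypothetical reprepro Log hook that mails a summary of each logged package event.
Assumed calling convention (manual.html#hooks): after our own --to option, reprepro appends
  action codename packagetype component architecture name version [filekeys...]
Every argv value is untrusted: each field must match a strict allowlist before it is used."""
import argparse
import re
import subprocess
from email.message import EmailMessage
FIELD_RE = {  # checked with fullmatch(): match() plus '$' would let a trailing newline through
    "action": re.compile(r"add|remove|replace|info"),
    "codename": re.compile(r"[a-z0-9][a-z0-9.+-]{0,63}"),
    "packagetype": re.compile(r"deb|udeb|dsc"),
    "component": re.compile(r"[a-z0-9][a-z0-9/+-]{0,63}"),
    "architecture": re.compile(r"[a-z0-9][a-z0-9-]{0,31}"),
    "name": re.compile(r"[a-z0-9][a-z0-9.+-]{1,127}"),       # Debian package-name rules
    "version": re.compile(r"[0-9][A-Za-z0-9.+:~-]{0,127}"),  # Debian version rules
}
FILEKEY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9./_+~:-]*")  # pool/... paths reprepro reports

def parse_hook_args(argv):
    event = dict(zip(FIELD_RE, argv))  # keys keep the order reprepro passes the fields in
    if len(event) < len(FIELD_RE):
        raise ValueError("too few arguments from reprepro: %d" % len(argv))
    for key, value in event.items():
        if not FIELD_RE[key].fullmatch(value):
            raise ValueError("rejected %s field: %r" % (key, value))
    event["filekeys"] = argv[len(FIELD_RE):]
    if any(not FILEKEY_RE.fullmatch(k) for k in event["filekeys"]):
        raise ValueError("rejected filekeys: %r" % event["filekeys"])
    return event

def build_message(event, to_addr, from_addr="reprepro@localhost"):
    # Header values come only from validated fields, so they cannot inject extra headers.
    msg = EmailMessage()
    msg["From"], msg["To"] = from_addr, to_addr
    msg["Subject"] = "[reprepro] %(action)s %(name)s %(version)s (%(codename)s/%(architecture)s)" % event
    lines = ["%s: %s" % (k, v) for k, v in event.items() if k != "filekeys"]
    msg.set_content("\n".join(lines + ["  " + f for f in event["filekeys"]]) + "\n")
    return msg

def main(argv=None):
    ap = argparse.ArgumentParser(description="mail one reprepro log event")
    ap.add_argument("--to", required=True, help="destination address")
    ap.add_argument("hook_args", nargs="*", help="fields appended by reprepro")
    opts = ap.parse_args(argv)
    msg = build_message(parse_hook_args(opts.hook_args), opts.to)
    # No shell involved: sendmail reads the recipient from the To: header (assumed path).
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=msg.as_bytes(), check=True)
if __name__ == "__main__":
    main()
```

A wrapper such as `hook --to admins@example.org "$@"` is enough to change the recipient without touching the script.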

Then, it should be integrated in:

Sources of inspiration:

Now, regarding security, this notification system can be bypassed by developers with SSH access to the reprepro account: they can run arbitrary reprepro commands to modify the contents of our repository. To bring this to the next level, we need to limit their access to scp’ing files to the incoming directory (likely with sftp only accounts or similar, with adequate ownership/permissions or chroot’ing to ensure they cannot modify the other repository files directly). Once the notification system is in place, a new ticket must be created to track these next steps.

Feature Branch: puppet-tails:feature/5894-reprepro-notify-incoming-changes



Original created by @tails on 5894 (Redmine)
