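#!/usr/bin/env bash
#!/usr/bin/env nix-shell
#!nix-shell --pure -i bash -p git
# ported-notes.sh — assemble the security round-up mail from the commits that
# carry a `security` git note, then record the branch tips that were covered
# in state/port_state.sh so the next run starts where this one stopped.
# NOTE(review): only the first line is honoured as the interpreter when the
# file is executed directly; the two nix-shell lines are then plain comments,
# so `--pure -p git` only applies when run through nix-shell — confirm intent.
set -eu
set -o pipefail
# Honour a caller-provided TMPDIR; fall back to /tmp as before.
TMPDIR="${TMPDIR:-/tmp}"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# port_state.sh is generated by update_state() at the bottom of this script.
# Sourcing executes whatever the file contains, so it must stay under this
# repository's control and never be edited from untrusted input.
source "$DIR/state/port_state.sh"
# Declare and assign separately: `readonly X=$(cmd)` reports readonly's own
# status, so a failing mktemp would otherwise slip past set -e.
TMPTO=$(mktemp -d ported.XXXXXXXXXX -p "$TMPDIR")
readonly TMPTO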
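cleanup() {
  # EXIT-trap handler: remove the per-run cache directory.
  # `${TMPTO:?}` aborts instead of running `rm -rf ""` should the variable
  # ever be unset or empty; `--` keeps an odd path from being read as an option.
  rm -rf -- "${TMPTO:?}"
}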
trap cleanup EXIT
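debug() {
  # Print the arguments to stderr when the optional DEBUG env var is non-empty.
  # `${DEBUG:-}` is safe under set -u, so the shell-wide `set +u` / `set -u`
  # toggle is gone: the old version forced nounset back on for the caller.
  # Arguments: message words
  # Outputs:   one line on stderr, or nothing
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%s\n' "$*" >&2
  fi
}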
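commits() {
  # Print the commit hashes in a git range, one per line, caching the result
  # under $TMPTO keyed by branch name so repeated calls do not re-run git.
  # Globals:   TMPTO (read)
  # Arguments: $1 - branch name, used only as the cache key
  #            $2 - revision range handed to `git rev-list`
  # Outputs:   commit hashes on stdout
  # Returns:   0 on success; 1 if `git rev-list` fails (no cache is left behind)
  local branchname="$1"
  local range="$2"
  local cache="$TMPTO/${branchname}_commits"
  local partial="$cache.partial"
  if [[ ! -f "$cache" ]]; then
    # Fill a scratch file and rename it only on success. The old `| tee`
    # form created the cache before rev-list could fail, so a later call
    # would silently trust a truncated list.
    if ! git rev-list "$range" > "$partial"; then
      rm -f -- "$partial"
      return 1
    fi
    mv -- "$partial" "$cache"
  fi
  cat -- "$cache"
}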
commit_has_note() {
  # Succeed (status 0) when commit $1 carries a note in the `security` ref.
  # Only the exit status of `git notes show` matters; its output is dropped.
  # Arguments: $1 - commit hash
  local commit="$1"
  git notes --ref=security show "$commit" > /dev/null 2>&1
}
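commits_with_notes() {
  # Like commits(), but keep only the hashes that carry a `security` note.
  # The filtered list is cached under $TMPTO per branch name.
  # Globals:   TMPTO (read)
  # Arguments: $1 - branch name (cache key, passed through to commits)
  #            $2 - revision range (passed through to commits)
  # Outputs:   filtered commit hashes on stdout, one per line
  # Returns:   0 on success; 1 if commits() fails (no cache is left behind)
  local branchname="$1"
  local range="$2"
  local cache="$TMPTO/${branchname}_commits_with_notes"
  local partial="$cache.partial"
  local all commit
  if [[ ! -f "$cache" ]]; then
    # Fetch the list first so a failure in commits() is visible; in the old
    # `for x in $(...)` form the substitution's status was simply ignored.
    all=$(commits "$branchname" "$range") || return 1
    : > "$partial"
    while IFS= read -r commit; do
      [[ -n "$commit" ]] || continue
      if commit_has_note "$commit"; then
        printf '%s\n' "$commit" >> "$partial"
      fi
    done <<< "$all"
    mv -- "$partial" "$cache"
  fi
  cat -- "$cache"
}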
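log_commit() {
  # Print one round-up entry for a commit: a short header line, an optional
  # thank-you line, and the commit's `security` note quoted with "> ".
  # Arguments: $1 - commit hash
  # Outputs:   the entry on stdout
  # Returns:   1 if the author/committer lookup fails, else the status of the
  #            final note pipeline
  local commit="$1"
  # All of these used to be globals that leaked out of the function.
  local author committer thanks
  local -r dontthank="Graham Christensen"
  author=$(git show --no-patch --notes=security --pretty="format:%an" "${commit}") || return 1
  committer=$(git show --no-patch --notes=security --pretty="format:%cn" "${commit}") || return 1
  # Names are taken from commit metadata and printed verbatim; the maintainer
  # who sends the mail is never thanked.
  if [[ "$author" == "$committer" ]]; then
    if [[ "$author" == "$dontthank" ]]; then
      thanks=""
    else
      thanks="(Thank you, $author)"
    fi
  elif [[ "$author" == "$dontthank" ]]; then
    thanks="(Thank you, ${committer} (committer))"
  elif [[ "$committer" == "$dontthank" ]]; then
    thanks="(Thank you, ${author} (author))"
  else
    thanks="(Thank you: ${author} (author), ${committer} (committer))"
  fi
  # The embedded newlines in this format string are deliberate: `format:`
  # (unlike `tformat:`) adds no trailing newline of its own.
  git show --no-patch --notes=security --pretty="format:
%h %<(60,trunc)%s
" "${commit}"
  if [[ -n "$thanks" ]]; then
    printf '%s\n' "$thanks"
  fi
  # Quote the note body line by line, mail-reply style.
  git show --no-patch --notes=security \
    --pretty="format:%N" "${commit}" \
    | sed -e 's/^/> /'
}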
# Mail header and preamble, emitted verbatim to stdout. The delimiter is
# unquoted so $(date ...) expands; the "$ sudo ..." lines stay literal because
# "$ " followed by a space is not an expansion. The `<#secure ...>` line is an
# Emacs message-mode MML tag asking for a PGP signature. LATEST_ROUNDUP_URL is
# a placeholder to replace before sending.
# NOTE(review): the From: address appears redacted in this copy of the file —
# confirm against the original before relying on it.
cat <<EOF
From: Graham Christensen <[email protected]>
Subject: Security fixes from $(date -u "+%F %R %Z")
--text follows this line--
<#secure method=pgp mode=sign>
The following issues have been resolved in NixOS in release-16.09,
release-17.03, and unstable. They remain potentially vulnerable on
older major releases.
These patches will be released to the release-16.09, release-17.03,
and unstable channels when Hydra finishes building the "tested" job
for each channel:
- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/release-17.03/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested
Currently, 17.03 is considered beta. It will be released around the
end of March. NixOS typically only supports one release at a time.
This means when 17.03 is released you should upgrade as soon as
possible. To ease this transition, I've decided to extend 16.09
security patches for one month after 17.03 is released.
You can switch from 16.09 to 17.03-beta via:
$ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
$ sudo nix-channel --update
$ sudo nixos-rebuild boot
$ reboot
Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
changed, and using switch will break setuid binaries (like sudo, ping,
etc.) until you reboot.
Please consider helping with the next security roundup by commenting on
LATEST_ROUNDUP_URL.
EOF
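changes_for() {
  # Print the section for one branch: a heading, then log_commit output for
  # every noted commit in the range.
  # Arguments: $1 - branch label, used in the heading and as the cache key
  #            $2 - revision range
  # Outputs:   the section on stdout
  local branch="$1"
  local range="$2"
  local commit
  printf 'The following changes were applied to %s\n' "${branch}"
  # Read the list line by line rather than `for x in $(...)`: no word
  # splitting or globbing of the hashes, and no pointless trailing `| cat`.
  while IFS= read -r commit; do
    [[ -n "$commit" ]] || continue
    log_commit "$commit"
  done < <(commits_with_notes "$branch" "$range")
}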
separator() {
  # Visual divider between branch sections: a rule followed by three blank lines.
  printf '%s\n' \
    "======================================================================" \
    "" \
    "" \
    ""
}
# One section per tracked branch, oldest release first. The *_SENT variables
# come from state/port_state.sh (sourced above) and mark the tip covered by
# the previous round-up; the state file must define them under exactly these
# names (MASTER_SENT, RELEASE_16_09_SENT, RELEASE_17_03_SENT) or set -u
# aborts here.
changes_for "release-16.09" "$RELEASE_16_09_SENT..origin/release-16.09"
separator
changes_for "release-17.03" "$RELEASE_17_03_SENT..origin/release-17.03"
separator
changes_for "unstable" "$MASTER_SENT..origin/master"
# Closing signature of the mail (no expansions are used in this heredoc).
cat <<EOF
Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security
EOF
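update_state() {
  # Emit shell assignments recording the current tip of every tracked branch.
  # The output becomes state/port_state.sh and is sourced by the next run, so
  # the names must be exactly the ones read above: MASTER_SENT,
  # RELEASE_16_09_SENT, RELEASE_17_03_SENT. The old "RELEASE_17.03_SENT"
  # spelling is not a valid shell identifier — it fails with "command not
  # found" when sourced and never updated the 17.03 marker.
  # Outputs:   NAME=sha lines on stdout
  # Returns:   1 as soon as any `git rev-parse` fails, before printing
  #            anything, so a partial state is never emitted
  local master release_16_09 release_17_03
  master=$(git rev-parse --verify "origin/master") || return 1
  release_16_09=$(git rev-parse --verify "origin/release-16.09") || return 1
  release_17_03=$(git rev-parse --verify "origin/release-17.03") || return 1
  printf '%s=%s\n' \
    MASTER_SENT "$master" \
    RELEASE_16_09_SENT "$release_16_09" \
    RELEASE_17_03_SENT "$release_17_03"
}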
update_state > "$DIR/state/port_state.sh"