mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-09 00:40:11 +01:00
Commit Graph

5066 Commits

Author SHA1 Message Date
Hans-Christoph Steiner
b851d49d24 shell=True is too dangerous to allow; there are unfiltered user inputs
There are all sorts of unfiltered user inputs like tag and branch names in
source repos.  If those names are fed into popen calls that use shell=True,
that opens up a wide range of exploits.  All core operations should never
use shell=True.
2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
07cdf848d7 use '--' in source vcs calls to protect against malicious input
This is a quick and very incomplete addition of '--' to command line calls
to source VCSs like git and hg that could be manipulated by malicious
tag/branch names or other vectors.

These were all manually tested by calling the command lines on my own
machine.
2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
32213ef040 scanner: allow running without versionCode and as API
This lets `fdroid scanner my.package.name` run without requiring that the
versionCode is also specified.  It also allows scanner.scan_source() to be
called as a function in the public API of fdroidserver.
2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
53f603bf30 lint: check description for forbidden HTML tags: iframe, link, script, etc. 2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
f0940540ee buildserver: include python3-git for future use
We should be replacing all our custom git shell commands with python3-git,
since it is a common library for doing that.  It will receive a lot more
attention and maintenance than our code for doing it.  For example, we
should not ever use shell=True, since that opens up a lot of security
risks.
2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
a57f17b276 wiki: include per-app link to all related activity on gitlab.com 2018-01-26 10:18:41 +01:00
Hans-Christoph Steiner
528aa9269e Merge branch 'platform27' into 'master'
makebuildserver: re-add platform 27

Closes #445

See merge request fdroid/fdroidserver!444
2018-01-26 09:09:15 +00:00
Marcus Hoffmann
0e68971eef
makebuildserver: re-add platform 27
Closes #445
2018-01-25 16:56:56 +01:00
Marcus
9f6862ce82 Merge branch 'build_tools_27.0.3' into 'master'
makebuildserver: add build-tools 27.0.3

See merge request fdroid/fdroidserver!443
2018-01-25 13:12:53 +00:00
Marcus Hoffmann
98313fc066
makebuildserver: add build-tools 27.0.3 2018-01-25 11:53:27 +01:00
Hans-Christoph Steiner
a4bdd104d7 Merge branch 'remove-kivy' into 'master'
build: remove unused, unmaintained Kivy build method

See merge request fdroid/fdroidserver!441
2018-01-24 05:35:32 +00:00
Hans-Christoph Steiner
513c95894c build: remove unused, unmaintained Kivy build method
This code has never been used and contains some insecure uses of shell=True.
Building Kivy apps should be done with the buildozer=yes method.  The
buildozer method should probably be moved to a provisioner once that is in
place.
2018-01-23 23:16:05 +01:00
Hans-Christoph Steiner
b0b9f2f601 Merge branch 'remove-qt' into 'master'
buildserver: remove Qt installer, it's huge, outdated, and being replaced

See merge request fdroid/fdroidserver!440
2018-01-23 20:52:22 +00:00
Hans-Christoph Steiner
62ddab7edd buildserver: remove Qt installer, it's huge, outdated, and being replaced
The currently included Qt has known security issues and is outdated.  This
can now be replaced by downloading and installing the Qt installer using
the sudo= build field.  @relan's provisioner system will also replace this
once that's done.  There are only two apps that currently use the Qt stuff:

* csd.qtproject.minesweeper
* org.openorienteering.mapper
2018-01-23 20:28:26 +01:00
Hans-Christoph Steiner
825b8e9683 Merge branch 'build_timeout' into 'master'
Build timeout

See merge request fdroid/fdroidserver!437
2018-01-22 20:49:01 +00:00
Marcus Hoffmann
a1a88e1c6a
main: force exit on keyboard interrupt
This applies the same workaround as b8ed892ad9.
2018-01-22 16:02:49 +01:00
Marcus Hoffmann
fa43066f8d
build: add global soft timeout of 12 hours
Only start new builds for 12 hours. This ensures we publish new builds
often enough even on long backlogs.

This could be made configurable at a later point.
2018-01-22 16:02:49 +01:00
Marcus Hoffmann
80e121d182
build: log timeouts to the wiki 2018-01-22 16:02:49 +01:00
Marcus Hoffmann
85985074d4
build: enable watchdog timer for each build that kills in 2 hours
This introduces locking for the commonly used vagrant functions in
vmtools because vagrant fails when another vagrant command is
already running.
2018-01-22 16:01:20 +01:00
Marcus Hoffmann
9a4f3ac019
Revert "build: bump max_apps_per_run to 50"
This reverts commit 56a53055be.

Revert "build: limit --all to 10 apps at a time"

This reverts commit afc5cc6b6a.
2018-01-22 15:53:45 +01:00
Hans-Christoph Steiner
61bb74a369 Merge branch 'log-update-checkupdates-server-to-wiki' into 'master'
Log update/checkupdates/server to wiki

See merge request fdroid/fdroidserver!439
2018-01-22 13:29:45 +00:00
Hans-Christoph Steiner
22563bdf17 gitlab-ci: make metadata_v0 test work even when tags are missing
This uses the commit ID of the release tags, rather than the release tag
itself so that contributor forks do not need to include the tags in them
for this test to work.

The COMMIT_ID should be bumped after each release, so that the list of sed
hacks needed does not continuously grow.
2018-01-22 14:00:20 +01:00
Hans-Christoph Steiner
486ee25708 wiki: log build start/stop time, command line, RAM, and processor count 2018-01-22 14:00:16 +01:00
Hans-Christoph Steiner
ef69bbff34 wiki: log server start/stop times and command line 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
cd3e531731 buildserver: force no auto updates of package lists or upgrades 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
8d2092ada1 jenkins-test: include repo_pubkey in config.py for BUILD test
The BUILD machine does not have a keyring on it, only the public key for
the index signing key.  This is a very rudimentary test for that.
2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
f841ec745f wiki: move checkupdates wiki log to separate function 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
010f1c5029 log installed android sdk versions for update and checkupdates 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
e163c09e26 move get_android_tools_versions functions to common 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
4beb2d52e9 wiki: log update start/stop time and command line 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
5b92820ff3 wiki: fix bug updating Repository Maintenance
site.pages doesn't seem to exist anywhere, site.Pages is used throughout.
2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
22c6acc026 wiki: log appids as checkupdates goes through them 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
fc4f5a79a7 wiki: log checkupdates start/stop time and command line for each run 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
df51a6e999 common.get_wiki_timestamp() for posting timestamps to wiki log pages 2018-01-22 13:49:10 +01:00
Hans-Christoph Steiner
e013fde8b9 Merge branch 'iconfix' into 'master'
fix "cannot identify image file" with XML icons

See merge request fdroid/fdroidserver!435
2018-01-18 10:53:34 +00:00
Hans-Christoph Steiner
4612ddf312 Merge branch 'gitlab-mirrors-reorder' into 'master'
Reorder the gitlab mirrors so GitLab Pages comes before "raw".

See merge request fdroid/fdroidserver!438
2018-01-18 09:01:17 +00:00
Peter Serwylo
3180acc454 Reorder the gitlab mirrors so GitLab Pages comes before "raw".
GitLab storage provides two mirrors by default:
 * https://gitlab.com/user/repo/raw/master/fdroid/repo
 * https://user.gitlab.io/repo/fdroid/repo

While the F-Droid client will happily fetch the index*.jar files and
parse them from either of these two mirrors, only the GitLab Pages
mirror will serve files with the correct mime type. Many repos
tend to put index.html files (and associated .css/.js/image files) in
the root of a repository to provide information about that repo.

One example is RepoMaker. The way in which RepoMaker decides the public
URL of a repo, is to take the first mirror in the list. This means that
the URL which RepoMaker directs people to for GitLab storage returns a
.html document in text/plain, which means that it is not rendered.

We could change RepoMaker so that it takes the last mirror, and then it
would work. However there is something nice about the first mirror in a
list being the most authoritative (even though the mirror order doesn't
- and perhaps shouldn't have any specific meaning).
2018-01-18 08:02:07 +11:00
Izzy
42ac65e8aa simplifying fix for "cannot identify image file" with XML icons 2018-01-17 16:48:08 +01:00
Izzy
6f5b539a54 fix "cannot identify image file" with XML icons 2018-01-12 22:12:27 +01:00
Hans-Christoph Steiner
56a53055be build: bump max_apps_per_run to 50
With this at 10, it seems that there are often runs that produce no builds
at all.  That's bad.
2018-01-11 23:25:31 +01:00
Hans-Christoph Steiner
846a8c68c4 jenkins-build-all: don't fail if max build limit caused no builds 2018-01-11 23:25:24 +01:00
Hans-Christoph Steiner
ee89468818 jenkins-test: ensure gpg is starting from a clean and proper place
There have been frequent failures on import, some bugs suggest that it
might be because these dirs are missing.  They would get wiped by a
`git clean -fdx`.
2018-01-11 21:27:33 +01:00
Hans-Christoph Steiner
5ad661ef7b jenkins-build-all: use local mediawiki if available 2018-01-11 16:47:49 +01:00
Hans-Christoph Steiner
c4dbc58d10 build: buildserverid must always be str not bytes 2018-01-11 14:09:12 +01:00
Hans-Christoph Steiner
87524622ea build: fix str vs. bytes error in buildserverid
ERROR: Could not build app org.fdroid.fdroid due to unknown error: Traceback (most recent call last):
  File "/var/lib/jenkins/userContent/reproducible/reproducible_setup_fdroid_build_environment/fdroidserver/build.py", line 1202, in main
    options.onserver, options.refresh):
  File "/var/lib/jenkins/userContent/reproducible/reproducible_setup_fdroid_build_environment/fdroidserver/build.py", line 972, in trybuild
    build_server(app, build, vcs, build_dir, output_dir, log_dir, force)
  File "/var/lib/jenkins/userContent/reproducible/reproducible_setup_fdroid_build_environment/fdroidserver/build.py", line 82, in build_server
    logging.debug(_('Fetched buildserverid from VM: ') + buildserverid)
TypeError: Can't convert 'bytes' object to str implicitly
2018-01-11 12:50:18 +01:00
Hans-Christoph Steiner
3a792a8c3d Merge branch 'cleaner-clean' into 'master'
build: clean up only known subdirectories in build/*

Closes #438

See merge request fdroid/fdroidserver!432
2018-01-10 19:14:49 +00:00
relan
e29be52da0 build: clean up only known subdirectories in build/*
We remove the whole "build" directory while cleaning source code tree
because Gradle can leave files there even after "gradle clean". But some
projects (Mozilla Fennec) actually have useful stuff checked into VCS
under the "build" directory.

Remove only those subdirectories that we know for sure are leftovers
from Gradle.

Fixes fdroid/fdroidserver#438.
2018-01-10 21:45:26 +03:00
Marcus
784e456cc6 Merge branch 'gradle-4.4.1' into 'master'
makebuildserver: add Gradle 4.4.1

See merge request fdroid/fdroidserver!433
2018-01-10 18:40:36 +00:00
relan
70fba5d08c makebuildserver: add Gradle 4.4.1 2018-01-10 21:31:59 +03:00
Hans-Christoph Steiner
4e9ff9570d Merge branch 'master' into 'master'
new script to audit the FDroid.apk on https://f-droid.org

See merge request fdroid/fdroidserver!431
2018-01-05 13:47:48 +00:00