
changeset 220:5fc6acd937e1

dev-vcs/kallithea: version bump to 0.3.6 (security update), masking <0.3.6
author Daniel Neugebauer <dneuge@energiequant.de>
date Sat, 29 Dec 2018 16:31:18 +0100
parents 69bf0e308425
children 77fe2c26eb42
files dev-vcs/kallithea/Manifest dev-vcs/kallithea/kallithea-0.3.6.ebuild profiles/package.mask
diffstat 3 files changed, 436 insertions(+), 0 deletions(-) [+]
--- a/dev-vcs/kallithea/Manifest	Sun Nov 11 15:08:42 2018 +0100
+++ b/dev-vcs/kallithea/Manifest	Sat Dec 29 16:31:18 2018 +0100
@@ -2,5 +2,7 @@
 AUX start-virtualenv.sh 463 SHA256 2f5def6c4840b94b78055fcc3f3e37aa42dd709e4e71dfa16d1fc63966274456 SHA512 0912644b3806b9c04d301f5f2f59c9b212549e73dec848a324fb0dd8bc9410e60750a571a3438ccc4b9dd940020986b67a9f3bb29a7fd27945daa2ae4c24139d WHIRLPOOL f4cbb8e583ec907baaa0801c6c2f73a9832689422654661079d420002a6c55ff872f8af1b4a2b78e50085f90e2c8d5876e93a436c443ac75f9d589510d8f615c
 DIST Kallithea-0.3.2.tar.gz 5347665 SHA256 891a7f88cf02a887c8eb711bfe56ff79f053a9051e0748fc29293bc7fa6ef0b3 SHA512 6f0cbab03004ea776e7278470ce12c025ba252b2194fc93c2dc5f3675811ca01306fd7ca076f1248915f22265d03d94741f2fdb7edeb8a90425e9d297a7f6af4 WHIRLPOOL ee0249a7563271ed94cc0a04ed1e90508854573a2395909e8525da19be68c04ed9b8c6968f47e76b86c6fa697a8fbf4c316fdd210caea4550655201a80bc360e
 DIST Kallithea-0.3.5.tar.gz 6358269 SHA256 4b598546494a3b68a5a7ff40b313606dc5de14e8eeb351b8a6adafc68631f729 SHA512 dbf752afab9cbda07880fd1ce77ff0389280746aab4ca530a15745258e52732c240e95b8e6ee9ffef7df3e135ceab5d063bec3b2a4d77f022b3687dfbf51f126 WHIRLPOOL 099e4d2129b664a9550cb8073c455635f43ff784d4b9b79ae1543ec0b745795945b1b50f026b31e993c40be9e94f0ba2398012bcae7e3465fe09de506b042fd6
+DIST Kallithea-0.3.6.tar.gz 6374356 SHA256 745b2032ab85be07f94b8ee499059a3b015a619262d64dee067d4b7198d64180 SHA512 dfba39f64d960b6c1eae491c62dae2edd9095507d68486d344a4d4b58298a859bfeefb5f4fc33f89909507801139041facdb099bad0400737db26a5edd9cffa9 WHIRLPOOL be0ef47c136f9ce40787fd6ce57fec96c567660d6bdbd74c21ad629cefe3b76021a6e497e913b69576c436319b056cfcd2f0d6496711696271abd0ec7febbf9f
 EBUILD kallithea-0.3.2.ebuild 15573 SHA256 d84b9f260eb6a5af551b5def59a89340366927dd1af0936b755fc885fcc11366 SHA512 13f3843d33cef3fce28e0e3e46999b407020a0f2fdc86baa05dac093a89881a453686ab5f7902567e5f33ef9670bb484465f6eaface3e74779e8d40d4dce5646 WHIRLPOOL 6deb4b03e56cf171403c6f92a9cab17e4eef4acb5791d76ac08a2b57806b923317e6b41110eaed3d9a6534ed5dee1b6beb883b80ae504a61ac74f2a0ae69c3ac
 EBUILD kallithea-0.3.5.ebuild 15585 SHA256 27c518602eebdd4f5cee59b584fdcf50c6ae0c871d2aba9188fa5793c3d11c64 SHA512 1408dec24433afa622b1bcc747070067de71778d0c07d11a8daf8667740475d8f3da4d7156b328367d16b34c96cce02aff9b2a56099b68f10527a959324bcc8c WHIRLPOOL ee52143dff5796b268236f1359896becda961e9920b32e8753f5fcb67b9505ba21cce9ebc71b3340576a4868b7baa4a0126deec571a0fa6da4d95dc35f9a0adc
+EBUILD kallithea-0.3.6.ebuild 15772 SHA256 325eddb2fe47ba538246cf0ab02c4c9372c6cf4f13773a849a7e458a65e0d61c SHA512 d4630abdabd4464b7a2a5bb5b36b0461fc64fd81329818ef2cdf2e0397af9c85f25e023586488df82692615006b50bcf213a564664f536a68e0a67b4edeaf508 WHIRLPOOL e3b05e4a1918c4280257cfdaf1fc1b1da445079bdae816bc0e0d8d57370f7766e1d50f37c65d563080e50964b0f849ac9d5c1ac8e758fd8373ca8c2151259cbf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/dev-vcs/kallithea/kallithea-0.3.6.ebuild	Sat Dec 29 16:31:18 2018 +0100
@@ -0,0 +1,423 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+### NOTES ##########################################################################
+# When updating this ebuild, comment out all workarounds and try without them first.
+# Only re-enable them if they are still required.
+# Also check that documentation URLs are still correct.
+inherit user
+DESCRIPTION="a web-based frontend and middleware to Mercurial and Git repositories"
+IUSE="+git mysql postgres sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+	dev-python/virtualenv
+	git? ( dev-vcs/git )
+	mysql? ( dev-db/mysql )
+	postgres? ( dev-db/postgresql )
+	sqlite? ( dev-lang/python:2.7[sqlite] )
+	#mysql? ( virtual/libmysqlclient )
+	app-arch/unzip
+	sys-apps/sed"
+KEYWORDS="~amd64 ~x86"
+pkg_setup() {
+	# create user and group
+	enewgroup kallithea
+	enewuser kallithea -1 -1 "${installDataPath}" kallithea 
+src_unpack() {
+	unpack ${A}
+	mv Kallithea-${PV} kallithea-${PV} || die "Unexpected directory structure, aborting..."
+src_compile() {
+	# not really compiling anything
+	realWorkDir=$(pwd)
+	# create new virtual environment
+	virtualenv --python=python2.7 --no-site-packages dist/v
+	# activate environment
+	source "dist/v/${virtualenvActivationPath}"
+	# upgrade PIP
+	pip2.7 install --upgrade pip || einfo "Failed to upgrade PIP inside virtual environment; not a severe issue but might have been helpful to reduce errors."
+	# we need to make sure we have a current version of setuptools to install Kallithea's dependencies
+	pip2.7 install 'setuptools>=17.1' || die "Failed to install setuptools, aborting!"
+	# _after_ installation on --config we need a certain version of paster to create the initial config file...
+	pip2.7 install 'PasteScript==2.0.2' || die "Failed to install PasteScript, aborting!"
+	# Kallithea's attempt to install Mercurial fails, so we do it first
+	pip2.7 install 'mercurial<4.3,>=2.9' || die "Failed to install Mercurial, aborting!"
+	# Kallithea needs psycopg2 for PostgreSQL support which is not currently listed as a dependency?!
+	# at the time of writing 2.6.1 is current, so we limit the version to <2.7
+	if use postgres ; then
+		pip2.7 install 'psycopg2>=2.6,<2.7' || die "Failed to install psycopg2 (required for PostgreSQL support), aborting!"
+	fi
+	# Kallithea needs MySQLdb for MySQL support which is not currently listed as a dependency?!
+	# at the time of writing 1.2.5 is current, so we limit the version to <1.3
+	if use mysql ; then
+		pip2.7 install 'MySQL-python>=1.2,<1.3' || die "Failed to install MySQL-python (required for MySQL support), aborting!"
+	fi
+	# perform automatic installation, includes dependencies
+	echo
+	echo "===> output by Kallithea's setup.py"
+	python2.7 setup.py install
+	retval=$?
+	echo "<=== Kallithea's setup.py is done, resuming ebuild code"
+	echo
+	# quit now if failed
+	if [ ${retval} -ne 0 ]; then
+		echo "Bad return value ${retval} from setup.py install"
+		exit 1
+	fi
+	# unzip all eggs
+	echo 'Unzipping all eggs...'
+	cd dist/v/lib/python2.7/site-packages/ || die "site-packages not found"
+	for eggname in *.egg; do
+		if [ -f "${eggname}" ]; then
+			mv "${eggname}" tmp.extract.zip
+			unzip -d "${eggname}" tmp.extract.zip
+			rm tmp.extract.zip
+		fi
+	done
+	# disable Git support according to manual
+	# see: http://kallithea.readthedocs.org/en/0.3.1/usage/vcs_support.html
+	if ! use git ; then
+		sed -i -e "/^BACKENDS\s*=\s*{/,/}/ s/^\(\s*\)\('git'\)/\1#\2/" Kallithea-${PV}-py2.7.egg/kallithea/__init__.py || die 'Failed to disable git support, aborting...'
+	fi
+	# create config
+	mkdir "${realWorkDir}/etc"
+	cd "${realWorkDir}/etc"
+	paster make-config Kallithea production.ini || die "unable to create configuration file"
+	# rewrite config to refer to correct default paths
+	sed -i -e "s/%(here)s\(\/\(tarballcache\|data\)\)/${installDataPath//\//\\/}\1/" production.ini
+	sed -i -e "s/%(here)s\(\/kallithea.db\)/${installDataPath//\//\\/}\1/" production.ini
+	# rewrite config to only log from WARN level to "console"
+	# By Kallithea defaults, handler_console logs everything from INFO level to "console".
+	# As mod_wsgi logs everything from "console" to error_log this results in a huge amount
+	# of unnecessary log entries which we would like to prevent.
+	# NOTE: As sed syntax is hard to read... this replacement rule is prefixed with an "address" which
+	#       is being defined by two regexps, effectively restricting replacements just to the
+	#       handler_console section of our ini file.
+	sed -i -e '/^\[handler_console\]/,/^\[/ s/level\s*=\s*INFO/level = WARN/' production.ini
+	# rewrite config to disable debug mode
+	# By default, Kallithea uses debug = true which should *NOT* be used except during development.
+	# See: http://kallithea.readthedocs.org/en/0.3.1/usage/debugging.html
+	sed -i -e '/^\[DEFAULT\]/,/^\[/ s/\(debug\s*=\s*\)true/\1false/' production.ini
+	## (disabled, does not work from sandbox)
+	## maintain system-unique variables from previous production.ini if available
+	#previousProductionConfig="${installConfigPath}/production.ini"
+	#if [ -e "${previousProductionConfig}" ]; then
+	#	previousAppInstanceUUID="$(grep -oE '^\s*app_instance_uuid\s*=\s*[0-9a-f\-]+' /etc/kallithea/production.ini | cut -d'=' -f2 | tr -d ' ')"
+	#	previousBeakerSessionSecret="$(grep -oE '^\s*beaker\.session\.secret\s*=\s*[0-9a-f\-]+' "${previousProductionConfig}" | cut -d'=' -f2 | tr -d ' ')"
+	#	
+	#	if [ ! -z "${previousAppInstanceUUID}" ]; then
+	#		echo 'Transferring previous app instance UUID to new production.ini'
+	#		sed -i -e "s/^\(\s*app_instance_uuid\s*=\s*\).*/\1${previousAppInstanceUUID}/" production.ini
+	#	fi
+	#	
+	#	if [ ! -z "${previousBeakerSessionSecret}" ]; then
+	#		echo 'Transferring previous Beaker session secret to new production.ini'
+	#		sed -i -e "s/^\(\s*beaker\.session\.secret\s*=\s*\).*/\1${previousBeakerSessionSecret}/" production.ini
+	#	fi
+	#fi
+	# remove newly generated UUID and Beaker session secret from config
+	# as user should configure that instead and config diffs don't show
+	# unnecessary stuff
+	sed -i -e "s/^\(\s*app_instance_uuid\s*=\).*/#\1 (run uuidgen and insert the returned UUID here)/" production.ini
+	sed -i -e "s/^\(\s*beaker\.session\.secret\s*=\).*/#\1 (run uuidgen and insert the returned UUID here)/" production.ini
+	# comment out sqlite DB as we don't want users to use it by accident
+	sed -i -e 's/^\(\s*\)\(sqlalchemy\.db1\.url\s*=\s*sqlite:.*\)/\1#\2/' production.ini
+	# rename production.ini as it requires more configuration and is hard to read
+	mv production.ini production.ini.example
+	# rewrite virtualenv directory to later installation directory
+	oldIFS="${IFS}"
+	IFS="
+	"
+	echo "Searching files that need to have paths replaced when leaving portage sandbox..."
+	dirtyFiles=$(grep -Ri "${realWorkDir}/dist/v" ${realWorkDir}/dist/v | grep -vE '^Binary' | cut -d':' -f1 | sort | uniq)
+	for dirtyFile in ${dirtyFiles}; do
+		echo "    patching ${dirtyFile}"
+		sed -e "s#${realWorkDir}/dist/v#${installBasePath}#" -i "${dirtyFile}"
+	done
+	IFS="${oldIFS}"
+	# create WSGI file
+	cd "${realWorkDir}/etc"
+	cp "${FILESDIR}/production.wsgi" .
+	sed -e "s:###BASEDIR###:${installBasePath}:" -i production.wsgi
+	sed -e "s:###DATADIR###:${installDataPath}:" -i production.wsgi
+	sed -e "s:###CONFDIR###:${installConfigPath}:" -i production.wsgi
+src_install() {
+	# QA: no need to have anything world-writable...
+	chmod o-w -R dist/v/lib/python2.7/site-packages/
+	# just copy the virtualenv directory to /opt/kallithea
+	dodir /opt
+	cp -aR "${S}/dist/v" "${D}${installBasePath}"
+	# install configuration files to /etc/kallithea
+	diropts -m750 -oroot -gkallithea
+	insopts -m640 -oroot -gkallithea
+	insinto "${installConfigPath}"
+	doins "${S}/etc/production.ini.example"
+	insopts -m644 -oroot -gkallithea
+	doins "${S}/etc/production.wsgi"
+	# create data directory and subdirectories
+	diropts -m2770 -okallithea -gkallithea
+	keepdir "${installDataPath}"
+	keepdir "${installDataPath}/data"
+	keepdir "${installDataPath}/data/cache"
+	keepdir "${installDataPath}/data/cache/data"
+	keepdir "${installDataPath}/data/cache/lock"
+	keepdir "${installDataPath}/data/index"
+	keepdir "${installDataPath}/repositories"
+	keepdir "${installDataPath}/tarballcache"
+pkg_postinst() {
+	#               1         2         3         4         5         6         7         8
+	#      12345678901234567890123456789012345678901234567890123456789012345678901234567890
+	elog  "An example configuration file has already been created so you don't need to run"
+	elog  "make-config again; please copy and edit carefully on first setup:"
+	elog  "    cp -a ${installConfigPath}/production.ini.example ${installConfigPath}/production.ini"
+	elog  "    \$EDITOR ${installConfigPath}/production.ini"
+	elog  ""
+	elog  "After updates, please compare what has changed and copy any necessary changes:"
+	elog  "    diff -u ${installConfigPath}/production.ini ${installConfigPath}/production.ini.example"
+	elog  ""
+	elog  "You still need to follow Kallithea's other setup steps according to the"
+	elog  "instructions at:"
+	elog  "    ${urlDocumentationSetup}"
+	elog  ""
+	elog  "When doing so, please mind that Kallithea was installed into a Python virtual"
+	elog  "environment that has to be \"activated\" before it can be used. To do so,"
+	elog  "you will have to run a dedicated shell and initialize the environment by running"
+	elog  ""
+	elog  "    source ${installBasePath}/${virtualenvActivationPath}"
+	elog  ""
+	#elog  "We altered the default config slightly. It may be best to have a look at our"
+	#elog  "short example on how to setup hosting with Apache and mod_wsgi, even if you"
+	#elog  "prefer another method of hosting Kallithea:"
+	#elog  "    ${urlDocumentationMegacoffee}"
+	#elog  ""
+	#elog  "We can wrap those commands for you if you run (no prior activation needed):"
+	#elog  "    emerge --config =${CATEGORY}/${PF}"
+	#elog  ""
+	elog  "Kallithea also provides a way to migrate your database if you are coming from"
+	elog  "RhodeCode 2.2 or below. Instructions can be found at:"
+	elog  "${urlDocumentationRhodeCode}"
+	elog  ""
+	ewarn "Bear in mind that the whole purpose of a Python virtual environment is to"
+	ewarn "isolate complex dependency installations from other instances installed on the"
+	ewarn "same system so you will have to remember to re-emerge this ebuild when"
+	ewarn "Kallithea's dependencies received bug and in particular security fixes (assuming"
+	ewarn "it allows any more recent versions to be installed)."
+	if use sqlite ; then
+		ewarn ""
+		ewarn "You chose to use SQLite for Kallithea. Please be advised that this is *ONLY* for"
+		ewarn "testing purposes, please avoid using SQLite in production and choose a different"
+		ewarn "database instead."
+	fi
+### SHOULD STAY DEACTIVATED FOR NOW                                                           ###
+my_read_line() {
+	# BASH function 'read' cannot write input back to variable in correct environment
+	# when run by emerge so we have to do *this* instead... great... :/
+	# (at least this works...)
+	python -c 'import sys; print(sys.stdin.readline().strip())'
+config_menu() {
+	choice=""
+	oldIFS="${IFS}"
+	IFS="
+	"
+	#              1         2         3         4         5         6         7         8
+	#     12345678901234567890123456789012345678901234567890123456789012345678901234567890
+	echo
+	echo "==============================================================================="
+	echo
+	echo "Your options:"
+	echo
+	echo "  1) create production config from template (paster make-config ...)"
+	echo "  2) edit production config"
+	echo "  3) initialize Kallithea (paster setup-db)"
+	echo "     This will also ask for repository location and create an admin account."
+	echo "  0) quit"
+	echo "     Kallithea should be able to run now, check documentation for more options"
+	echo "     such as setting up a task queue or full text search if you need it."
+	echo
+	echo "TERM is ${TERM}"
+	while [[ ! "${choice}" =~ ^[0-3]$ ]]; do
+		echo -n "Your choice? "
+		choice=$(my_read_line)
+	done
+	IFS="${oldIFS}"
+	return ${choice}
+pkg_config() {
+	echo "Erm... You are not supposed to call --config as it has not been completed."
+	echo "Sorry, you will have to follow the docs yourself for now, see:"
+	echo "  ${urlDocumentationSetup}"
+	echo
+	echo
+	exit 1
+	#              1         2         3         4         5         6         7         8
+	#     12345678901234567890123456789012345678901234567890123456789012345678901234567890
+	echo "Kallithea setup requires following multiple steps, some of which need to be run"
+	echo "in the correct virtual Python environment. This script helps you running those"
+	echo "commands by wrapping the commands to be run inside the correct virtualenv."
+	echo "You may still want to read the setup instructions while running this script:"
+	echo
+	echo "  ${urlDocumentationSetup}"
+	# activate virtualenv
+	cd ${installBasePath} || die "installation is gone? (${installBasePath})"
+	source "${virtualenvActivationPath}" || die "failed to activate virtualenv (${installBasePath}/${virtualenvActivationPath})"
+	configFileName='production.ini'
+	while true; do
+		config_menu
+		choice=$?
+		echo
+		case "${choice}" in
+			0) 	break
+				;;
+			1)	mkdir -p "${installBasePath}/etc"
+				cd "${installBasePath}/etc"
+				shouldCreate="y"
+				if [ -e "${configFileName}" ]; then
+					shouldCreate=""
+					while true; do
+						echo "${configFileName} already exists, overwrite?"
+					        while [[ ! "${shouldCreate}" =~ ^[yn]$ ]]; do
+					                echo -n "Enter y to overwrite, n to abort: "
+					                shouldCreate=$(my_read_line)
+					        done
+					done
+				fi
+				if [ "${shouldCreate}" == 'y' ]; then
+					echo 'Creating configuration file...'
+					paster make-config Kallithea ${configFileName}
+				else
+					echo 'Aborted, configuration file has not been overwritten.'
+				fi
+				;;
+			2)	iniPath="${installBasePath}/etc/${configFileName}"
+				if [ ! -e "${iniPath}" ]; then
+					echo "config not found at ${iniPath}; did you follow step 1?"
+					continue
+				fi
+				# terminal and shell need a reset or editor will be screwed up
+				source /etc/profile
+				reset
+				stty sane
+				# open editor
+				if [[ "${EDITOR}" != "" ]] && [ -e "${EDITOR}" ]; then
+					TERM="xterm" ${EDITOR} "${iniPath}"
+				else
+					TERM="xterm" nano -w "${iniPath}"
+				fi
+				# we better reset again...
+				source /etc/profile
+				reset
+				stty sane
+				;;
+			*)	echo "invalid choice ${choice}"
+				;;
+		esac
+	done
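Review bot: The `pip2.7 install` calls in `src_compile`, and whatever `python2.7 setup.py install` resolves, are fetched over the network at build time, so the only artifact in `dist/v` covered by the Manifest hashes added in this commit is `Kallithea-0.3.6.tar.gz`. Most requests are ranges (`'setuptools>=17.1'`, `'mercurial<4.3,>=2.9'`, `pip2.7 install --upgrade pip`), so two builds of this security update can install different code. The Mercurial that gets installed also stays inside the range that the package.mask note in this same commit describes as vulnerable (<4.5.1). I would pin exact versions and enable pip's hash checking, e.g. `pip2.7 install --require-hashes -r "${FILESDIR}/<pinned-requirements-file>" || die "Failed to install pinned dependencies, aborting!"` (the file name is a placeholder), ideally covering the dependencies that setup.py currently resolves on its own. A short `ewarn` in `pkg_postinst` stating that the bundled Mercurial is still older than 4.5.1 and relies on Kallithea's mitigation would put that caveat in front of administrators at install time.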
--- a/profiles/package.mask	Sun Nov 11 15:08:42 2018 +0100
+++ b/profiles/package.mask	Sat Dec 29 16:31:18 2018 +0100
@@ -12,3 +12,14 @@
 # already published on 6 Jun 2018):
 # https://kallithea-scm.org/news/release-0.3.5.html
+# Daniel Neugebauer <dneuge@energiequant.de> (29 Dec 2018)
+# for gentoo-overlay.megacoffee.net
+# Kallithea versions before 0.3.6 are vulnerable to privilege escalation
+# in Mercurial (CVE-2018-1000132).
+# Note that Kallithea 0.3.6 continues to use a vulnerable Mercurial version
+# (<4.5.1) but attempts to mitigate the issue.
+# Upgrade ASAP (updates were already published on 6 Mar 2018 for Mercurial
+# and 4 Nov 2018 for additional mitigation in Kallithea):
+# https://kallithea-scm.org/news/release-0.3.6.html