From ad6b47c27b1113abacdfebf7234d38b6524606cd Mon Sep 17 00:00:00 2001 From: Jon Turney Date: Thu, 19 Jan 2023 11:50:43 +0000 Subject: Relax trusted maintainer restrictions Rename orphanmaint -> trustedmaint Also revise and relax logic so it's more consistent: trusted maintainers can do these things via a shell, so don't stop doing them more easily via calm. Drop convulted "add trusted maintainers as maintainers of orphaned packages so they can upload them", and just check directly against trusted maintainer list to determine if an upload is permitted. --- calm/calm.py | 11 ++++++++--- calm/common_constants.py | 11 ++++++++--- calm/maintainers.py | 14 +++++--------- calm/mkgitoliteconf.py | 4 ++-- calm/tool_util.py | 17 +++++++++++------ calm/uploads.py | 4 ++-- test/test_calm.py | 2 +- 7 files changed, 37 insertions(+), 26 deletions(-) diff --git a/calm/calm.py b/calm/calm.py index 17a9932..e8a7f08 100755 --- a/calm/calm.py +++ b/calm/calm.py @@ -144,7 +144,7 @@ def process_relarea(args, state): def process_uploads(args, state): # read maintainer list - mlist = maintainers.read(args, getattr(args, 'orphanmaint', None)) + mlist = maintainers.read(args) # make the list of all packages all_packages = maintainers.all_packages(mlist) @@ -656,6 +656,11 @@ def mail_cb(state, loghandler): # send each maintainer mail containing log entries caused by their actions, # or pertaining to their packages + # + # XXX: prev_maint=False here is a kind of wrong: it prevents the previous + # maintainer of an orphaned package from getting mails about it being + # altered by a trusted maintainer, but also stops them getting mails if the + # do something themselves... mlist = maintainers.read(state.args, prev_maint=False) for m in mlist.values(): email = m.email 
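Review bot: The XXX comment added in mail_cb() records a notification gap without closing it, and its wording is garbled ("a kind of wrong", "if the do something themselves"). Because this commit lets trusted maintainers upload any package, the per-maintainer mail is presumably the main way an affected maintainer learns of such an upload, so the gap deserves a tracked issue, not only a comment. Suggested wording: `# XXX: prev_maint=False is not quite right: it stops the previous maintainer of an orphaned package being mailed when a trusted maintainer alters it, but also when they change it themselves.` The body of mail_cb() continues outside the hunk.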
@@ -713,7 +718,7 @@ def main(): htdocs_default = os.path.join(common_constants.HTDOCS, 'packages') homedir_default = common_constants.HOMEDIR stagingdir_default = common_constants.STAGINGDIR - orphanmaint_default = common_constants.ORPHANMAINT + trustedmaint_default = common_constants.TRUSTEDMAINT pidfile_default = '/sourceware/cygwin-staging/calm.pid' pkglist_default = common_constants.PKGMAINT relarea_default = common_constants.FTP @@ -729,7 +734,7 @@ def main(): parser.add_argument('--htdocs', action='store', metavar='DIR', help="htdocs output directory (default: " + htdocs_default + ")", default=htdocs_default) parser.add_argument('--key', action='append', metavar='KEYID', help="key to use to sign setup.ini", default=[], dest='keys') parser.add_argument('--logdir', action='store', metavar='DIR', help="log directory (default: '" + logdir_default + "')", default=logdir_default) - parser.add_argument('--orphanmaint', action='store', metavar='NAMES', help="orphan package maintainers (default: '" + orphanmaint_default + "')", default=orphanmaint_default) + parser.add_argument('--trustedmaint', action='store', metavar='NAMES', help="trusted package maintainers (default: '" + trustedmaint_default + "')", default=trustedmaint_default) parser.add_argument('--pkglist', action='store', metavar='FILE', help="package maintainer list (default: " + pkglist_default + ")", default=pkglist_default) parser.add_argument('--release', action='store', help='value for setup-release key (default: cygwin)', default='cygwin') parser.add_argument('--releasearea', action='store', metavar='DIR', help="release directory (default: " + relarea_default + ")", default=relarea_default, dest='rel_area') diff --git a/calm/common_constants.py b/calm/common_constants.py index cc43009..fb7cdc3 100644 --- a/calm/common_constants.py +++ b/calm/common_constants.py 
@@ -44,17 +44,22 @@ EMAILS = ','.join(list(map(lambda m: m[0] + '@' + m[1], zip(['corinna', 'Stromek # every email we send is bcc'd to these addresses ALWAYS_BCC = 'jturney@sourceware.org' -# these maintainers can upload orphaned packages as well +# these maintainers are 'trusted' +# +# they can: +# - git push to any package repo +# - upload any package +# - untest any package +# - vault any package # # (these people have sourceware shell access and cygwin group membership, so # they can do whatever they like directly, anyhow) -ORPHANMAINT = '/'.join([ +TRUSTEDMAINT = '/'.join([ 'Corinna Vinschen', 'Eric Blake', 'Jon Turney', 'Ken Brown', 'Marco Atzeri', - 'Yaakov Selkowitz', ]) # architectures we support diff --git a/calm/maintainers.py b/calm/maintainers.py index 0a8225a..7c1fc7d 100644 --- a/calm/maintainers.py +++ b/calm/maintainers.py @@ -136,7 +136,7 @@ def add_directories(mlist, homedirs): # add maintainers from the package maintainers list, with the packages they # maintain -def add_packages(mlist, pkglist, orphanMaint=None, prev_maint=True): +def add_packages(mlist, pkglist, prev_maint=True): with open(pkglist) as f: for (i, l) in enumerate(f): l = l.rstrip() @@ -156,13 +156,9 @@ def add_packages(mlist, pkglist, orphanMaint=None, prev_maint=True): if status == 'OBSOLETE': continue - # orphaned packages get the default maintainer(s) if we - # have one, otherwise they are assigned to 'ORPHANED' + # orphaned packages are assigned to 'ORPHANED' elif status == 'ORPHANED': - if orphanMaint is not None: - m = orphanMaint - else: - m = status + m = status if prev_maint: # also add any previous maintainer(s) listed 
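Review bot: Removing 'Yaakov Selkowitz' from TRUSTEDMAINT is a privilege change that the commit message does not mention; the message describes only a rename and relaxed checks. The same list feeds the `@leads` group in mkgitoliteconf.py and the upload check in uploads.py, so membership changes are easier to audit in their own commit, or at least called out in the description. The new comment block is a useful statement of what the list grants. It would help to add one line on how entries are matched, e.g. `# names are compared as exact strings after split('/'), so they must match the maintainer name exactly`.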
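Review bot: Dropping `orphanMaint` from the middle of the positional parameters means a stale call such as `add_packages(mlist, pkglist, None)` still runs, but now binds `None` to `prev_maint` and silently skips the `if prev_maint:` previous-maintainer handling. The same applies to `read(args, prev_maint=True)` in the last hunk of this file. Making the flag keyword-only, `def add_packages(mlist, pkglist, *, prev_maint=True):` with `read()` passing `prev_maint=prev_maint`, would turn any missed caller into an immediate TypeError. The body of add_packages() continues outside the hunk.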
@@ -199,10 +195,10 @@ def add_packages(mlist, pkglist, orphanMaint=None, prev_maint=True): # create maintainer list -def read(args, orphanmaint=None, prev_maint=True): +def read(args, prev_maint=True): mlist = {} mlist = add_directories(mlist, args.homedir) - mlist = add_packages(mlist, args.pkglist, orphanmaint, prev_maint) + mlist = add_packages(mlist, args.pkglist, prev_maint) return mlist diff --git a/calm/mkgitoliteconf.py b/calm/mkgitoliteconf.py index e90b4c8..c67277e 100755 --- a/calm/mkgitoliteconf.py +++ b/calm/mkgitoliteconf.py @@ -51,7 +51,7 @@ def transform_username(name): def do_main(args): # read maintainer list mlist = {} - mlist = maintainers.add_packages(mlist, args.pkglist, getattr(args, 'orphanmaint', None)) + mlist = maintainers.add_packages(mlist, args.pkglist) # make the list of all packages maintainers.all_packages(mlist) @@ -70,7 +70,7 @@ def do_main(args): # global configuration print('') - print('@leads = %s' % ' '.join(map(transform_username, common_constants.ORPHANMAINT.split('/')))) + print('@leads = %s' % ' '.join(map(transform_username, common_constants.TRUSTEDMAINT.split('/')))) print('') print('repo @all') print(' RW = @leads') diff --git a/calm/tool_util.py b/calm/tool_util.py index 09e40e8..43fe3ea 100644 --- a/calm/tool_util.py +++ b/calm/tool_util.py 
@@ -47,14 +47,19 @@ def permitted(p): cygname = os.environ.get('CYGNAME', None) mlist = {} - mlist = maintainers.add_packages(mlist, common_constants.PKGMAINT, orphanMaint=common_constants.ORPHANMAINT) + mlist = maintainers.add_packages(mlist, common_constants.PKGMAINT, trustedMaint=common_constants.TRUSTEDMAINT) + + # CYGNAME is a maintainer for package + if p in mlist[cygname].pkgs: + return True + + # CYGNAME is a trusted maintainer + if cygname in common_constants.TRUSTEDMAINT.split('/'): + return True if cygname not in mlist: logging.error("'%s' is not a package maintainer" % (cygname)) return False - if p not in mlist[cygname].pkgs: - logging.error("package '%s' is not in the package list for maintainer '%s'" % (p, cygname)) - return False - - return True + logging.error("package '%s' is not in the package list for maintainer '%s'" % (p, cygname)) + return False diff --git a/calm/uploads.py b/calm/uploads.py index ba18217..fcb23cd 100644 --- a/calm/uploads.py +++ b/calm/uploads.py @@ -143,8 +143,8 @@ def scan(scandir, m, all_packages, arch, args): logging.error("package '%s' is not in the package list" % relpath) continue - # only process packages for which we are listed as a maintainer - if not package.is_in_package_list(pkgpath, m.pkgs): + # only process packages for which we are listed as a maintainer, or we are a trusted maintainer + if not (package.is_in_package_list(pkgpath, m.pkgs) or (m.name in args.trustedmaint.split('/'))): logging.warning("package '%s' is not in the package list for maintainer '%s'" % (relpath, m.name)) continue diff --git a/test/test_calm.py b/test/test_calm.py index 0f1534c..aced23b 100755 --- a/test/test_calm.py +++ b/test/test_calm.py 
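Review bot: Two problems in the new body of permitted() make this authorization check raise instead of returning a decision. The call passes `trustedMaint=common_constants.TRUSTEDMAINT`, but `add_packages(mlist, pkglist, prev_maint=True)` as changed in this same commit accepts no such keyword, so every call raises TypeError. In addition, `mlist[cygname].pkgs` is now read before the `cygname not in mlist` guard, so an unset CYGNAME, or a trusted maintainer with no entry in the package list, would hit a KeyError if mlist is a plain dict, as `mlist = {}` suggests. The function starts above the hunk; a reordering that checks trusted status first, then membership, then package ownership is sketched below.

```python
    # … unchanged: cygname lookup from the environment …
    mlist = {}
    mlist = maintainers.add_packages(mlist, common_constants.PKGMAINT)

    # CYGNAME is a trusted maintainer
    if cygname in common_constants.TRUSTEDMAINT.split('/'):
        return True

    if cygname not in mlist:
        logging.error("'%s' is not a package maintainer" % (cygname))
        return False

    # CYGNAME is a maintainer for package
    if p in mlist[cygname].pkgs:
        return True

    logging.error("package '%s' is not in the package list for maintainer '%s'" % (p, cygname))
    return False
```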
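Review bot: The trusted-maintainer branch in scan() admits an upload for a package the uploader does not own without leaving any trace. Logging that path would make such uploads auditable, e.g. `logging.info("trusted maintainer '%s' uploading package '%s'" % (m.name, relpath))` when the package-list test fails but the trusted test passes. The check reads `args.trustedmaint`, while tool_util.py and mkgitoliteconf.py read `common_constants.TRUSTEDMAINT`, so overriding `--trustedmaint` changes who calm accepts but not who the other two treat as trusted. The attribute is also read directly where the old code used `getattr(args, 'orphanmaint', None)`, so a caller that builds args without it (none is visible here) would raise AttributeError. The body of scan() extends beyond the hunk, and the test change in this commit does not cover the trusted path.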
@@ -319,7 +319,7 @@ class CalmTest(unittest.TestCase): mlist = {} mlist = maintainers.add_directories(mlist, 'testdata/homes') - mlist = maintainers.add_packages(mlist, 'testdata/pkglist/cygwin-pkg-maint', None) + mlist = maintainers.add_packages(mlist, 'testdata/pkglist/cygwin-pkg-maint') compare_with_expected_file(self, 'testdata/pkglist', mlist) -- cgit v1.2.3