bin/apt-snapshots-expiry

   1 #!/bin/sh
   2
   3 set -eu
   4
   5 FAILURE=no
   6 for dir in config/APT_snapshots.d vagrant/definitions/tails-builder/config/APT_snapshots.d; do
   7     echo "${dir:?}:"
   8     cd "$(git rev-parse --show-toplevel)/${dir:?}"
   9     for ARCHIVE in * ; do
  10         SERIAL="$(cat "${ARCHIVE:?}/serial")"
  11         if [ "${SERIAL:?}" = 'latest' ]; then
  12             EXPIRY='never'
  13             if [ "${ARCHIVE:?}" != 'debian-security' ]; then
  14                 echo "Warning: origin '${ARCHIVE:?}' is using the 'latest' snapshot, which is unexpected" >&2
  15             fi
  16         else
  17             case "${ARCHIVE:?}" in
  18                 'debian-security')
  19                     DIST='bookworm-security'
  20                     ;;
  21                 'torproject')
  22                     DIST='bookworm'
  23                     ;;
  24                 *)
  25                     DIST='stable'
  26                     ;;
  27             esac
  28             EXPIRY="$(curl --silent "https://time-based.snapshots.deb.tails.boum.org/${ARCHIVE:?}/dists/${DIST:?}/snapshots/${SERIAL:?}/Release" | sed -n 's/^Valid-Until:\s\+\(.*\)$/\1/p')"
  29             if [ -z "${EXPIRY:-}" ]; then
  30                 FAILURE=yes
  31                 echo "FAIL: archive '${ARCHIVE:?}' has no snapshot '${SERIAL}'!"
  32                 continue
  33             fi
  34         fi
  35         STATUS="archive '${ARCHIVE:?}' uses snapshot '${SERIAL:?}' which expires on: ${EXPIRY:?}"
  36         if [ "${EXPIRY}" = 'never' ] || \
  37            [ "$(date -d "${EXPIRY}" +%s)" -ge "$(date -d "now + 1 month" +%s)" ]; then
  38             echo "OK:   ${STATUS}"
  39         else
  40             FAILURE=yes
  41             echo "FAIL: ${STATUS}, which is within one month!" >&2
  42         fi
  43     done
  44     echo ---
  45 done
  46
  47 if [ "${FAILURE}" = yes ]; then
  48     exit 1
  49 fi