Automate mirror submission

[Torxed]

Concept so far:

• Public endpoint that doesn't require an arch account
• Captcha to combat most spam
• When submitted, the mirror is default Active: False and Public: False. These change to True when:
  • Upon (automated?) verification of Completion: 100.0%
  • After email to maintainers is sent and they manually change the two values after inspection.
• Tier 1 requests gets automatically rejected (with a nice email explaining why) if:
  • No valid Tier 2 in the database matching the same name and URL endpoints.
  • Tier 2 is newer than registered < MIN days
  • Tier 2 has a log containing multiple suspicious errors

[jelly]

Cool! I've made some minor comments in the PR. Would be nice to also add a test later, happy to help if you have some questions.

[jelly]

ideally this uses the url template tag

[Torxed]

Good idea, I'll learn how those work and see if I can get it working.

[Torxed]

Not sure how to work around the fact that the tier url's use re_path(r'^tier/(?P<tier>\d+)/$', mirrors, name='mirror-list-tier'), with one common name (I assume that's how those links work after reading up).

[Torxed]

Cool! I've made some minor comments in the PR. Would be nice to also add a test later, happy to help if you have some questions.

Thanks for the feedback, me and the misses will get onto fixing the last few things before I mark this as ready instead of WIP.

The whole Django thing is still new to me and I have no idea where things are stored in the db 🙈
Tests are coming too, once I know it's all working in manual tests.

[Torxed]

Oh, and I will run a code linter once I feel ready. Just can't stand the syntax while developing :)

[Torxed]

Mail function looks good:

Aside from automatic check to make the mirror public after certain criterias, I think the PR is mostly ready.

[Torxed]

@jelly I consider the PR ready, as I might need help with writing tests for this.
But as mentioned, I can't figure out why the pip+git breaks (even in the runner):

Obtaining cssmin from git+git://github.com/fredj/cssmin.git@master#egg=cssmin (from -r requirements.txt (line 1))
  Cloning git://github.com/fredj/cssmin.git (to revision master) to ./src/cssmin
  Running command git clone --filter=blob:none --quiet git://github.com/fredj/cssmin.git /home/runner/work/archweb/archweb/src/cssmin
  fatal: unable to connect to github.com:
  github.com[0: 140.82.112.3]: errno=Connection timed out

  error: subprocess-exited-with-error
  
  × git clone --filter=blob:none --quiet git://github.com/fredj/cssmin.git /home/runner/work/archweb/archweb/src/cssmin did not run successfully.
  │ exit code: 128
  ╰─> See above for output.
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× git clone --filter=blob:none --quiet git://github.com/fredj/cssmin.git /home/runner/work/archweb/archweb/src/cssmin did not run successfully.
│ exit code: 128
╰─> See above for output.

[Torxed]

It's a crude test, but will at least test that the endpoint exists and that it accepts the request data (captcha will fail)

[Torxed]

A thought that hit me while administrating the manual process was that adding a bunch of URL's to the same mirror might be desirable.

That currently won't work with this approach, but very well could in v2.0 of this endpoint.
I feel it's a bit of an undertaking adding support for 3+ URL's, especially dynamically added URL's.
So if no one objects, I'd prefer if this goes in before I start working on v2.0 of this.

[jelly]

This PR still has CI issues.

[jelly]

Please / rebase cleanup the comments and I'll take another look

[jelly]

Are you on an old branch? On master it's

   1   │ -e git+https://github.com/fredj/cssmin.git@master#egg=cssmin

[Torxed]

Changing.

[jelly]

Please drop this, this shouldn't be required anymore. It's also unrelated to the other changes.

[Torxed]

Sure it's "unrelated", but the fact remains that whenever you work from the project folder and follow some instructions about downloading a database or something similar you run the risk of pushing it globally.

If the project does not need .tar.gz files to be built or executed, there's really no risk of adding it to the ignore list. And I thought while I'm at it, I'll add it.

[jelly]

This is not linked anywhere on archlinux.org, maybe we should add a link with some text on https://archlinux.org/mirrors.

[jelly]

This should not be in here? Please rebase and drop it.

[Torxed]

Sure, but saw an opportunity to update old stuff seeing as they have a few vulns in 4.0 that should be fixed in 4.1. But I'll revert it and someone can update later.

[jelly]

Please add this in a separate commit.

[Torxed]

Separate commit to the same PR, or separate PR with a separate commit?

[jelly]

This looks wrong, a form should never be able to be posted with a GET, it should always be a POST.

[jelly]

Also please create the url programmatically so you can easily assert the data when expanding the test.

[Torxed]

Same as below:

• archweb/templates/mirrors/mirrorlist_generate.html

  Lines 38 to 41 in ad3b182

  	<form id="list-generator" method="get">
  	{{ mirrorlist_form.as_div }}
  	<p><label></label> <input type="submit" value="Generate List" /></p>
  	</form>

[jelly]

Unneeded change

[jelly]

Same as above.

[Torxed]

I'm sorry, but PEP8#Blank-Lines dictates two blank lines between function definitions. The rest of the code is also spaced out this way.

For reference:

archweb/mirrors/views/mirrorlist.py

Lines 191 to 194 in 3904bac

	return urls
	def find_mirrors(request, countries=None, protocols=None, use_status=False,

[jelly]

A Form should never be a GET, but always a POST and should have:

    <form method="post">{% csrf_token %}

[Torxed]

And just for reference, I took the method from this form:

• archweb/templates/mirrors/mirrorlist_generate.html

  Lines 38 to 41 in ad3b182

  	<form id="list-generator" method="get">
  	{{ mirrorlist_form.as_div }}
  	<p><label></label> <input type="submit" value="Generate List" /></p>
  	</form>

[jelly]

Not sure if I like the captch dependency, we don't have it for flagging packages. Do you think it's really required?

[Torxed]

Well this is what people said I should put in when I was asking in the arch channels, I don't mind dropping it but to reduce spam this is what was suggested.

To quote: "Just make a captcha thing"