#!/bin/bash
# Unattended system upgrade
# Copyright (C) 2005, 2006  Cliss XXI

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

# Author: Sylvain Beucler <beuc@beuc.net>

# Security consideration:
# http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s9.1.7

# Package tool used for the update/autoclean steps.  Kept as a plain string
# (and expanded unquoted where used) so extra options can be folded in,
# e.g. APT='apt-get -o quiet=2' for a quieter run.
APT=apt-get


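# Initial GPG setup: make sure root has a GnuPG home and the keyring that
# the key-rotation step below imports into.  The two checks are separate so
# that a pre-existing ~/.gnupg (root has run gpg before) still gets the
# keyring created here with owner-only permissions.
if [ ! -e ~/.gnupg ]; then
    gpg < /dev/null 2> /dev/null # a no-op invocation creates ~/.gnupg and its defaults
fi
if [ ! -e ~/.gnupg/trustedkeys.gpg ]; then
    touch ~/.gnupg/trustedkeys.gpg
    chmod 600 ~/.gnupg/trustedkeys.gpg
fi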

# gpg --no-default-keyring --keyring trustedkeys.gpg \
#   --keyserver keyring.debian.org --recv 4F368D5D
# Remember to keep the ftpmaster key up-to-date, e.g.:
# http://ftp-master.debian.org/ziyi_key_2006.asc

# For testing security:
# http://secure-testing-master.debian.net/ziyi-2005-7.asc

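# Yearly rotation of the Debian archive signing key ("ziyi" key): fetch
# the current year's key once, cache it in $key_dir, trust it, then retire
# the previous year's key.  Retirement happens only after the new key has
# been installed, so a failed download never leaves the system keyless.
#
# NOTE(review): the key arrives over plain HTTP and is trusted by both
# apt-key and the local keyring with no authenticity check, so whoever can
# alter that download decides which packages this host will install.
# Pinning the expected fingerprint out of band, or checking the new key's
# signature against an already-trusted key before 'apt-key add', would
# close that gap.
cur_year=$(date +%Y)
prev_year=$(( cur_year - 1 ))
key_name=ziyi_key_$cur_year.asc
key_dir=/var/lib/apt-autoupgrade
key_file=$key_dir/$key_name
prev_key_file=$key_dir/ziyi_key_$prev_year.asc
if [ ! -e "$key_file" ]; then
    # Import into the local keyring first: a malformed or truncated
    # download fails there and is then never handed to apt-key.
    if wget --quiet --directory-prefix "$key_dir" "http://ftp-master.debian.org/$key_name" \
        && gpg --no-default-keyring --keyring trustedkeys.gpg --import "$key_file" \
        && apt-key add "$key_file"; then
        prev_keyid=
        if [ -e "$prev_key_file" ]; then
            # Only the 'pub' line names the primary key; 'sub'/'uid' lines
            # would otherwise pollute the id.  Assumes the gpg 1.x listing
            # format 'pub  1024D/KEYID ...' -- TODO confirm with installed gpg.
            prev_keyid=$(gpg --keyid-format=long "$prev_key_file" \
                | awk '/^pub/ { print $2 }' | cut -d/ -f2)
        fi
        if [ -n "$prev_keyid" ]; then
            apt-key remove "$prev_keyid"
            # gpg refuses to delete in --batch mode unless --yes is given
            # (or the key is named by its full fingerprint).
            gpg --no-default-keyring --keyring trustedkeys.gpg --batch --yes --delete-key "$prev_keyid"
        fi
    else
        printf 'apt-autoupgrade: could not fetch or install %s; keeping current keys\n' "$key_name" >&2
        rm -f -- "$key_file"   # do not cache a partial or rejected download
    fi
fi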

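echo "Updating sources..."
# $APT is deliberately unquoted: it may carry options (see its definition).
# shellcheck disable=SC2086
$APT update

# NOTE(review): the message says "Disabling", but this line only echoes the
# PROBLEMS lines of apt-check-sigs to stderr; confirm that apt-check-sigs
# itself disables the unverifiable components.
echo "Disabling components that cannot be GPG-verified..."
apt-check-sigs | grep PROBLEMS >&2

echo "Upgrading..."
export DEBIAN_FRONTEND=noninteractive
# Never prompt during an unattended run: keep locally modified conffiles
# (confold) and take the maintainer default where there is no local change
# (confdef).  'yes ""' feeds an empty answer to anything that asks anyway.
# Shared by the upgrade and dist-upgrade steps below.
aptitude_opts=(--assume-yes
               -o Dpkg::Options::="--force-confdef"
               -o Dpkg::Options::="--force-confold")
yes '' | aptitude "${aptitude_opts[@]}" upgrade #> /dev/null

# Is it a good idea to enable dist-upgrading? This is a more serious
# matter because it means APT needs to install new packages (and
# possibly remove existing ones). However, if a package cannot be
# dist-upgraded, it may prevent other packages from being upgraded,
# for some reason... You'd better keep your sources/pinning well
# configured.
echo "Dist-upgrading..."
yes '' | aptitude "${aptitude_opts[@]}" dist-upgrade #> /dev/null

echo "Upgrading source packages..."
# command -v is the portable, builtin replacement for 'which'
if command -v apt-src > /dev/null 2>&1; then
    apt-src upgrade --installdebs
fi

# Remove unused .deb's
echo "Auto-cleaning"
# shellcheck disable=SC2086
$APT autoclean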
