From d0824f1862f5c2dfa55b735b01e14b5c21aa860d Mon Sep 17 00:00:00 2001
From: Ben Hutchings <benh@debian.org>
Date: Mon, 27 Apr 2015 19:44:59 +0000
Subject: [PATCH] Add security update versions to regex and
 distribution/version sanity checks

Currently we don't allow versions like 3.16.7-ckt9-3~deb8u1~bpo7+1 in
*-backports, but we should!  Add the security suffix as an option
before the backports suffix.

We also don't check that an upload to *-security or *-lts includes the
expected suffix and nothing else.  Add a check for that.

svn path=/dists/trunk/linux/; revision=22539
---
 debian/bin/gencontrol.py                 | 4 ++++
 debian/lib/python/debian_linux/debian.py | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index eac59f4be..7eaba6fe1 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -492,6 +492,10 @@ class Gencontrol(Base):
         if distribution in ('experimental', ):
             if not version.linux_revision_experimental:
                 raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))
+        if distribution.endswith('-security') or distribution.endswith('-lts'):
+            if (not version.linux_revision_security or
+                version.linux_revision_backports):
+                raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))
         if distribution.endswith('-backports'):
             if not version.linux_revision_backports:
                 raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))
diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py
index ad8e70219..936a9ab94 100644
--- a/debian/lib/python/debian_linux/debian.py
+++ b/debian/lib/python/debian_linux/debian.py
@@ -139,14 +139,17 @@ class VersionLinux(Version):
         ~exp\d+
     )
     |
+    (?P<revision_security>
+        [~+]deb\d+u\d+
+    )?
     (?P<revision_backports>
         ~bpo\d+\+\d+
-    )
+    )?
     |
     (?P<revision_other>
         [^-]+
     )
-)?
+)
 $
 """
     _version_linux_re = re.compile(_version_linux_rules, re.X)
@@ -167,6 +170,7 @@ $
         self.linux_upstream_full = self.linux_upstream + d['update']
         self.linux_dfsg = d['dfsg']
         self.linux_revision_experimental = match.group('revision_experimental') and True
+        self.linux_revision_security = match.group('revision_security') and True
         self.linux_revision_backports = match.group('revision_backports') and True
         self.linux_revision_other = match.group('revision_other') and True