windows-release/merge-and-upload.py converts installer metadata URLs from
__install__.json into remote filesystem paths. The resulting paths are then
used in SSH and SCP command arguments for directory creation, upload, group, and
mode updates.
The metadata is normally produced by the release process, but the URL-derived
path should still be treated as path data and quoted before it is passed through
remote command strings.
Reproducer
Run this from the repository root on the current base tree. It mocks the
subprocess boundary and does not contact the upload host:
import importlib.util
from pathlib import Path
script = Path("windows-release/merge-and-upload.py")
spec = importlib.util.spec_from_file_location("merge_and_upload_repro", script)
module = importlib.util.module_from_spec(spec)
try:
spec.loader.exec_module(module)
except SystemExit:
# The script exits when no local __install__.json files are present. The
# upload helper functions are already defined by that point.
pass
calls = []
def fake_run(*args, single_cmd=False):
calls.append(args)
return ""
module._run = fake_run
module.PLINK = "plink.exe"
module.PSCP = "pscp.exe"
module.UPLOAD_HOST = "downloads.example.org"
module.UPLOAD_USER = "release-manager"
module.NO_UPLOAD = False
module.LOCAL_INDEX = False
dest = module.url2path(
"https://www.python.org/ftp/python/3.14.0;touch marker/"
"python-3.14.0-amd64.exe"
)
# This matches the directory preparation code in the base upload loop.
destdir = dest.rpartition("/")[0]
module.call_ssh(f"mkdir {destdir} && chgrp downloads {destdir} && chmod a+rx {destdir}")
module.upload_ssh("python-3.14.0-amd64.exe", dest)
for call in calls:
print(call)The captured commands include the URL-derived path without shell quoting:
('plink.exe', '-batch', 'release-manager@downloads.example.org', 'mkdir /srv/www.python.org/ftp/python/3.14.0;touch marker && chgrp downloads /srv/www.python.org/ftp/python/3.14.0;touch marker && chmod a+rx /srv/www.python.org/ftp/python/3.14.0;touch marker')
('pscp.exe', '-batch', 'python-3.14.0-amd64.exe', 'release-manager@downloads.example.org:/srv/www.python.org/ftp/python/3.14.0;touch marker/python-3.14.0-amd64.exe')
('plink.exe', '-batch', 'release-manager@downloads.example.org', 'chgrp downloads /srv/www.python.org/ftp/python/3.14.0;touch marker/python-3.14.0-amd64.exe && chmod g-x,o+r /srv/www.python.org/ftp/python/3.14.0;touch marker/python-3.14.0-amd64.exe')
The semicolon from the metadata URL remains shell syntax in the generated
directory, upload, group, and mode commands.
Expected behavior
Remote paths derived from installer metadata URLs should be quoted as path data
before they are used in SSH command strings or SCP remote path arguments.
windows-release/merge-and-upload.pyconverts installer metadata URLs from__install__.jsoninto remote filesystem paths. The resulting paths are thenused in SSH and SCP command arguments for directory creation, upload, group, and
mode updates.
The metadata is normally produced by the release process, but the URL-derived
path should still be treated as path data and quoted before it is passed through
remote command strings.
Reproducer
Run this from the repository root on the current base tree. It mocks the
subprocess boundary and does not contact the upload host:
The captured commands include the URL-derived path without shell quoting:
The semicolon from the metadata URL remains shell syntax in the generated
directory, upload, group, and mode commands.
Expected behavior
Remote paths derived from installer metadata URLs should be quoted as path data
before they are used in SSH command strings or SCP remote path arguments.