#! /bin/sh
dummy=0
release=1
BUILDROOT=../build

while :; do
  case "$1" in
  -n ) dummy=1 ; shift ;;
  -r | --release ) release=$2 ; shift 2 ;;
  -b | --buildroot ) BUILDROOT=$2 ; shift 2 ;;
  -- ) shift ; break ;;
  -* ) echo "Unknown option $1" ; exit 1 ;;
  * ) break ;;
  esac
done

case "$#" in
1 )	;;
* )	echo "Usage: $0 [-n] version" >&2 ;exit 1 ;;
esac
version=$1

PREP=${TMP:-/tmp}/eugridpma.$$
DIST=webegp@www.eugridpma.org:/project/srv/www/site/eugridpma/html/distribution/
RSYNC="rsync -rav -e ssh"
TARDISTNAME=eugridpma-policy-accredited-bundle-$version

mkdir $PREP
mkdir $PREP/$version
mkdir $PREP/$version/worthless
mkdir $PREP/$version/others
mkdir $PREP/$version/accredited
PREP=$PREP/$version

echo "This is version $version" > $PREP/version.txt

cat <<EOF > $PREP/worthless/README.txt

Version $version WORTHLESS root certificates

This area contains explicitly "worthless" root certificates. Do
not rely on these certificates in a real environment - you install
them entirely at your own risk!

Examples of worthless CAs include the "tutorial" on-line exercise
CA, and the Globus Certificate Service.
Especially the Globus Certificate Service is governed by this
disclaimer from the Globus web site:

"
The Globus Certificate Service is a service that issues low-quality
certificates to users who require certificates to use the Globus
Toolkit(C) and do not have other means of acquiring certificates.  The
Globus Certificate Service is not a true CA (for example, it does not
revoke or reissue certificates) and certificates from the Globus
Certificate Service are intended solely for experimentation and
testing.  Care should be taken when using certificates issued by it,
particularly on production resources.

We strongly encourage users to use more secure alternatives to the
Globus Certificate Service
"

EOF


cat <<EOF > $PREP/others/README.txt

Version $version other root certificates

This area contains non-accredited root certificates -- you install 
them entirely at your own risk! But they could be quite good as well,
but just not fitting the current set of guidelines.

Examples of "other" CAs include the Fermilab KerberosCA root.

EOF

( cd .. ; tar zcvf $PREP/eugridpma-carep-$version.tar.gz \
	--exclude "carep/accredited" \
	--exclude "carep/others" \
	--exclude "carep/worthless" \
	--exclude "CVS" \
	carep
)

# build the tarball for distribution
TEMPDIR=`mktemp -d /tmp/eugridpma-dist-XXXXXX`
TARDIR=$TEMPDIR/$TARDISTNAME
mkdir $TARDIR
for i in `awk '{print $1}' accredited.in`
do
  # find the CA data to go with this (depends on .alias file)
  # and effectively expand the CVS structure
  for aliasfile in `find . -type f -a -name "*.alias"` 
  do
    s=`cat $aliasfile`
    if [ x"$s" = x"$i" ]; then
      f=`basename $aliasfile .alias`
      dir=`dirname $aliasfile`
      mkdir $TARDIR/$s
      cp -p $dir/$f.* $TARDIR/$s/
    fi
  done
done
cp -p dist-configure $TARDIR/configure
cp -p accredited.in $TARDIR/
( cd $TEMPDIR ; tar zcvf \
	$PREP/accredited/$TARDISTNAME.tar.gz \
	--exclude "CVS" \
	. 
)
rm -fr $TEMPDIR

cp -p accredited.in $PREP/accredited/
cp -p CHANGES $PREP/
cp -p GPG-KEY-EUGridPMA-RPM-3 $PREP/

# now copy the RPMs &c
cp -pr $BUILDROOT/* $PREP/

if [ $dummy -eq 0 ]; then
	( cd $PREP ; yum-arch . )
	( cd $PREP ; $RSYNC $PREP $DIST )
fi
