Created attachment 206731
Patch that fixes some style issues, adds DIST_SUBDIR and cleans the Makefile

Cleaned up the Makefile by running portlint(1) and portfmt(1). Adds a DIST_SUBDIR to prevent clutter of distfiles. Bumped PKGREVISION due to the addition of DIST_SUBDIR. Tested builds in 12.0-RELEASE-p9 (amd64). Would be nice if this can be applied to the ports tree.

Created attachment 206763
Patch to upgrade the ports script to support cliqz-1.28.2 builds. (Also does the style fixes and clean up)

Looks like www/cliqz got updated from 1.28.1 to 1.28.2. The patch has been regenerated to include the update, along with all the other changes described above.

Oops, forgot to put in the change log.

Changes since 1.28.1:
* DB-2245: merge with Firefox 68.0.2
* DB-2245: Update to 1.28.2
* DB-2250: fixed about dialog license link
* DB-2247: fix texts on Profile Downgrade dialog
* DB-2246: fallback to textValue as url value

https://github.com/cliqz-oss/browser-f/compare/1.28.1...1.28.2

Created attachment 206851
Patch to upgrade the ports script to support cliqz-1.28.2 builds. (Also does the style fixes, clean up and fix build failures in 13-CURRENT)

In addition to the clean up and version update, build failures in 13.0-CURRENT are also fixed. For more information on the build failures see https://lists.freebsd.org/pipermail/svn-src-all/2019-August/184844.html

Adds the following file, based on the above information:
files/patch-mozilla-release_media_mtransport_third__party_nICEr_src_stun_stun.h

Thank you Santhosh. For future reference (and for this issue too if you like), it's very preferable to separate version updates from bugfixes and any other port updates, so that the latter can be merged to the quarterly branch, which doesn't usually take version updates, unless they are either also security or bugfix releases.
(In reply to Kubilay Kocak from comment #4) Apologies for cramming in multiple updates here. Since you mentioned about separating version updates from bug fixes like the build failure. This specific version update does address a security issue in cliqz-1.28.1 (based on Firefox 68.0.1) https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/ This has been fixed in cliqz-1.28.2 (now based on Firefox 68.0.2), which is why I thought of putting it together with the build breakage fix here. Hopefully this is not too much of a problem. Do let me know if you want me to separate out this ticket into multiple ones.
(In reply to Santhosh Raju from comment #5) That's fine, anything that is a candidate for merging is fine being bundled in with other updates, that being: anything that isn't a feature/version-only update, unless it's also a security update. Thank you for clarifying, you can help by explicitly mentioning whether a version update is a bugfix/security release, or includes only bugfixes/security changes. The changelog list and github compare link weren't clear about the security change. If you could provide a security/vuxml entry for this that would be great.
Created attachment 206929
Patch to update vuln.xml with mfsa2019-24

(In reply to Kubilay Kocak from comment #6) I should have probably mentioned the bug fix in the update comment, will keep this in mind. I have prepared a vuln.xml about this security issue. Let me know if the patch looks good.

(In reply to Santhosh Raju from comment #7) Thank you for that, Santhosh. `make validate` in security/vuxml does most/all of the syntactical verifications that committers do, so if it passes, just let us know :) The package list for our firefox packages may need additions (I'm not completely sure of all the variations we have). Loop in gecko (and cc Jan) on the above question.
(In reply to Kubilay Kocak from comment #8) `make validate` passes for the vuln.xml patch.
(In reply to Santhosh Raju from comment #3)
> files/patch-mozilla-release_media_mtransport_third__party_nICEr_src_stun_stun.h

Slightly different version landed upstream.
https://bugzilla.mozilla.org/show_bug.cgi?id=1575876

(In reply to Kubilay Kocak from comment #8)
> the package list for our firefox packages may need additions

www/firefox and www/cliqz are structured differently, so changes in one do not necessarily need to be copied to the other.

> Loop in gecko (and cc Jan) on the above question

What question?

(In reply to Jan Beich from comment #10)
>> files/patch-mozilla-release_media_mtransport_third__party_nICEr_src_stun_stun.h
>
> Slightly different version landed upstream.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1575876

Since this fix won't be ported back to 68.x.y this patch needs to remain in www/cliqz until cliqz updates their Firefox core to 69.

> (In reply to Kubilay Kocak from comment #8)
>> the package list for our firefox packages may need additions
>
> www/firefox and www/cliqz are structured differently, so changes in one do not
> necessarily need to be copied to the other.

I guess www/cliqz can share the <package> entry in vuln.xml with the same <topic> containing www/firefox since www/cliqz keeps track of upstream www/firefox. Let me know if this is alright.

(In reply to Jan Beich from comment #10) Whether other firefox* package names should be added to the vuxml patch attached here, and/or whether cliqz package name should be added to any existing vuxml entry that has already been created for firefox for this security issue (or whether it's ok or better that the vuxml entries be separate).
(In reply to Santhosh Raju from comment #11)
> Since this fix won't be ported back to 68.x.y ...

68.1.0 and 60.9.0 have the fix. 68.0.3 won't happen as 69.0 already has RC1 with release scheduled on 2019-09-03.

(In reply to Kubilay Kocak from comment #12)
Doesn't matter. Reviewing patches against security/vuxml is ports-secteam@ job. I'm strongly biased against that team for bloating VuXML with CVE copy-pasta and the crappy work they do with MFH approvals.

A commit references this bug:

Author: jbeich
Date: Wed Aug 28 14:29:41 UTC 2019
New revision: 510066
URL: https://svnweb.freebsd.org/changeset/ports/510066

Log:
  security/vuxml: mark cliqz < 1.28.2 as vulnerable

  PR: 239994
  Submitted by: Santhosh Raju

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: jbeich
Date: Wed Aug 28 14:30:02 UTC 2019
New revision: 510068
URL: https://svnweb.freebsd.org/changeset/ports/510068

Log:
  www/cliqz: update to 1.28.2

  Changes: https://github.com/cliqz-oss/browser-f/compare/1.28.1...1.28.2
  PR: 239994
  Submitted by: Santhosh Raju (maintainer)

Changes:
  head/www/cliqz/Makefile
  head/www/cliqz/distinfo
  head/www/cliqz/files/patch-mozilla-release_media_mtransport_third__party_nICEr_src_stun_stun.h

2019Q2 has 1.27.4. Do you still want MFH? If not close the bug.
(In reply to Jan Beich from comment #16) MFH would be nice, since the one contained in the quarterly branch does have security issues with it.
A commit references this bug:

Author: jbeich
Date: Tue Sep 3 02:56:41 UTC 2019
New revision: 510916
URL: https://svnweb.freebsd.org/changeset/ports/510916

Log:
  MFH: r507880 r507995 r508429 r510068

  www/cliqz: update to 1.28.2

  Changes: https://github.com/cliqz-oss/browser-f/compare/1.27.4...1.28.2
  Changes: https://cliqz.com/en/magazine/cliqz-browser-release-notes-1-28-0-68-0-11-38-1
  PR: 239994
  Submitted by: Santhosh Raju (maintainer)
  Approved by: ports-secteam blanket

Changes:
  _U branches/2019Q3/
  branches/2019Q3/www/cliqz/Makefile
  branches/2019Q3/www/cliqz/distinfo
  branches/2019Q3/www/cliqz/files/patch-bug1530098
  branches/2019Q3/www/cliqz/files/patch-mozilla-release_media_mtransport_third__party_nICEr_src_stun_stun.h