261340 – net-p2p/sonarr: Disable built-in updater and take maintainership

Bug 261340 - net-p2p/sonarr: Disable built-in updater and take maintainership

Summary: net-p2p/sonarr: Disable built-in updater and take maintainership

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Guangyuan Yang

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-01-19 16:38 UTC by Michiel van Baak Jansen
Modified:	2022-01-29 10:07 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch (21.22 KB, patch) 2022-01-19 16:38 UTC, Michiel van Baak Jansen	no flags	Details \| Diff
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (21.19 KB, patch) 2022-01-25 12:41 UTC, Michiel van Baak Jansen	michiel: maintainer-approval+	Details \| Diff
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (14.51 KB, patch) 2022-01-25 15:32 UTC, Michiel van Baak Jansen	michiel: maintainer-approval+	Details \| Diff
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (14.51 KB, patch) 2022-01-25 16:28 UTC, Michiel van Baak Jansen	michiel: maintainer-approval+	Details \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michiel van Baak Jansen 2022-01-19 16:38:29 UTC

Created attachment 231166 [details]
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch

Use package_info file to disable the built-in updater for prowlarr.
Document it is disabled in pkg-message.

testport ok
runtest ok

Comment 1 Mark Felder freebsd_committer

2022-01-24 22:53:30 UTC

The ability to inject the message about using pkg upgrade to update the software is a really nice trick and we should do that.

However, I don't think chowning the binary so Sonarr can update itself should be included in the patch. Someone will find a way to exploit this software and replace itself with something malicious.

Comment 2 Michiel van Baak Jansen 2022-01-25 12:41:19 UTC

Created attachment 231309 [details]
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Dont chown binaries, take ownership.

Thanks for all the effort you put into the arrs feld@

Comment 3 Michiel van Baak Jansen 2022-01-25 15:32:09 UTC

Created attachment 231314 [details]
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Remove Sonarr.Update and use only version number for package_info (based on review from Taloth)

Comment 4 Michiel van Baak Jansen 2022-01-25 16:28:07 UTC

Created attachment 231317 [details]
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Add --debug to mono call. Fixes warning in logs and the sonarr devs state it should be added.

Comment 5 commit-hook freebsd_committer

2022-01-29 10:07:00 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e8162ac5393e1a1adb8e777e8314e13f1aab5d4a

commit e8162ac5393e1a1adb8e777e8314e13f1aab5d4a
Author:     Michiel van Baak Jansen <michiel@vanbaak.eu>
AuthorDate: 2022-01-29 10:06:24 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2022-01-29 10:06:24 +0000

    net-p2p/sonarr: Disable built-in updater and take maintainership

    PR:             261340

 net-p2p/sonarr/Makefile                    |  24 +++-
 net-p2p/sonarr/files/package_info.in (new) |   5 +
 net-p2p/sonarr/files/pkg-message.in (new)  |  26 ++++
 net-p2p/sonarr/files/sonarr.in             |   3 +-
 net-p2p/sonarr/pkg-plist (new)             | 217 +++++++++++++++++++++++++++++
 5 files changed, 268 insertions(+), 7 deletions(-)