Bug 266345 - security/zeek: Fix plist issues and some improvements to port
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Craig Leres
Reported: 2022-09-10 21:14 UTC by Daniel Engberg
Modified: 2022-09-20 00:05 UTC

Attachments
Patch for zeek (15.17 KB, patch)
2022-09-10 21:14 UTC, Daniel Engberg

Description Daniel Engberg freebsd_committer freebsd_triage 2022-09-10 21:14:51 UTC
Created attachment 236485
Patch for zeek

* Swig is now a hard dependency according to upstream and various other repos
* Use c-ares from ports rather than bundled version as recommended by Porter's Handbook
* Define c++17 requirement
* Update CMake options, remove obsolete and make use of ports framework when possible
* Remove option for broker as it's always built
* Fix pkg-plist
* Remove a bunch of unneeded files and empty installed directories

Poudriere testport OK 12.3-RELEASE (amd64)
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2022-09-10 21:24:20 UTC
Forgot to add, this also strips a few files that Poudriere complained about not being stripped
Comment 2 Craig Leres freebsd_committer freebsd_triage 2022-09-13 00:06:36 UTC
A lot of good stuff here! I'm checking with my upstream contacts on a few things but here are my initial thoughts.

I'm not sure about using the ports version of c-ares. I had a lot of trouble with c-ares when I was updating the port for 5.0.0; I believe 1.7.6 was bundled but the FreeBSD port was 1.7.1 and it broke the build. Ultimately some upstream changes were needed to allow building with the bundled version when an older version was installed in /usr/local. I guess we could use the bundled version if it is different from the port version but I'm not sure it's worth the extra trouble?

INSTALL specifies flex 2.6 or higher and bison 3.3 or higher, these should be in the Makefile too.

Removing the BROKER option sounds right; along the same lines it occurs to me that we need to either always enable zeekctl (and remove the option) or else not install the rc.d script when ZEEKCTL is off. A colleague at work claims 99.5% of zeek users use zeekctl.
Comment 3 Craig Leres freebsd_committer freebsd_triage 2022-09-14 00:47:14 UTC
I received feedback from upstream.

Using c-ares from ports is probably ok. They bundled it because "we couldn’t guarantee it would be available as a package on all platforms." I'm thinking we should require a minimum version that's the same as the bundled version.

The BROKER option is likely a no-op left over from an earlier version of the port; I think what currently happens is the equivalent of:

    append_cache_entry BROKER BOOL false

when the BROKER option is disabled.

The extra .h files and empty directories appear to all be related to spicy,
"these are test files that shouldn’t have been installed." I was asked to open a github issue to address this which I've done.
Comment 4 Daniel Engberg freebsd_committer freebsd_triage 2022-09-14 21:09:46 UTC
I don't think it makes much sense to add version dependencies for ancient versions. We imported flex 2.6.0 in 2015 and bison 3.3.2 in early 2019 but if you insist I'm not going to stop you.

Thanks for looking into issues with upstream!
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-09-15 00:54:23 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=095788766cc2d89548e39d49051999613680b72d

commit 095788766cc2d89548e39d49051999613680b72d
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2022-09-15 00:53:25 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2022-09-15 00:53:25 +0000

    security/zeek: Port improvements

     - Remove useless BROKER option.

     - Remove USES=ninja (now implied by USES=cmake).

     - Make bison, flex, and swig hard dependencies.

     - Strip several installed binaries.

     - Remove some test files and directories mistakenly installed by
       spicy.

     - While we're here, run portfmt.

    Thanks to @diizzy for the bulk of these changes.

    PR:             266345
    Reported by:    diizzy

 security/zeek/Makefile  | 108 ++++++++++++++------------
 security/zeek/pkg-plist | 198 +++++++++++++++++++++++-------------------------
 2 files changed, 151 insertions(+), 155 deletions(-)
Comment 6 Craig Leres freebsd_committer freebsd_triage 2022-09-15 00:55:11 UTC
Thanks for the updates!
Comment 7 Piotr Kubaj freebsd_committer freebsd_triage 2022-09-19 13:23:46 UTC
This fails to build without SPICY enabled, e.g. on powerpc64le:

    rmdir: /wrkdirs/usr/ports/security/zeek/work/stage/usr/local/include/zeek/builtin-plugins/spicy-plugin/bin: No such file or directory

The problem is the new commands added to the post-install step. They should be conditional on having SPICY enabled.
Comment 8 commit-hook freebsd_committer freebsd_triage 2022-09-20 00:03:40 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2f3600ba29635cc0d536f58f6feea755cc4c7c94

commit 2f3600ba29635cc0d536f58f6feea755cc4c7c94
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2022-09-20 00:02:32 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2022-09-20 00:02:32 +0000

    security/zeek: Update to 5.0.2

        https://github.com/zeek/zeek/releases/tag/v5.0.2

    Security fixes:

     - Fix a possible overflow and crash in the ICMP analyzer when
       receiving a specially crafted packet

     - Fix a possible overflow and crash in the IRC analyzer when
       receiving a specially crafted packet

     - Fix a possible overflow and crash in the SMB analyzer when
       receiving a specially crafted packet

     - Fix two possible crashes when converting IP headers for output
       via the raw_packet event

    Other changes:

     - Fix a bug that prevented Broker nodes to recover from OpenSSL errors.

     - Fix handling of buffer sizes that caused Broker to stall despite
       having sufficient capacity.

     - Fix an issue with signal handling that could prevent Zeek from
       exiting via ctrl-c when reading scripts from stdin.

    Also fix new PR 266345 issue reported by @pkubaj ("fails to build
    without SPICY enabled").

    PR:             266345
    Reported by:    Tim Wojtulewicz, pkubaj

 security/zeek/Makefile | 8 +++++---
 security/zeek/distinfo | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)
Comment 9 Craig Leres freebsd_committer freebsd_triage 2022-09-20 00:05:25 UTC
I included a fix for building without SPICY with the security update I did; thanks for the report!
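
The failure reported in Comment 7 and the kind of guard it asks for, as an added illustration that is not the port's actual Makefile or the committed fix. Only the rmdir path comes from the error message above; the rest is an assumed minimal layout using the ports framework's per-option target helper.

```make
# Added illustration; not the contents of security/zeek/Makefile.
# The staged path below is taken from the rmdir error in Comment 7.

OPTIONS_DEFINE=	SPICY

# Before: an unconditional post-install step. With SPICY off the
# spicy-plugin directory is never staged, rmdir exits non-zero and the
# stage phase fails with "No such file or directory".
#post-install:
#	${RMDIR} ${STAGEDIR}${PREFIX}/include/zeek/builtin-plugins/spicy-plugin/bin

# After: the ports framework runs post-install-SPICY-on only when the
# SPICY option is enabled, so the cleanup is skipped on platforms or
# configurations that build without it.
post-install-SPICY-on:
	${RMDIR} ${STAGEDIR}${PREFIX}/include/zeek/builtin-plugins/spicy-plugin/bin
```

Building the port in Poudriere once with SPICY on and once with it off exercises both paths and would have caught the original failure.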