Created attachment 236485: Patch for zeek

* Swig is now a hard dependency according to upstream and various other repos
* Use c-ares from ports rather than the bundled version, as recommended by the Porter's Handbook
* Define C++17 requirement
* Update CMake options: remove obsolete ones and make use of the ports framework where possible
* Remove option for broker as it's always built
* Fix pkg-plist
* Remove a bunch of unneeded files and empty installed directories

Poudriere testport OK 12.3-RELEASE (amd64)
Forgot to add, this also strips a few files that Poudriere complained about not being stripped
A lot of good stuff here! I'm checking with my upstream contacts on a few things, but here are my initial thoughts.

I'm not sure about using the ports version of c-ares. I had a lot of trouble with c-ares when I was updating the port for 5.0.0; I believe 1.7.6 was bundled but the FreeBSD port was 1.7.1 and it broke the build. Ultimately some upstream changes were needed to allow building with the bundled version when an older version was installed in /usr/local. I guess we could use the bundled version if it is different from the port version, but I'm not sure it's worth the extra trouble?

INSTALL specifies flex 2.6 or higher and bison 3.3 or higher; these should be in the Makefile too.

Removing the BROKER option sounds right. Along the same lines, it occurs to me that we need to either always enable zeekctl (and remove the option) or else not install the rc.d script when ZEEKCTL is off. A colleague at work claims 99.5% of zeek users use zeekctl.
I received feedback from upstream. Using c-ares from ports is probably ok. They bundled it because "we couldn't guarantee it would be available as a package on all platforms." I'm thinking we should require a minimum version that's the same as the bundled version.

The BROKER option is likely a no-op left over from an earlier version of the port. I think what currently happens is the equivalent of:

append_cache_entry BROKER BOOL false

when the BROKER option is disabled.

The extra .h files and empty directories appear to all be related to spicy: "these are test files that shouldn't have been installed." I was asked to open a github issue to address this, which I've done.
I don't think it makes much sense to add version dependencies for ancient versions. We imported flex 2.6.0 in 2015 and bison 3.3.2 in early 2019, but if you insist I'm not going to stop you. Thanks for looking into issues with upstream!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=095788766cc2d89548e39d49051999613680b72d

commit 095788766cc2d89548e39d49051999613680b72d
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2022-09-15 00:53:25 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2022-09-15 00:53:25 +0000

    security/zeek: Port improvements

    - Remove useless BROKER option.
    - Remove USES=ninja (now implied by USES=cmake).
    - Make bison, flex, and swig hard dependencies.
    - Strip several installed binaries.
    - Remove some test files and directories mistakenly installed by spicy.
    - While we're here, run portfmt.

    Thanks to @diizzy for the bulk of these changes.

    PR:          266345
    Reported by: diizzy

 security/zeek/Makefile  | 108 ++++++++++++++------------
 security/zeek/pkg-plist | 198 +++++++++++++++++++++++-------------------------
 2 files changed, 151 insertions(+), 155 deletions(-)
Thanks for the updates!
This fails to build without SPICY enabled, e.g. on powerpc64le:

rmdir: /wrkdirs/usr/ports/security/zeek/work/stage/usr/local/include/zeek/builtin-plugins/spicy-plugin/bin: No such file or directory

The problem is the new commands added to the post-install step. They should be conditional on having SPICY enabled.
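For readers unfamiliar with how the ports framework expresses this, the following Makefile fragment is an added illustration, not the committed security/zeek Makefile. It uses the framework's per-option targets (post-install-OPTION-on runs only when that option is enabled) so the cleanup of the spicy-plugin directory from the error above is skipped entirely on builds with SPICY off, instead of failing because the directory was never staged. The option definition lines are assumed for the illustration; the directory path is the one from the build failure.

```make
# Added example (not the port's own Makefile). Assumes a SPICY option exists
# for the port; the exact CMake switch behind it is not shown in this thread,
# so it is left out rather than guessed.
OPTIONS_DEFINE=		SPICY
OPTIONS_DEFAULT=	SPICY
SPICY_DESC=		Build the Spicy plugin

# Broken form: runs on every build, and rmdir fails when SPICY is off because
# the spicy-plugin tree was never installed into ${STAGEDIR}.
#
# post-install:
#	${RMDIR} ${STAGEDIR}${PREFIX}/include/zeek/builtin-plugins/spicy-plugin/bin

# Fixed form: the framework only runs post-install-SPICY-on when the SPICY
# option is enabled, so the directory is guaranteed to exist (and a genuine
# packaging regression would still fail loudly rather than being silenced).
post-install-SPICY-on:
	${RMDIR} ${STAGEDIR}${PREFIX}/include/zeek/builtin-plugins/spicy-plugin/bin
```

The same pattern (post-install-OPTION-off, or the OPTION_VARS / OPTION_PLIST_FILES knobs) is the idiomatic way to keep option-dependent plist entries and staging cleanups in sync, which is why poudriere testport with the non-default option set is worth running before a commit like this.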
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2f3600ba29635cc0d536f58f6feea755cc4c7c94

commit 2f3600ba29635cc0d536f58f6feea755cc4c7c94
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2022-09-20 00:02:32 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2022-09-20 00:02:32 +0000

    security/zeek: Update to 5.0.2

    https://github.com/zeek/zeek/releases/tag/v5.0.2

    Security fixes:

    - Fix a possible overflow and crash in the ICMP analyzer when
      receiving a specially crafted packet
    - Fix a possible overflow and crash in the IRC analyzer when
      receiving a specially crafted packet
    - Fix a possible overflow and crash in the SMB analyzer when
      receiving a specially crafted packet
    - Fix two possible crashes when converting IP headers for output via
      the raw_packet event

    Other changes:

    - Fix a bug that prevented Broker nodes from recovering from OpenSSL errors.
    - Fix handling of buffer sizes that caused Broker to stall despite
      having sufficient capacity.
    - Fix an issue with signal handling that could prevent Zeek from
      exiting via ctrl-c when reading scripts from stdin.

    Also fix new PR 266345 issue reported by @pkubaj ("fails to build
    without SPICY enabled").

    PR:          266345
    Reported by: Tim Wojtulewicz, pkubaj

 security/zeek/Makefile | 8 +++++---
 security/zeek/distinfo | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)
I included a fix for building without SPICY with the security update I did; thanks for the report!