| Summary: | [MAINTAINER-UPDATE]: www/magento: Update to 1.9.2.0 | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Melvyn Sopacua <m.r.sopacua> |
| Component: | Individual Port(s) | Assignee: | Jason Unovitch <junovitch> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | junovitch, miwi, pi, ports, rene, riggs |
| Priority: | --- | Keywords: | needs-qa, patch, security |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Melvyn Sopacua
2015-07-20 04:40:27 UTC
There are plist issues and portlint -ca reveals quite some points. Could you take a look?

Created attachment 161558
Revision of patch to address some QA
We really need to get this patch in. This is a security release and I notice none of the past security releases have been properly documented in VuXML.
I've addressed a handful of the QA items. Can you please fix these last few as soon as possible? I'll look into the VuXML documentation in the next few days.
WARN: Makefile: [101]: possible direct use of command "patch" found. use ${PATCH} instead.
WARN: Makefile: possible use of absolute pathname "/var/tmp".
FATAL: Makefile: either PORTVERSION or DISTVERSION must be specified, not both.
WARN: Makefile: Consider defining LICENSE.
WARN: Makefile: no port directory /usr/ports/databases/php${PHP_VER}-redis found, even though it is listed in RUN_DEPENDS.
(In reply to Jason Unovitch from comment #2)
There is already a new version 1.9.2.1 which includes the latest security patches. The patch should directly update to this version! If you need help with the upgrade, I could help you. But this week I'm short on time.

(In reply to Torsten Zühlsdorff from comment #3)
Thanks for pointing this out!

Melvyn,
Can you factor this in with the QA corrections noted above?

A commit references this bug:

Author: junovitch
Date: Wed Oct 14 23:59:02 UTC 2015
New revision: 399322
URL: https://svnweb.freebsd.org/changeset/ports/399322

Log:
  Document multiple vulnerabilities in the Magento platform

  While here, update an older entry to reflect Magento was vulnerable

  PR: 201709
  Security: https://vuxml.FreeBSD.org/freebsd/ea1d2530-72ce-11e5-a2a1-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/ec34d0c2-1799-11e2-b4ab-000c29033c32.html
  Security: CVE-2012-3363

Changes:
  head/security/vuxml/vuln.xml

Melvyn,
Any update on the QA issues noted above as well as version 1.9.2.1 noted by Torsten?

"Severe" QA issues are mostly false positives, not fixing them to please a broken tool.

Remains:

- PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the 1.9.2.1 release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.
- snappy: even when fixed, portlint will still complain: the current default PHP_VER is 5 and that one is in the tree. The 55/56 ones didn't need a single change last time, so I was wondering what to do about that.
- LICENSE, can do.

Version 1.9.2.1 needs a bit of work as an undefined number of custom templates may need to be altered. I'll provide a script for it and an entry to run it in pkg-message, but I'm not confident the latter is read, so I'm leaning to do this in UPDATING.

(In reply to melvyn from comment #7)
> "Severe" QA issues are mostly false positives,
> not fixing them to please a broken tool.

If you name them I will have a look at it.
I have also some work on portlint to do, because of false positives in another port.

Please notice that there was a new release. The new version 1.9.2.2 fixed 10 more security issues:
http://magento.com/security/patches/supee-6788

By the way: today Magento 2.0 was released. Should we update to this directly?

Hi,
Any progress here?

(In reply to melvyn from comment #7)
> "Severe" QA issues are mostly false positives, not fixing them to please a broken tool.

> PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the 1.9.2.1 release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.

It is broken as the PATCH_LEVEL release is treated as an older release. If we need to add patches and stay with the same major release then we can add and bump PORTREVISION.

    pkg version -t 1.9.2.0 1.9.2.0.P6285
    >

I notice the latest releases are on your mirror. Can we at least get a new patch with at least the PORTVERSION/DISTVERSION fixed that has the latest SUPEE patches?

    fetch: http://magemana.nl/ports/dist/magento-1.9.2.1.tar.bz2: Not Found
    fetch: http://magemana.nl/ports/dist/magento-1.9.2.2.tar.bz2: Not Found

(In reply to Jason Unovitch from comment #12)
Correction: I notice the latest releases are *NOT* on your mirror.

I suggest updating the optional REDIS dependency to databases/php56-redis, as databases/php5-redis is for PHP 5.4 which expired this month. I will leave the rest of the port untouched.

It looks like selecting the REDIS option does *not* pull in the redis port as a dependency?

The REDIS option is not effective, as seen here: [rene@acer] ~/freebsd/ports/head/www/magento% make showconfig ===> The following configuration options are available for magento-1.8.1.0: EXAMPLES=on: Build and/or install examples OAUTH=off: Depend on pecl-oauth for REST API REDIS=on: Depend on php56-redis for faster redis backend SESSIONS=off: Mark Cm/RedisSession module active ===> Use 'make config' to modify these settings [rene@acer] ~/freebsd/ports/head/www/magento% make run-depends-list /usr/home/rene/freebsd/ports/head/archivers/php56-zlib /usr/home/rene/freebsd/ports/head/converters/php56-iconv /usr/home/rene/freebsd/ports/head/databases/php56-mysql /usr/home/rene/freebsd/ports/head/databases/php56-pdo_mysql /usr/home/rene/freebsd/ports/head/devel/php56-json /usr/home/rene/freebsd/ports/head/ftp/php56-curl /usr/home/rene/freebsd/ports/head/graphics/php56-gd /usr/home/rene/freebsd/ports/head/lang/php56 /usr/home/rene/freebsd/ports/head/net/php56-soap /usr/home/rene/freebsd/ports/head/security/php56-hash /usr/home/rene/freebsd/ports/head/security/php56-mcrypt /usr/home/rene/freebsd/ports/head/textproc/php56-ctype /usr/home/rene/freebsd/ports/head/textproc/php56-dom /usr/home/rene/freebsd/ports/head/textproc/php56-simplexml [rene@acer] ~/freebsd/ports/head/www/magento% [rene@acer] ~/freebsd/ports/head/www/magento% svn diff Index: Makefile =================================================================== --- Makefile (revision 407342) +++ Makefile (working copy) @@ -18,7 +18,7 @@ OPTIONS_DEFINE= OAUTH SESSIONS REDIS EXAMPLES OAUTH_DESC= Depend on pecl-oauth for REST API SESSIONS_DESC= Mark Cm/RedisSession module active -REDIS_DESC= Depend on php5-redis for faster redis backend +REDIS_DESC= Depend on php56-redis for faster redis backend #SNAPPY_DESC= Use google snappy for Redis Cache compression NO_BUILD= yes 
@@ -29,7 +29,7 @@ RUN_DEPENDS+= pecl-oauth>=1.2.3:${PORTSDIR}/net/pecl-oauth .endif .if !empty(${PORT_OPTIONS:MREDIS}) -RUN_DEPENDS+= php5-redis>=2.2.0:${PORTSDIR}/databases/php5-redis +RUN_DEPENDS+= php56-redis>=2.2.0:${PORTSDIR}/databases/php56-redis .endif # First need to submit the port #.if ${PORT_OPTIONS:MSNAPPY} [rene@acer] ~/freebsd/ports/head/www/magento% A commit references this bug: Author: rene Date: Sat Jan 30 16:32:16 UTC 2016 New revision: 407533 URL: https://svnweb.freebsd.org/changeset/ports/407533 Log: www/magento: use databases/php56-redis instead of expired databases/php5-redis for REDIS Both ports are at the same version of redis, and the option is off by default. PR: 201709 (comment #14 to #16) Approved by: portmgr (miwi) Changes: head/www/magento/Makefile No longer work with Magento. Maintainership already removed. |
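
Review bot: In the second hunk (`@@ -29,7 +29,7 @@`) the guard `.if !empty(${PORT_OPTIONS:MREDIS})` is left as unchanged context, so the renamed dependency is still never added: the `make run-depends-list` output taken with REDIS=on lists no redis port at all. `empty()` takes a variable name rather than an expansion, so the guard should read `.if ${PORT_OPTIONS:MREDIS}` (the form the commented-out SNAPPY block below it already uses) or `.if !empty(PORT_OPTIONS:MREDIS)`. After changing it, re-run `make run-depends-list` with the option on and confirm that databases/php56-redis appears.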