|Summary:||devel/libhtp: Update to 0.5.25|
|Product:||Ports & Packages||Reporter:||Franco Fichtner <franco>|
|Component:||Individual Port(s)||Assignee:||Kubilay Kocak <koobs>|
|Severity:||Affects Only Me||Flags:||koobs:
Description Franco Fichtner 2017-07-16 10:33:08 UTC
Created attachment 184386 [details] patch against head Hi, Suricata 3.2.3 requires this update. Since the two are intermingled, I would also like to ask the issue of reassigning maintainership to make upgrades atomic and/or avoid potential timeouts. In this update, the library version was bumped to 2, I also reordered pkg-plist alphabetically. Cheers, Franco
Comment 1 Franco Fichtner 2017-07-16 10:33:34 UTC
Created attachment 184387 [details] poudriere build log
Comment 2 Franco Fichtner 2017-07-16 10:37:07 UTC
The matching suricata update is here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220758 Thanks, Franco
Comment 3 Franco Fichtner 2017-07-16 10:56:52 UTC
Created attachment 184390 [details] updated patch Updated patch drops obsoleted PLIST_SUB and CONFLICTS_INSTALL, tab alignment for INSTALL_TARGET and TEST_TARGET
Comment 4 Kubilay Kocak 2017-07-16 11:06:40 UTC
(In reply to Franco Fichtner from comment #0) I think I recall reading in previous releases that suri has a libhtp dependency type of 'greater than or equal to X'. If this is still the case, then ensuring that libhtp is at that minimum version prior to committing an update of suricata is all that's needed, precluding combining two ports updates in a single commit. The changelog also looks like fixes only: - underscore in htp_validate_hostname [#149] - fix SONAME issue [#151] - remove unrelated docbook code from tree [#153] That aside, since the library name and (major) version has been changed, the diff should include a PORTREVISION bump of dependent ports (in this case, only security/suricata), and any LIB_DEPENDS name changes that are needed. Can you confirm whether or not QA of the suricata update in bug 220758 includes this change or not? If not, I'd suggest QA again with the change to ensure the library name/version changes are picked up OK by the suricata port.
Comment 5 Franco Fichtner 2017-07-16 11:23:56 UTC
Suricata 3.2.3 includes this libhtp bump. I mostly worry about security implications from not upgrading libhtp along with suricata, as any bug will cause issues in the Suricata binary. Whether or not an update has security implications is harder to assess, but shouldn't keep us from updating. In OPNsense, we've moved away from separating libhtp from suricata, as it's harder to test upgrades from the user end plus the upgrade is more precise. Maybe we should start bundling libhtp in a way that does not clash with the libhtp port? I mean this is the standard Suricata way so it cannot be that wrong?
Comment 6 Kubilay Kocak 2017-07-16 11:42:55 UTC
(In reply to Franco Fichtner from comment #5) The same worry/reason is why downstream OS's unbundle library dependencies in their packages. Otherwise, one would have to wait for N dependent statically-compiled consumers of that library to provide updates in order to resolve the security issue for your users. See Also: https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#bundled-libs We don't need to go into upstream vs downstream perspectives and how their value propositions and operational characteristics differ here.
Comment 7 Kubilay Kocak 2017-07-16 11:44:07 UTC
@Franco, as per comment 4 (and so I dont forget), could you please update the patch to include a security/suricata: PORTREVISION bump
Comment 8 Franco Fichtner 2017-07-16 11:45:14 UTC
Ok, currently waiting for verify of suricata 3.2.3 build + libhtp 0.5.24 just to be sure.
Comment 9 Kubilay Kocak 2017-07-16 11:46:16 UTC
(In reply to Franco Fichtner from comment #8) Danke!
Comment 10 Franco Fichtner 2017-07-16 12:15:38 UTC
Created attachment 184392 [details] revised patch with revision bump for suricata So the SONAME change / version bump was purely to unbreak SONAME from changing its name, but building against < 0.5.25 from Suricata 3.2.3 is fine.
Comment 11 commit-hook 2017-07-17 05:52:29 UTC
A commit references this bug: Author: koobs Date: Mon Jul 17 05:52:20 UTC 2017 New revision: 446052 URL: https://svnweb.freebsd.org/changeset/ports/446052 Log: devel/libhtp: Update to 0.5.25 * Remove CONFLICTS_INSTALL (libhtp-suricata port deleted) * Remove unecessary PLIST_SUB * Update and sort pkg-plist * Bump security/suricata PORTREVISION, library name/version change Changelog: https://github.com/OISF/libhtp/blob/0.5.25/ChangeLog PR: 220757 Submitted by: Franco Fichtner (franco opnsense org) Changes: head/devel/libhtp/Makefile head/devel/libhtp/distinfo head/devel/libhtp/pkg-plist
Comment 12 Kubilay Kocak 2017-07-17 05:55:17 UTC
Committed, thank you Franco
Comment 13 Franco Fichtner 2017-07-17 05:56:29 UTC
Hmm, revision does not include suricata revision bump despite the message? https://svnweb.freebsd.org/ports?view=revision&revision=446052
Comment 14 commit-hook 2017-07-17 05:58:36 UTC
A commit references this bug: Author: koobs Date: Mon Jul 17 05:58:05 UTC 2017 New revision: 446053 URL: https://svnweb.freebsd.org/changeset/ports/446053 Log: security/suricata: Bump PORTREVISION Actually bump PORTREVISION mentioned but not committed in ports r446052 PR: 220757 Changes: head/security/suricata/Makefile
Comment 15 Kubilay Kocak 2017-07-17 05:58:56 UTC
Comment 16 Franco Fichtner 2017-07-17 06:04:56 UTC