Bug 244025

Summary: www/gitea: Update to 1.11.0 (fixes security vulnerabilities)
Product: Ports & Packages
Reporter: stb
Component: Individual Port(s)
Assignee: Adam Weinberger <adamw>
Status: Closed FIXED
Severity: Affects Only Me
CC: adamw, mail
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Attachments (Description / Flags):
- Patch to update gitea port to 1.11.2 (none)
- vuxml entry for fixed vulns (none)
- v2 of patch to update Gitea to 1.11.2 (none)

Description stb 2020-02-10 15:17:42 UTC
Update port to Gitea 1.9.5.

This release fixes six security issues, a large number of bugs, and adds a large number of features.

Release notes: https://github.com/go-gitea/gitea/releases/tag/v1.11.0
Comment 1 stb 2020-02-10 15:37:51 UTC
Patch forthcoming, but there is an issue with the simple upgrade to the new version that I need to investigate first. At least the web interface appears to be broken...
Comment 2 stb 2020-02-11 23:02:21 UTC
With 1.11, Gitea changed the build from one that is more or less pure Go to a gmake-based build that includes building JS and CSS using an NPM-based toolset. It might take me a moment to rework the port to support that.
Comment 3 stb 2020-02-12 17:43:47 UTC
I managed to convert the build from Go to gmake, but the npm install issue blocks progress. I've opened an issue upstream:
https://github.com/go-gitea/gitea/issues/10253
Comment 4 stb 2020-02-17 08:45:10 UTC
Version 1.11.1 has been released, with the source tarball containing the node modules and also a pre-built version of the CSS and JS files. I'll try and get a patch up for that in the next couple of days.

Since it's a bit easier and less disruptive, I might open a separate PR for the update to 1.10.4, which also was just released.

I don't think the two release lines merit separate ports, as Gitea is pretty quick to abandon the previous release line. I would not expect them to release another 1.10 release.
Comment 5 Adam Weinberger freebsd_committer 2020-02-27 13:16:12 UTC
I agree that there's no need for a gitea110 port.

At the end of the day, it may come down to needing to produce a tarball of the node deps ourselves. I don't know of any other way around it, if gitea goes back to not bundling pre-built stuff.

How's the 1.11.1 patch coming along?
Comment 6 stb 2020-02-27 13:29:52 UTC
Oh, upstream has already added the deps to their source tarball. I just haven't had a chance to finish adjusting the port yet. I hope I can do that in the next couple of days.
Comment 7 stb 2020-03-07 15:10:00 UTC
Created attachment 212219 [details]
Patch to update gitea port to 1.11.2
Comment 8 stb 2020-03-07 15:22:14 UTC
Created attachment 212220 [details]
vuxml entry for fixed vulns
Comment 9 stb 2020-03-07 15:24:37 UTC
Updated info:

Update port to Gitea 1.11.2

This release fixes fourteen security issues and numerous bugs, and adds many features.

Release notes:
* https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/
* https://blog.gitea.io/2020/02/gitea-1.11.1-is-released/
* https://blog.gitea.io/2020/02/gitea-1.11.2-is-released/
Comment 10 Adam Weinberger freebsd_committer 2020-03-07 17:15:10 UTC
(In reply to stb from comment #9)

The `DEPENDS= git-lfs:devel/git-lfs` line won't do anything... there's no such variable. Do you intend for that to be a hard dependency or optional?

Instead of the BINDATA PLIST_SUB block, just set `OPTIONS_SUB= yes`.

You generally shouldn't be passing `-j1` in manually. Does `MAKE_JOBS_UNSAFE= yes` do what you want instead?

Instead of `if ! ${PORT_OPTIONS:MBINDATA}`, the proper construct is `if empty(PORT_OPTIONS:MBINDATA)`. But the most proper approach there is to put it in a `post-install-BINDATA-on:` target.
Comment 11 stb 2020-03-07 17:40:16 UTC
Thanks for the pointers, I'll work them in asap.

With respect to
> Instead of the BINDATA PLIST_SUB block, just set `OPTIONS_SUB= yes`.

The logic of the option is reversed: by activating BINDATA, the plist gets shortened, as the files are being built into the executable. Is there a way to express that, or should the meaning of the option be reversed to NOBINDATA to make the Makefile more readable?
Comment 12 Adam Weinberger freebsd_committer 2020-03-07 17:42:04 UTC
(In reply to stb from comment #11)

Ah, you're totally right! I'd missed that. You're correct, there's no other way to express that.
Comment 13 stb 2020-03-07 17:48:19 UTC
Then I'll stick to the current logic, since I find negative options really confusing.
Comment 14 stb 2020-03-07 17:58:23 UTC
Created attachment 212223 [details]
v2 of patch to update Gitea to 1.11.2
Comment 15 Adam Weinberger freebsd_committer 2020-03-07 18:03:04 UTC
The BINDATA stuff in do-install has been reversed. Now, those three dirs will get installed if BINDATA is *ON*. I think you want them only installed when it's off, correct?

I'll fix it up in the commit.
Comment 16 stb 2020-03-07 18:04:22 UTC
(In reply to Adam Weinberger from comment #15)

Yes, you are correct, thanks for spotting it!
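The Makefile constructs debated in comments 10 through 16, pulled together as an added illustration that is not the committed port and not either participant's code: a BINDATA option whose *enabling* shortens the plist, an explicit PLIST_SUB block expressing that reversal, MAKE_JOBS_UNSAFE in place of a hand-written -j1, a real dependency variable instead of the non-existent DEPENDS, and an install step that runs only when the option is off. The USES line, the TAGS=bindata build argument, the asset directory names (templates, public, options) and git-lfs being a hard run-time dependency are assumptions made for the example, not facts established in the thread.

```make
# Excerpt of a hypothetical www/gitea-style port Makefile (illustration only,
# not the committed port). Tabs are required before recipe lines.

PORTNAME=	gitea
DISTVERSION=	1.11.2
CATEGORIES=	www

# Assumption: upstream's gmake build drives the Go toolchain itself, so the
# ports go.mk build/install targets are disabled and gmake is used instead.
USES=		gmake go:modules,no_targets

# The Go toolchain manages its own parallelism; don't pass -jN to gmake by hand.
MAKE_JOBS_UNSAFE=	yes

# "DEPENDS=" is not a ports variable. Assumption: git-lfs is a hard run-time
# dependency here (the thread leaves hard-vs-optional open).
RUN_DEPENDS=	git-lfs:devel/git-lfs

OPTIONS_DEFINE=		BINDATA
OPTIONS_DEFAULT=	BINDATA
BINDATA_DESC=		Embed templates, locales and static assets in the binary

.include <bsd.port.options.mk>

# Reversed relative to the usual OPTIONS_SUB pattern: with BINDATA *on* the
# assets are compiled into the executable and must NOT appear in the plist,
# so %%BINDATA%% becomes "@comment " when the option is enabled.
.if ${PORT_OPTIONS:MBINDATA}
PLIST_SUB+=	BINDATA="@comment "
MAKE_ARGS+=	TAGS=bindata		# assumption: upstream's build-tag knob
.else
PLIST_SUB+=	BINDATA=""
.endif

do-install:
	${INSTALL_PROGRAM} ${WRKSRC}/gitea ${STAGEDIR}${PREFIX}/bin/gitea

# Runs only when BINDATA is off: that is the only case in which the three
# asset directories have to exist on disk for the web interface to work.
post-install-BINDATA-off:
.for d in templates public options
	@${MKDIR} ${STAGEDIR}${DATADIR}/${d}
	@(cd ${WRKSRC}/${d} && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR}/${d})
.endfor

.include <bsd.port.mk>
```

The matching pkg-plist lines carry the substitution prefix, e.g. `%%BINDATA%%%%DATADIR%%/templates/base/head.tmpl`, so they are commented out exactly when the option that embeds them is on. Two points worth checking when reviewing such a patch: the `post-install-BINDATA-off` target name encodes the polarity, which makes the inversion that comment 15 caught harder to introduce than an `.if` block in do-install; and the ports framework's `OPTIONS_SUB= yes` also defines a reversed `NO_BINDATA` substitution (`%%NO_BINDATA%%` is "@comment " when the option is on), so the explicit PLIST_SUB block above can be replaced by `OPTIONS_SUB= yes` plus `%%NO_BINDATA%%` in the plist if a maintainer prefers not to hand-write the reversal.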
Comment 17 commit-hook freebsd_committer 2020-03-07 18:31:04 UTC
A commit references this bug:

Author: adamw
Date: Sat Mar  7 18:30:05 UTC 2020
New revision: 527958
URL: https://svnweb.freebsd.org/changeset/ports/527958

Log:
  gitea: Update to 1.11.2, contains security fixes

  https://blog.gitea.io/2020/02/gitea-1.11.0-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.1-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.2-is-released

  PR:		244025
  Submitted by:	maintainer
  MFH:		2020Q1
  Security:	yes (see links above)

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
  head/www/gitea/files/patch-vendor_golang.org_x_sys_unix_ztypes__freebsd__arm64.go
  head/www/gitea/pkg-plist
Comment 18 commit-hook freebsd_committer 2020-03-07 18:32:05 UTC
A commit references this bug:

Author: adamw
Date: Sat Mar  7 18:31:08 UTC 2020
New revision: 527959
URL: https://svnweb.freebsd.org/changeset/ports/527959

Log:
  Add entry for www/gitea

  PR:		244025
  Submitted by:	maintainer

Changes:
  head/security/vuxml/vuln.xml
Comment 19 commit-hook freebsd_committer 2020-03-07 18:43:08 UTC
A commit references this bug:

Author: adamw
Date: Sat Mar  7 18:42:57 UTC 2020
New revision: 527962
URL: https://svnweb.freebsd.org/changeset/ports/527962

Log:
  MFH: r526626 r527958

  www/gitea: Update to 1.10.4

  Changes:	https://github.com/go-gitea/gitea/releases/tag/v1.10.4
  PR:		244246
  Submitted by:	stb@lassitu.de (maintainer)

  gitea: Update to 1.11.2, contains security fixes

  https://blog.gitea.io/2020/02/gitea-1.11.0-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.1-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.2-is-released

  PR:		244025
  Submitted by:	maintainer
  Security:	yes (see links above)

  Approved by:	portmgr (with hat)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/www/gitea/Makefile
  branches/2020Q1/www/gitea/distinfo
  branches/2020Q1/www/gitea/files/patch-vendor_golang.org_x_sys_unix_ztypes__freebsd__arm64.go
  branches/2020Q1/www/gitea/pkg-plist
Comment 20 Adam Weinberger freebsd_committer 2020-03-07 18:46:42 UTC
Ok, everything's committed and it's been merged to quarterly (for the security fixes). Thanks for all your work on this!