| Summary: | www/gitea: Update to 1.11.0 (fixes security vulnerabilities) |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Stefan Bethke <stb> |
| Component: | Individual Port(s) |
| Assignee: | Adam Weinberger <adamw> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| CC: | adamw, mail |
| Priority: | --- |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
Description
Stefan Bethke
2020-02-10 15:17:42 UTC
Patch forthcoming, but there is an issue with the simple upgrade to the new version that I need to investigate first. At least the web interface appears to be broken...

With 1.11, Gitea changed the build from one that is more or less pure Go to a gmake-based build that includes building JS and CSS using an NPM-based toolset. It might take me a moment to rework the port to support that.

I managed to convert the build from Go to gmake, but the npm install issue blocks progress. I've opened an issue upstream: https://github.com/go-gitea/gitea/issues/10253

Version 1.11.1 has been released, with the source tarball containing the node modules and also a pre-built version of the CSS and JS files. I'll try and get a patch up for that in the next couple of days. Since it's a bit easier and less disruptive, I might open a separate PR for the update to 1.10.4, which also was just released. I don't think the two release lines merit separate ports, as Gitea is pretty quick to abandon the previous release line. I would not expect them to release another 1.10 release.

I agree that there's no need for a gitea110 port. At the end of the day, it may come down to needing to produce a tarball of the node deps ourselves. I don't know of any other way around it, if gitea goes back to not bundling pre-built stuff.

How's the 1.11.1 patch coming along?

Oh, upstream has already added the deps to their source tarball. I just haven't had a chance to finish adjusting the port yet. I hope I can do that in the next couple of days.

Created attachment 212219 [details]
Patch to update gitea port to 1.11.2
Created attachment 212220 [details]
vuxml entry for fixed vulns
Updated info:

Update port to Gitea 1.11.2

This release fixes fourteen security issues and numerous bugs, and adds many features.

Release notes:

* https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/
* https://blog.gitea.io/2020/02/gitea-1.11.1-is-released/
* https://blog.gitea.io/2020/02/gitea-1.11.2-is-released/

(In reply to stb from comment #9)

The `DEPENDS= git-lfs:devel/git-lfs` line won't do anything... there's no such variable. Do you intend for that to be a hard dependency or optional?

Instead of the BINDATA PLIST_SUB block, just set `OPTIONS_SUB= yes`.

You generally shouldn't be passing `-j1` in manually. Does `MAKE_JOBS_UNSAFE= yes` do what you want instead?

Instead of `if ! ${PORT_OPTIONS:MBINDATA}`, the proper construct is `if empty(PORT_OPTIONS:MBINDATA)`. But the most proper approach there is to put it in a `post-install-BINDATA-on:` target.

Thanks for the pointers, I'll work them in asap.
With respect to
> Instead of the BINDATA PLIST_SUB block, just set `OPTIONS_SUB= yes`.
The logic of the option is reversed: by activating BINDATA, the plist gets shortened, as the files are being built into the executable. Is there a way to express that, or should the meaning of the option be reversed to NOBINDATA to make the Makefile more readable?
(In reply to stb from comment #11)

Ah, you're totally right! I'd missed that. You're correct, there's no other way to express that.

Then I'll stick to the current logic, since I find negative options really confusing.

Created attachment 212223 [details]
v2 of patch to update Gitea to 1.11.2
The BINDATA stuff in do-install has been reversed. Now, those three dirs will get installed if BINDATA is *ON*. I think you want them only installed when it's off, correct? I'll fix it up in the commit.

(In reply to Adam Weinberger from comment #15)

Yes, you are correct, thanks for spotting it!

A commit references this bug:

Author: adamw
Date: Sat Mar 7 18:30:05 UTC 2020
New revision: 527958
URL: https://svnweb.freebsd.org/changeset/ports/527958

Log:
  gitea: Update to 1.11.2, contains security fixes

  https://blog.gitea.io/2020/02/gitea-1.11.0-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.1-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.2-is-released

  PR:           244025
  Submitted by: maintainer
  MFH:          2020Q1
  Security:     yes (see links above)

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
  head/www/gitea/files/patch-vendor_golang.org_x_sys_unix_ztypes__freebsd__arm64.go
  head/www/gitea/pkg-plist

A commit references this bug:

Author: adamw
Date: Sat Mar 7 18:31:08 UTC 2020
New revision: 527959
URL: https://svnweb.freebsd.org/changeset/ports/527959

Log:
  Add entry for www/gitea

  PR:           244025
  Submitted by: maintainer

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: adamw
Date: Sat Mar 7 18:42:57 UTC 2020
New revision: 527962
URL: https://svnweb.freebsd.org/changeset/ports/527962

Log:
  MFH: r526626 r527958

  www/gitea: Update to 1.10.4

  Changes: https://github.com/go-gitea/gitea/releases/tag/v1.10.4

  PR:           244246
  Submitted by: stb@lassitu.de (maintainer)

  gitea: Update to 1.11.2, contains security fixes

  https://blog.gitea.io/2020/02/gitea-1.11.0-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.1-is-released
  https://blog.gitea.io/2020/02/gitea-1.11.2-is-released

  PR:           244025
  Submitted by: maintainer
  Security:     yes (see links above)

  Approved by:  portmgr (with hat)

Changes:
  _U  branches/2020Q1/
  branches/2020Q1/www/gitea/Makefile
  branches/2020Q1/www/gitea/distinfo
  branches/2020Q1/www/gitea/files/patch-vendor_golang.org_x_sys_unix_ztypes__freebsd__arm64.go
  branches/2020Q1/www/gitea/pkg-plist

Ok, everything's committed and it's been merged to quarterly (for the security fixes). Thanks for all your work on this!
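The ports-framework conventions raised in the review above (`OPTIONS_SUB`, `MAKE_JOBS_UNSAFE`, a per-option `post-install-<OPT>-*` target) and the reversed BINDATA plist logic discussed in the thread, pulled together as an added FreeBSD ports Makefile fragment. This is illustrative code written for this page, not the maintainer's attached patch or the committed www/gitea port; the option description, the `TAGS=bindata` build tag, the `DATADIR` layout and the three directory names are assumptions.

```make
# Added example, not the Makefile or patch attached to this PR: a FreeBSD
# ports Makefile fragment showing the options-helper idiom from the review
# applied to a BINDATA option whose plist gets *shorter* when it is on.
# The option description, build tag and directory names are assumptions.

OPTIONS_DEFINE=		BINDATA
OPTIONS_DEFAULT=	BINDATA
BINDATA_DESC=		Compile templates, options and public assets into the binary

# With OPTIONS_SUB the framework defines both %%BINDATA%% and %%NO_BINDATA%%
# in PLIST_SUB (the NO_ form expands to "@comment " when the option is on),
# so pkg-plist can list the on-disk copies without a hand-written PLIST_SUB
# block, e.g.:
#   %%NO_BINDATA%%%%DATADIR%%/templates/home.tmpl
OPTIONS_SUB=		yes

# Pass the upstream build tag only when the option is on.
BINDATA_MAKE_ENV=	TAGS=bindata

# Preferred over passing -j1 by hand: the framework serializes the build.
MAKE_JOBS_UNSAFE=	yes

# The assets only need to live on disk when BINDATA is OFF, so the install
# step belongs in the -off helper instead of an
# `if ! ${PORT_OPTIONS:MBINDATA}` block around do-install.
post-install-BINDATA-off:
	@${MKDIR} ${STAGEDIR}${DATADIR}
.for d in templates options public
	(cd ${WRKSRC} && ${COPYTREE_SHARE} ${d} ${STAGEDIR}${DATADIR})
.endfor
```

The `.for` loop is expanded at parse time, so it yields one `COPYTREE_SHARE` recipe line per directory inside the single target; `post-install-BINDATA-on:` would be the place for anything needed only when the assets are compiled in, which here is nothing.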