Summary: lang/python37: UPDATING entries without category/portname form result in missing entries in freshports (Example python, not lang/python)
Product: Ports & Packages
Reporter: Scott Aitken <freebsd-bugzilla>
Component: Ports Framework
Assignee: Port Management Team <portmgr>
Severity: Affects Many People
CC: dvl, linimon, ports-bugs
Description Scott Aitken 2020-06-15 23:03:39 UTC
Freshports is missing the entry dated 20191216 in UPDATING. This is because the line:

  AFFECTS: users of python

is missing the lang directory. Please take a look at: https://github.com/FreshPorts/freshports/issues/155

As mentioned in the GitHub issue, there are multiple entries in UPDATING like this.
Comment 1 Mark Linimon 2020-06-15 23:08:50 UTC
I'll take a look.
Comment 2 Mark Linimon 2020-06-15 23:14:39 UTC
Well. This usage is certainly common in UPDATING:

  portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | grep -v '/' | wc -l
  50

Of course, this is out of:

  portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | wc -l
  931

I think this needs to be something that portmgr sets a policy on. (If it were one or two entries, I would just correct them myself.)
Comment 3 Kubilay Kocak 2020-06-16 04:11:14 UTC
I don't know how freshports parses vuxml, but perhaps it should be matching on <packagename> entries, rather than the summary. These package name entries are the canonical/authoritative and fully-structured way of being able to determine which set of packages are affected by a vulnerability.

Note: This of course doesn't solve for answering the question 'what *ports* (port origins, not packages) are affected'.

This has come up in the past in a related form when I submitted a vulnerability entry for www/py-requests, and used the following form:

  <package>
    <name>py*-requests</name>
    <range><lt>2.20.0</lt></range>
  </package>

https://svnweb.freebsd.org/changeset/ports/490936

I did this because EVERY possible package, for *any* Python version, past or future, not just the versions currently in the tree, would be vulnerable.

`make validate` passed with this entry, but a different build process failed. See the thread in svn-ports-all: https://lists.freebsd.org/pipermail/svn-ports-all/2019-January/205691.html

Note also that pkg audit also worked with the glob pattern (see thread above).
Comment 4 Dan Langille 2020-06-16 12:19:23 UTC
I believe the PR topic should say UPDATING not vuXML
Comment 5 Dan Langille 2020-06-16 12:32:22 UTC
(In reply to Mark Linimon from comment #2)

I find the existing usage interesting. I will talk about the globs later.

  $ grep 'users of python' UPDATING
  AFFECTS: users of python and net/samba410, devel/talloc, devel/tevent, databases/tdb, databases/ldb*
  AFFECTS: users of python
  AFFECTS: users of python
  AFFECTS: users of python setuptools

  $ grep 'users of lang/python' UPDATING
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python* and ports
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python* and py-*
  AFFECTS: users of lang/python* and py-*

From https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/moved-and-updating-files.html

###
If upgrading the port requires special steps like changing configuration files or running a specific program, it must be documented in this file. The format of an entry in this file is:

YYYYMMDD:
  AFFECTS: users of portcategory/portname
  AUTHOR: Your name <Your email address>

  Special instructions
###

There is no mention of glob usage; however, FreshPorts does detect and use it. For example:

###
20131003:
  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org
###

does show up at https://www.freshports.org/lang/python37

It also affects all lang/python* ports such as https://www.freshports.org/lang/python-doc-html/ - this may be an unattended side-effect.

This is also useful on FreshPorts:

  Affects: */py*

I think if the entry were changed from python to one of these, it would comply and match existing UPDATING entries.

  * lang/python*
  * lang/python36 lang/python37 lang/python38

I think the latter is more appropriate if it does indeed only affect the indicated ports.
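The following is an added illustration of the parsing problem discussed in this PR; it is not FreshPorts' own parser and makes no claim about how FreshPorts matches entries. It reads an UPDATING excerpt in the handbook's entry format, splits each AFFECTS line into tokens, flags tokens that are not in category/portname form (the bare "python" case that produced the missing 20191216 entry), and resolves well-formed tokens against a list of port origins using shell-style globs so that the lang/python* and */py* forms seen in the existing file work. The UPDATING entries, dates, author address and port origins in the block are constructed samples, not lines from the real tree.

```python
import fnmatch
import re

# Constructed UPDATING excerpt in the handbook's entry format. The dates,
# author and instructions are sample values, not lines from the real file.
SAMPLE_UPDATING = """\
20200101:
  AFFECTS: users of lang/python* and py-*
  AUTHOR: someone@example.org

  Sample instructions.

20191216:
  AFFECTS: users of python
  AUTHOR: someone@example.org

  Sample instructions.

20180101:
  AFFECTS: users of lang/python36 lang/python37 lang/python38
  AUTHOR: someone@example.org

  Sample instructions.
"""

# Constructed list of port origins standing in for the ports tree.
SAMPLE_TREE = [
    "lang/python36", "lang/python37", "lang/python38", "lang/python-doc-html",
    "devel/py-setuptools", "www/py-requests", "net/samba410",
]

ENTRY_RE = re.compile(r"^(\d{8}):\s*$")
AFFECTS_RE = re.compile(r"^\s*AFFECTS:\s*users of\s+(.*?)\s*$")
# category/portname as the handbook requires; '*' is allowed on either side so
# the glob forms already present in UPDATING (lang/python*, */py*) pass.
ORIGIN_RE = re.compile(r"^[\w.*+-]+/[\w.*+-]+$")


def tokenize_affects(text):
    """Split an AFFECTS value on whitespace and commas, dropping the word 'and'."""
    return [t for t in re.split(r"[\s,]+", text) if t and t.lower() != "and"]


def parse_updating(text):
    """Return a list of {'date': ..., 'affects': [...]} dicts, one per entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"date": m.group(1), "affects": []}
            entries.append(current)
            continue
        m = AFFECTS_RE.match(line)
        if m and current is not None:
            current["affects"] = tokenize_affects(m.group(1))
    return entries


def malformed_tokens(entry):
    """Tokens on the AFFECTS line that are not in category/portname form."""
    return [t for t in entry["affects"] if not ORIGIN_RE.match(t)]


def matching_origins(entry, tree):
    """Origins in the tree that the entry's well-formed tokens match as globs."""
    hits = set()
    for tok in entry["affects"]:
        if ORIGIN_RE.match(tok):
            hits.update(o for o in tree if fnmatch.fnmatchcase(o, tok))
    return sorted(hits)


def audit(text, tree):
    """Map each entry date to its malformed tokens and the origins it reaches."""
    return {
        e["date"]: {"malformed": malformed_tokens(e),
                    "matches": matching_origins(e, tree)}
        for e in parse_updating(text)
    }


if __name__ == "__main__":
    for date, result in audit(SAMPLE_UPDATING, SAMPLE_TREE).items():
        print(date, result)
```

Running the block shows the three outcomes discussed above: the 20191216-style entry reaches no origin at all because "python" has no category, the lang/python* entry reaches lang/python-doc-html as well as the interpreter ports, and the explicit lang/python36 lang/python37 lang/python38 list reaches exactly those three. Note that fnmatch's '*' does not stop at '/', so a pattern like */py* also reaches lang/python* origins in this example; */py-* is the narrower spelling if only py- prefixed ports are meant.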