Bug 247290

Summary: lang/python37: UPDATING entries without category/portname form result in missing entries in freshports (Example python, not lang/python)
Product: Ports & Packages
Reporter: Scott Aitken <freebsd-bugzilla>
Component: Ports Framework
Assignee: Port Management Team <portmgr>
Status: Open ---
Severity: Affects Many People
CC: dvl, linimon, ports-bugs
Priority: ---
Version: Latest
Hardware: Any
OS: Any
See Also: https://github.com/FreshPorts/freshports/issues/155

Description Scott Aitken 2020-06-15 23:03:39 UTC
Freshports is missing the entry dated 20191216 in UPDATING.

This is because the line:

   AFFECTS: users of python

is missing the lang directory.

Please take a look at: https://github.com/FreshPorts/freshports/issues/155

As mentioned in the GitHub issue, there are multiple entries in UPDATING like this.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2020-06-15 23:08:50 UTC
I'll take a look.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2020-06-15 23:14:39 UTC
Well.  This usage is certainly common in UPDATING:

portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | grep -v '/' | wc -l

Of course, this is out of:

portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | wc -l

I think this needs to be something that portmgr sets a policy on.  (If it were one or two entries, I would just correct them myself.)
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-16 04:11:14 UTC
I don't know how freshports parses vuxml, but perhaps it should be matching on <packagename> entries, rather than the summary.

These package name entries are the canonical/authoritative and fully-structured way of being able to determine which set of packages are affected by a vulnerability.

Note: This of course doesn't solve for answering the question 'what *ports* (port origins, not packages) are affected'.

This has come up in the past in a related form when I submitted a vulnerability entry [1]  for www/py-requests, and used the following form:


[1] https://svnweb.freebsd.org/changeset/ports/490936

I did this because EVERY possible package, for *any* Python version, past or future, not just the versions currently in the tree, would be vulnerable.

`make validate` passed with this entry, but a different build process failed. See the thread in svn-ports-all:


Note also that pkg audit also worked with the glob pattern (see thread above).
Comment 4 Dan Langille freebsd_committer 2020-06-16 12:19:23 UTC
I believe the PR topic should say UPDATING not vuXML
Comment 5 Dan Langille freebsd_committer 2020-06-16 12:32:22 UTC
(In reply to Mark Linimon from comment #2)

I find the existing usage interesting. I will talk about the globs later.

$ grep 'users of python' UPDATING
  AFFECTS: users of python and net/samba410, devel/talloc, devel/tevent, databases/tdb, databases/ldb*
  AFFECTS: users of python
  AFFECTS: users of python
  AFFECTS: users of python setuptools

$ grep 'users of lang/python' UPDATING
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python* and ports
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python* and py-*
  AFFECTS: users of lang/python* and py-*

From https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/moved-and-updating-files.html

If upgrading the port requires special steps like changing configuration files or running a specific program, it must be documented in this file. The format of an entry in this file is:

  AFFECTS: users of portcategory/portname
  AUTHOR: Your name <Your email address>

  Special instructions

There is no mention of glob usage however, FreshPorts does detect and use it.  For example:

  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org

Does show up at https://www.freshports.org/lang/python37

It also affects all lang/python* ports such as https://www.freshports.org/lang/python-doc-html/ - this may be an unintended side-effect

This is also useful on FreshPorts: Affects: */py*

I think if the entry were changed from python to one of these, it would comply and match existing UPDATING entries.

* lang/python*
* lang/python36 lang/python37 lang/python38

I think the latter is more appropriate if it does indeed only affect the indicated ports.
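An added example (not FreshPorts or ports-tree code) showing how an UPDATING parser could flag AFFECTS entries whose tokens lack the category/portname form, and how a glob such as lang/python* also sweeps in lang/python-doc-html as noted above. The sample UPDATING text, the port-origin list and the use of fnmatch-style globbing are assumptions.

```python
import fnmatch
import re

# Constructed sample in the UPDATING layout (date header, AFFECTS, AUTHOR);
# the AFFECTS lines mirror the ones quoted in this PR.
SAMPLE_UPDATING = """\
20191216:
  AFFECTS: users of python
  AUTHOR: someone@example.org

  Constructed instructions.

20190101:
  AFFECTS: users of lang/python* and py-*
  AUTHOR: someone@example.org

  Constructed instructions.
"""

# Constructed list of port origins standing in for the ports tree index.
PORT_ORIGINS = ["lang/python37", "lang/python38", "lang/python-doc-html",
                "devel/py-setuptools", "net/samba410"]

# category/portname, with shell-style globs permitted in either half (assumption)
ORIGIN_RE = re.compile(r"^[a-z0-9*-]+/[A-Za-z0-9._*+-]+$")

def parse_updating(text):
    """Return a list of (date, [affects tokens]) for each UPDATING entry."""
    entries = []
    for line in text.splitlines():
        if re.match(r"^\d{8}:", line):
            entries.append((line[:8], []))
        elif line.strip().startswith("AFFECTS:") and entries:
            body = line.strip()[len("AFFECTS:"):].strip()
            body = re.sub(r"^users of\s+", "", body)
            # split on commas and the word "and", as seen in the quoted entries
            tokens = [t for t in re.split(r",\s*|\s+and\s+|\s+", body) if t]
            entries[-1][1].extend(tokens)
    return entries

def is_origin_form(token):
    """True when a token looks like category/portname (globs allowed)."""
    return bool(ORIGIN_RE.match(token))

def match_origins(token, origins=PORT_ORIGINS):
    """Origins a token selects; bare names without a category match nothing."""
    if not is_origin_form(token):
        return []
    return [o for o in origins if fnmatch.fnmatchcase(o, token)]

def unmatched_entries(text, origins=PORT_ORIGINS):
    """Dates of entries where no AFFECTS token resolves to any port origin."""
    return [d for d, toks in parse_updating(text)
            if not any(match_origins(t, origins) for t in toks)]
```

Running unmatched_entries(SAMPLE_UPDATING) reports the 20191216 entry, while match_origins("lang/python*") returns the doc port alongside the interpreters.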
Comment 6 Dan Langille freebsd_committer 2020-06-16 12:33:01 UTC
(In reply to Kubilay Kocak from comment #3)

Sorry, the topic mentions vuxml in error I think. This is about UPDATING.