Bug 261340

Summary: net-p2p/sonarr: Disable built-in updater and take maintainership
Product: Ports & Packages
Reporter: Michiel van Baak Jansen <michiel>
Component: Individual Port(s)
Assignee: Guangyuan Yang <ygy>
Status: Closed FIXED
Severity: Affects Many People
CC: mikael, ygy
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description Flags
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch none
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch michiel: maintainer-approval+
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch michiel: maintainer-approval+
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch michiel: maintainer-approval+

Description Michiel van Baak Jansen 2022-01-19 16:38:29 UTC
Created attachment 231166
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch

Use package_info file to disable the built-in updater for prowlarr.
Document it is disabled in pkg-message.

testport ok
runtest ok

Comment 1 Mark Felder freebsd_committer freebsd_triage 2022-01-24 22:53:30 UTC
The ability to inject the message about using pkg upgrade to update the software is a really nice trick and we should do that.

However, I don't think chowning the binary so Sonarr can update itself should be included in the patch. Someone will find a way to exploit this software and replace itself with something malicious.
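
The concern raised in Comment 1, written as a check an administrator could run against an installed tree (an added example, not part of the comment or of the port): it lists every path under a directory that a given service account owns or can write to through group or world permissions. The directory and account are arguments supplied by the caller; nothing here is taken from the port's own paths.

```shell
#!/bin/sh
# audit_tree DIR USER
# Report every path under DIR that the account USER could modify or replace.
# DIR and USER are supplied by the caller (placeholders, not taken from the port).
# Output: one "<reason> <path>" line per finding. Returns 1 if anything is found.
audit_tree() {
    dir=$1
    user=$2
    # Groups the account belongs to; left empty if the lookup fails.
    gids=$(id -G "$user" 2>/dev/null) || gids=""
    hits=$(
        # Owned by the account: it can rewrite the file or, for a directory,
        # unlink and recreate entries even when those entries belong to root.
        find "$dir" ! -type l -user "$user" -exec printf 'owner %s\n' {} +
        # Writable by everyone, which includes the account.
        find "$dir" ! -type l ! -user "$user" -perm -0002 \
            -exec printf 'world-writable %s\n' {} +
        # Group-writable, and the group is one the account is a member of.
        for g in $gids; do
            find "$dir" ! -type l ! -user "$user" ! -perm -0002 \
                -group "$g" -perm -0020 \
                -exec printf 'group-writable %s\n' {} +
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh audit_tree.sh DIR USER   (exit status 1 means findings)
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```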

Comment 2 Michiel van Baak Jansen 2022-01-25 12:41:19 UTC
Created attachment 231309
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Don't chown binaries, take ownership.

Thanks for all the effort you put into the arrs, feld@

Comment 3 Michiel van Baak Jansen 2022-01-25 15:32:09 UTC
Created attachment 231314
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Remove Sonarr.Update and use only version number for package_info (based on review from Taloth)

Comment 4 Michiel van Baak Jansen 2022-01-25 16:28:07 UTC
Created attachment 231317
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Add --debug to mono call. Fixes warning in logs and the sonarr devs state it should be added.

Comment 5 commit-hook freebsd_committer freebsd_triage 2022-01-29 10:07:00 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e8162ac5393e1a1adb8e777e8314e13f1aab5d4a

commit e8162ac5393e1a1adb8e777e8314e13f1aab5d4a
Author:     Michiel van Baak Jansen <michiel@vanbaak.eu>
AuthorDate: 2022-01-29 10:06:24 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2022-01-29 10:06:24 +0000

    net-p2p/sonarr: Disable built-in updater and take maintainership

    PR:             261340

 net-p2p/sonarr/Makefile                    |  24 +++-
 net-p2p/sonarr/files/package_info.in (new) |   5 +
 net-p2p/sonarr/files/pkg-message.in (new)  |  26 ++++
 net-p2p/sonarr/files/sonarr.in             |   3 +-
 net-p2p/sonarr/pkg-plist (new)             | 217 +++++++++++++++++++++++++++++
 5 files changed, 268 insertions(+), 7 deletions(-)