Bug 220757 - devel/libhtp: Update to 0.5.25
Summary: devel/libhtp: Update to 0.5.25
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kubilay Kocak
Depends on:
Reported: 2017-07-16 10:33 UTC by Franco Fichtner
Modified: 2017-07-17 06:04 UTC

koobs: maintainer-feedback+

patch against head (1.79 KB, patch)
2017-07-16 10:33 UTC, Franco Fichtner
poudriere build log (69.61 KB, text/plain)
2017-07-16 10:33 UTC, Franco Fichtner
updated patch (2.13 KB, patch)
2017-07-16 10:56 UTC, Franco Fichtner
revised patch with revision bump for suricata (2.46 KB, patch)
2017-07-16 12:15 UTC, Franco Fichtner

Description Franco Fichtner 2017-07-16 10:33:08 UTC
Created attachment 184386
patch against head


Suricata 3.2.3 requires this update. Since the two are intermingled, I would also like to raise the issue of reassigning maintainership to make upgrades atomic and/or avoid potential timeouts.

In this update, the library version was bumped to 2; I also reordered pkg-plist alphabetically.

Comment 1 Franco Fichtner 2017-07-16 10:33:34 UTC
Created attachment 184387
poudriere build log
Comment 2 Franco Fichtner 2017-07-16 10:37:07 UTC
The matching suricata update is here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220758

Comment 3 Franco Fichtner 2017-07-16 10:56:52 UTC
Created attachment 184390
updated patch

Updated patch drops obsoleted PLIST_SUB and CONFLICTS_INSTALL, tab alignment for INSTALL_TARGET and TEST_TARGET
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-16 11:06:40 UTC
(In reply to Franco Fichtner from comment #0)

I think I recall reading in previous releases that suri has a libhtp dependency type of 'greater than or equal to X'. If this is still the case, then ensuring that libhtp is at that minimum version prior to committing an update of suricata is all that's needed, precluding combining two ports updates in a single commit.

The changelog also looks like fixes only:

- underscore in htp_validate_hostname [#149]
- fix SONAME issue [#151]
- remove unrelated docbook code from tree [#153]

That aside, since the library name and (major) version have been changed, the diff should include a PORTREVISION bump of dependent ports (in this case, only security/suricata), and any LIB_DEPENDS name changes that are needed.

Can you confirm whether or not QA of the suricata update in bug 220758 includes this change? If not, I'd suggest QA again with the change to ensure the library name/version changes are picked up OK by the suricata port.
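
The reason for the PORTREVISION bump requested in comment 4, as an added example that is not part of the bug thread or the ports tree: a consumer built before the update still records the old SONAME in its NEEDED entries, so it must be rebuilt once the library's name/version changes. The SONAME strings, the binary path and the `readelf -d` text below are constructed for illustration.

```python
import re

# Matches the NEEDED entries printed by `readelf -d <binary>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

def needed_sonames(dynamic_section):
    """Return the SONAMEs a binary was linked against, in file order."""
    return NEEDED_RE.findall(dynamic_section)

def stale_consumers(consumers, provided):
    """Map each consumer to the NEEDED SONAMEs that no installed library provides.

    consumers: {binary path: text of `readelf -d` for that binary}
    provided:  set of SONAMEs offered by the currently installed libraries
    """
    report = {}
    for path, dynamic_section in consumers.items():
        missing = [s for s in needed_sonames(dynamic_section) if s not in provided]
        if missing:
            report[path] = missing
    return report

# Constructed values: the real SONAMEs are not quoted in the thread.
OLD_SONAME = "libhtp-old.so.1"        # placeholder for the pre-update name
NEW_SONAME = "libhtp.so.2"            # assumed from "library version was bumped to 2"
CONSUMER = "/usr/local/bin/suricata"  # assumed install path of the dependent port

def sample_dynamic_section(htp_soname):
    """Build constructed `readelf -d` output for a binary linked to htp_soname."""
    return (
        "Dynamic section at offset 0x2e10 contains 2 entries:\n"
        "  Tag                Type      Name/Value\n"
        f" 0x0000000000000001 (NEEDED)  Shared library: [{htp_soname}]\n"
        " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.7]\n"
    )

# What the system offers once the library update has been installed.
PROVIDED_AFTER_UPDATE = {NEW_SONAME, "libc.so.7"}

def demo():
    """Compare a consumer built before the update with one rebuilt after it."""
    not_rebuilt = {CONSUMER: sample_dynamic_section(OLD_SONAME)}
    rebuilt = {CONSUMER: sample_dynamic_section(NEW_SONAME)}
    return (stale_consumers(not_rebuilt, PROVIDED_AFTER_UPDATE),
            stale_consumers(rebuilt, PROVIDED_AFTER_UPDATE))

if __name__ == "__main__":
    print(demo())
```
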
Comment 5 Franco Fichtner 2017-07-16 11:23:56 UTC
Suricata 3.2.3 includes this libhtp bump. I mostly worry about security implications from not upgrading libhtp along with suricata, as any bug will cause issues in the Suricata binary. Whether or not an update has security implications is harder to assess, but shouldn't keep us from updating.

In OPNsense, we've moved away from separating libhtp from suricata, as it's harder to test upgrades from the user end plus the upgrade is more precise.

Maybe we should start bundling libhtp in a way that does not clash with the libhtp port?  I mean this is the standard Suricata way so it cannot be that wrong?
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-16 11:42:55 UTC
(In reply to Franco Fichtner from comment #5)

The same worry/reason is why downstream OS's unbundle library dependencies in their packages.

Otherwise, one would have to wait for N dependent statically-compiled consumers of that library to provide updates in order to resolve the security issue for your users.

See Also: https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#bundled-libs

We don't need to go into upstream vs downstream perspectives and how their value propositions and operational characteristics differ here.
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-16 11:44:07 UTC
@Franco, as per comment 4 (and so I don't forget), could you please update the patch to include a security/suricata: PORTREVISION bump.
Comment 8 Franco Fichtner 2017-07-16 11:45:14 UTC
Ok, currently waiting for verification of suricata 3.2.3 build + libhtp 0.5.24 just to be sure.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-16 11:46:16 UTC
(In reply to Franco Fichtner from comment #8)

Comment 10 Franco Fichtner 2017-07-16 12:15:38 UTC
Created attachment 184392
revised patch with revision bump for suricata

So the SONAME change / version bump was purely to unbreak SONAME from changing its name, but building against < 0.5.25 from Suricata 3.2.3 is fine.
Comment 11 commit-hook freebsd_committer 2017-07-17 05:52:29 UTC
A commit references this bug:

Author: koobs
Date: Mon Jul 17 05:52:20 UTC 2017
New revision: 446052
URL: https://svnweb.freebsd.org/changeset/ports/446052

  devel/libhtp: Update to 0.5.25

   * Remove CONFLICTS_INSTALL (libhtp-suricata port deleted)
   * Remove unnecessary PLIST_SUB
   * Update and sort pkg-plist
   * Bump security/suricata PORTREVISION, library name/version change



  PR:		220757
  Submitted by:	Franco Fichtner (franco opnsense org)

Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-17 05:55:17 UTC
Committed, thank you Franco
Comment 13 Franco Fichtner 2017-07-17 05:56:29 UTC
Hmm, revision does not include suricata revision bump despite the message?

Comment 14 commit-hook freebsd_committer 2017-07-17 05:58:36 UTC
A commit references this bug:

Author: koobs
Date: Mon Jul 17 05:58:05 UTC 2017
New revision: 446053
URL: https://svnweb.freebsd.org/changeset/ports/446053

  security/suricata: Bump PORTREVISION

  Actually bump PORTREVISION mentioned but not committed in ports r446052

  PR:	220757

Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-17 05:58:56 UTC
Comment 16 Franco Fichtner 2017-07-17 06:04:56 UTC
likewise :)