Bug 237632 - security/ossec-hids: Update to 3.3.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kurt Jaeger
Reported: 2019-04-28 22:14 UTC by Dominik Lisiak
Modified: 2019-06-01 19:39 UTC (History)
pi: maintainer-feedback+


Attachments
ossec-hids-3.3.0.diff (44.32 KB, patch)
2019-04-28 22:14 UTC, Dominik Lisiak
no flags
ossec-hids-3.3.0.diff (47.18 KB, patch)
2019-05-06 21:49 UTC, Dominik Lisiak
dominik.lisiak: maintainer-approval+

Description Dominik Lisiak 2019-04-28 22:14:00 UTC
Created attachment 204090
ossec-hids-3.3.0.diff

Update from 3.1.0 to 3.3.0. Obsoletes bug #236919.

Additional changes to ossec-hids-* ports:

1. Bug fixes:
  - Corrected file ownership when package was created and installed by different users.
  - "firewall-drop.sh" is no longer removed when package is deleted.
2. New features:
  - Added LUA option. Bundled Lua support is no longer compiled in by default.
  - pkgconf is now used to determine libinotify location as requested in bug #235240.


Additional changes to ossec-hids-*-config ports:

1. New features:
  - Added NOFW option. This is now the default and means no "firewall-drop.sh" script is created or deleted by the port.


The ossec-hids-3.3.0.diff should be applied on ports tree root.
Comment 1 Kurt Jaeger freebsd_committer 2019-05-03 17:55:59 UTC
ossec-hids-local fails with:

====> Running Q/A tests (stage-qa)
Error: '/bin/bash' is an invalid shebang you need USES=shebangfix for 'ossec-hids/active-response/bin/ossec-pagerduty.sh'
*** Error code 1
Comment 2 Kurt Jaeger freebsd_committer 2019-05-03 18:09:59 UTC
adding active-response/ossec-pagerduty.sh
to SHEBANG_FILES
causes this:

Error: Orphaned: ossec-hids/etc/client.keys
Error: Orphaned: ossec-hids/etc/ossec.conf
Error: Orphaned: ossec-hids/logs/active-responses.log
Error: Orphaned: ossec-hids/logs/ossec.log

so pkg-plist-local is not complete?
Comment 3 Dominik Lisiak 2019-05-03 18:21:50 UTC
(In reply to Kurt Jaeger from comment #1)
This script is just a template, because it requires modification to work anyway. It is shipped this way with OSSEC.
Comment 4 Dominik Lisiak 2019-05-03 18:36:51 UTC
(In reply to Kurt Jaeger from comment #2)

The list is complete.

ossec-hids/etc/client.keys
ossec-hids/etc/ossec.conf
ossec-hids/logs/active-responses.log
ossec-hids/logs/ossec.log

These are configuration files and logs that are intentionally not installed. They are subject to change by the user (configuration files) or by running OSSEC (logs), so if they were included in the PLIST then the system would report a wrong checksum of the files during the daily report.
Comment 5 Dominik Lisiak 2019-05-03 18:40:39 UTC
(In reply to Dominik Lisiak from comment #3)

BTW the PLIST file is generated automatically by the script "scripts/plist.sh" (in the port's directory) and in it is the "skip_paths" variable listing paths we don't want intentionally.
Comment 6 Kurt Jaeger freebsd_committer 2019-05-03 18:42:09 UTC
(In reply to Dominik Lisiak from comment #4)
Did you testbuild in poudriere? The missing SHEBANG_FILES entry and those
files cause the poudriere build to abort and this would cause the package builder to fail to build the package.

If you add the four files as 

@sample(,ossec,0640)

then, I guess, the daily job will not complain.
Comment 7 Dominik Lisiak 2019-05-03 18:59:12 UTC
(In reply to Kurt Jaeger from comment #6)

In fact I tested it with Poudriere and the build is ok. I guess it is a matter of additional setting (USE_PORTLINT=yes?).

I will not add empty files as samples (only the ossec.conf makes sense). It is pointless.

Do these missing files really cause the abort? As a port maintainer I am in no way obliged to install everything from the stage directory. That is why I created the "plist.sh" script to only select required files.
Comment 8 Kurt Jaeger freebsd_committer 2019-05-03 19:17:13 UTC
(In reply to Dominik Lisiak from comment #7)
The files seem to be copied to the STAGEDIR during install, and then
check-plist checks if there are files in STAGEDIR that are not listed
in pkg-plist. The problem is that an upgrade should not clobber
the files.

If the user has the app installed, and an update comes in, the
client.keys and the logs should not be removed during deinstall
and should not be overwritten on install. That's the goal here.

Is it possible to not skip those files, but to *not* install them to the
STAGEDIR? Then it would not cause trouble in make check-plist.
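
The orphan check discussed in comments 2 through 8, as a simplified added illustration; it is not code from the ports framework or from the attached patch. The function names (find_orphans, sanitize_stage, demo), the plain-path plist format and the single packaged file are assumptions made for the sketch; the four runtime paths are the ones reported in comment 2.

```sh
#!/bin/sh
# Added illustration: a simplified orphan check, not the ports framework's code.
# The plist here is a plain list of relative paths (an assumption; a real
# pkg-plist also carries keywords such as @sample).

# Print every file under the stage directory that the plist does not list.
find_orphans() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        grep -qxF -- "$f" "$2" || printf 'Orphaned: %s\n' "$f"
    done
}

# Delete runtime-owned files from the stage so they are neither packaged
# nor reported; files already on the user's system are left untouched.
sanitize_stage() {
    stage=$1; shift
    for p in "$@"; do rm -f -- "$stage/$p"; done
}

# Constructed sample: one packaged file plus the four paths from comment 2.
demo() {
    tmp=$(mktemp -d) || return 1
    runtime="ossec-hids/etc/client.keys ossec-hids/etc/ossec.conf
ossec-hids/logs/active-responses.log ossec-hids/logs/ossec.log"
    mkdir -p "$tmp/stage/ossec-hids/bin" "$tmp/stage/ossec-hids/etc" \
             "$tmp/stage/ossec-hids/logs"
    for f in ossec-hids/bin/ossec-control $runtime; do : > "$tmp/stage/$f"; done
    printf '%s\n' ossec-hids/bin/ossec-control > "$tmp/plist"

    before=$(find_orphans "$tmp/stage" "$tmp/plist" | wc -l | tr -d ' ')
    sanitize_stage "$tmp/stage" $runtime
    after=$(find_orphans "$tmp/stage" "$tmp/plist" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"
}

demo   # orphan count before and after sanitizing the stage: prints "4 0"
```

Because the runtime files never enter the package, an upgrade or deinstall has no record of them and leaves the installed client.keys, ossec.conf and logs in place.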
Comment 9 Dominik Lisiak 2019-05-06 21:49:50 UTC
Created attachment 204241
ossec-hids-3.3.0.diff

Should silence the mentioned false positives of "poudriere testport".
Comment 10 Dominik Lisiak 2019-05-30 13:55:03 UTC
(In reply to Kurt Jaeger from comment #8)

Hi. Any chance to commit this in the near future? Anything else you need from me to be done?
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-01 12:17:05 UTC
(In reply to Dominik Lisiak from comment #10)

If you could please confirm the latest change passes QA (poudriere) that would be great. "should" is good, but explicit testing and confirmation is much better. 

And don't forget to set the maintainer-approval attachment flag (to "+") on attachments for ports you maintain. Attachment -> Details -> maintainer-approval [+] or select the flags value during attachment.

Thanks!
Comment 12 Dominik Lisiak 2019-06-01 12:57:50 UTC
(In reply to Kubilay Kocak from comment #11)

I confirm. Latest change passes "poudriere testport".
Comment 13 Kurt Jaeger freebsd_committer 2019-06-01 18:26:52 UTC
testbuilds@work
Comment 14 Kurt Jaeger freebsd_committer 2019-06-01 19:37:37 UTC
Committed, thanks!
Comment 15 commit-hook freebsd_committer 2019-06-01 19:39:54 UTC
A commit references this bug:

Author: pi
Date: Sat Jun  1 19:39:13 UTC 2019
New revision: 503254
URL: https://svnweb.freebsd.org/changeset/ports/503254

Log:
  security/ossec-hids: upgrade 3.1.0 -> 3.3.0
  security/ossec-hids-local: upgrade 3.1.0 -> 3.3.0
  security/ossec-hids-local-config: upgrade 3.1.0 -> 3.3.0

  - Added LUA option. Bundled Lua support is no longer compiled in by default

  PR:		237632
  Submitted by:	Dominik Lisiak <dominik.lisiak@bemsoft.pl> (maintainer)
  Relnotes:	https://github.com/ossec/ossec-hids/releases/tag/3.3.0
  		https://github.com/ossec/ossec-hids/releases/tag/3.2.0

Changes:
  head/security/ossec-hids/Makefile
  head/security/ossec-hids-local/Makefile
  head/security/ossec-hids-local/distinfo
  head/security/ossec-hids-local/files/ossec-hids.in
  head/security/ossec-hids-local/files/patch-src_Makefile
  head/security/ossec-hids-local/files/pkg-deinstall.in
  head/security/ossec-hids-local/files/pkg-install.in
  head/security/ossec-hids-local/pkg-plist-agent
  head/security/ossec-hids-local/pkg-plist-local
  head/security/ossec-hids-local/pkg-plist-server
  head/security/ossec-hids-local/scripts/plist.conf
  head/security/ossec-hids-local/scripts/plist.sh
  head/security/ossec-hids-local/scripts/sanitize-stage.sh
  head/security/ossec-hids-local-config/Makefile
  head/security/ossec-hids-local-config/distinfo
  head/security/ossec-hids-local-config/files/pkg-deinstall.in
  head/security/ossec-hids-local-config/files/pkg-install.in
  head/security/ossec-hids-local-config/files/template-rootcheck-basic.xml.in
  head/security/ossec-hids-local-config/files/template-rules-default.xml.in
  head/security/ossec-hids-local-config/scripts/plist.conf
  head/security/ossec-hids-local-config/scripts/plist.sh