Bug 240370 - www/node10: MFH requested but not done
Summary: www/node10: MFH requested but not done
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Bradley T. Hughes
URL: https://svnweb.freebsd.org/ports?view...
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-09-06 15:58 UTC by swegen
Modified: 2019-09-18 16:06 UTC

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly+


Description swegen 2019-09-06 15:58:51 UTC
A merge from head request to www/node10 was made at 2019-08-20.

Why are these security MFH's to quarterly frequently overlooked on multiple ports during the lifetime of a quarterly branch? This makes following the quarterly branch quite unsafe and frustrating.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-06 22:31:25 UTC
Thank you for the report and request swegen.

Sometimes MFH's can take some time, particularly if there are conflicts or other commits that need to be merged along with the requested merge. I'm not sure if that's the case here.

In particular, security updates (in contrast to other MFH candidates, like bugfixes) require explicit approval from ports-secteam, as opposed to implicitly approved, which can be merged without approval.

Having said that, you are generally right that we need to do better with regard to fulfilling the promise of the quarterly branch for our users, and we appreciate you raising your concerns.
Comment 2 swegen 2019-09-14 07:05:10 UTC
Thank you for your informative reply. It has now been over a week since my report. Any update on merge difficulties from the maintainer or ports-secteam?

I have been receiving daily security status mails from periodic(8) about www/node10 being vulnerable for almost a month now. It's too long considering the quarterly branch being the default pkg(8) repository set in /etc/pkg/FreeBSD.conf.
Comment 3 swegen 2019-09-14 07:29:44 UTC
I just noticed that www/node8 (8.x LTS) was merged to quarterly at 2019-08-22, under two days from MFH request. But www/node10 (10.x LTS) and www/node (12.x Current) remain unmerged.
Comment 4 Bradley T. Hughes freebsd_committer 2019-09-17 19:46:29 UTC
I just merged the pending changes to www/node10 and www/node in quarterly. Thanks for the report, and your patience. :)
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-18 02:17:17 UTC
Author: bhughes
Date: Tue Sep 17 19:02:52 2019
New Revision: 512229
URL: https://svnweb.freebsd.org/changeset/ports/512229

Log:
  MFH: r507835 r509060 r509480
  
  www/node10: Update 10.16.0_1 => 10.16.1
  
  https://nodejs.org/en/blog/release/v10.16.1/
  
  While here, refresh patches with `make makepatch`.
  
  Sponsored by:	Miles AS
  
  www/node10: Update 10.16.1 -> 10.16.2
  
  https://nodejs.org/en/blog/release/v10.16.2/
  
  Sponsored by:	Miles AS
  
  www/node10: Update 10.16.2 -> 10.16.3
  
  This is a security release. All Node.js users should consult the security
  release summary at
  https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
  for details on patched vulnerabilities.
  
  Security:	c97a940b-c392-11e9-bb38-000d3ab229d6
  Sponsored by:	Miles AS
  
  Approved by:	ports-secteam (joneum)
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-18 02:17:30 UTC
Author: bhughes
Date: Tue Sep 17 19:06:01 2019
New Revision: 512231
URL: https://svnweb.freebsd.org/changeset/ports/512231

Log:
  MFH: r506491 r507478 r509122 r509481
  
  www/node: Update 12.4.0 -> 12.6.0
  
  https://nodejs.org/en/blog/release/v12.5.0/
  https://nodejs.org/en/blog/release/v12.6.0/
  
  Sponsored by:	Miles AS
  
  www/node: Update 12.6.0_1 -> 12.7.0
  
  https://nodejs.org/en/blog/release/v12.7.0/
  
  www/node: Update 12.7.0 -> 12.8.0
  
  https://nodejs.org/en/blog/release/v12.8.0/
  
  The bundled OpenSSL configuration now includes BSD-x86, which this port
  can now use. The build for i386 is still using the no-asm variant for
  the time being. Assembler errors in BSD-x86/asm-avx2 need to be
  investigated to be able to enable asm with the bundled OpenSSL.
  
  While here, regenerate all remaining patches with `make makepatch`.
  
  Sponsored by:	Miles AS
  
  www/node: Update 12.8.0 -> 12.8.1
  
  This is a security release. All Node.js users should consult the security
  release summary at
  https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
  for details on patched vulnerabilities.
  
  Security:	c97a940b-c392-11e9-bb38-000d3ab229d6
  Sponsored by:	Miles AS
  
  Approved by:	ports-secteam (joneum)
Comment 7 swegen 2019-09-18 16:06:30 UTC
Thanks for the merge.