Bug 247290 - lang/python37: UPDATING entries without category/portname form result in missing entries in freshports (Example python, not lang/python)
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework
Version: Latest
Hardware: Any, OS: Any
Importance: --- Affects Many People
Assignee: Port Management Team
Reported: 2020-06-15 23:03 UTC by Scott Aitken
Modified: 2020-06-16 12:43 UTC
Description Scott Aitken 2020-06-15 23:03:39 UTC
Freshports is missing the entry dated 20191216 in UPDATING.

This is because the line:

   AFFECTS: users of python

is missing the lang directory

Please take a look at: https://github.com/FreshPorts/freshports/issues/155

As mentioned in the GitHub issue, there are multiple entries in UPDATING like this.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2020-06-15 23:08:50 UTC
I'll take a look.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2020-06-15 23:14:39 UTC
Well.  This usage is certainly common in UPDATING:

portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | grep -v '/' | wc -l
      50

Of course, this is out of:

portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | wc -l
     931

I think this needs to be something that portmgr sets a policy on.  (If it were one or two entries, I would just correct them myself.)
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-16 04:11:14 UTC
I don't know how freshports parses vuxml, but perhaps it should be matching on <packagename> entries, rather than the summary.

These package name entries are the canonical/authoritative and fully-structured way of being able to determine which set of packages are affected by a vulnerability.

Note: This of course doesn't solve for answering the question 'what *ports* (port origins, not packages) are affected'.

This has come up in the past in a related form when I submitted a vulnerability entry [1] for www/py-requests, and used the following form:

      <package>
        <name>py*-requests</name>
        <range><lt>2.20.0</lt></range>
      </package>

[1] https://svnweb.freebsd.org/changeset/ports/490936

I did this because EVERY possible package, for *any* Python version, past or future, not just the versions currently in the tree, would be vulnerable.

`make validate` passed with this entry, but a different build process failed. See the thread in svn-ports-all:

https://lists.freebsd.org/pipermail/svn-ports-all/2019-January/205691.html

Note also that pkg audit also worked with the glob pattern (see thread above).
Comment 4 Dan Langille freebsd_committer 2020-06-16 12:19:23 UTC
I believe the PR topic should say UPDATING not vuXML
Comment 5 Dan Langille freebsd_committer 2020-06-16 12:32:22 UTC
(In reply to Mark Linimon from comment #2)

I find the existing usage interesting. I will talk about the globs later.

$ grep 'users of python' UPDATING
  AFFECTS: users of python and net/samba410, devel/talloc, devel/tevent, databases/tdb, databases/ldb*
  AFFECTS: users of python
  AFFECTS: users of python
  AFFECTS: users of python setuptools

$ grep 'users of lang/python' UPDATING
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python3
  AFFECTS: users of lang/python* and ports
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python*
  AFFECTS: users of lang/python* and py-*
  AFFECTS: users of lang/python* and py-*


From https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/moved-and-updating-files.html

###
If upgrading the port requires special steps like changing configuration files or running a specific program, it must be documented in this file. The format of an entry in this file is:

YYYYMMDD:
  AFFECTS: users of portcategory/portname
  AUTHOR: Your name <Your email address>

  Special instructions
###

There is no mention of glob usage; however, FreshPorts does detect and use it.  For example:

###
20131003:
  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org
###

Does show up at https://www.freshports.org/lang/python37

It also affects all lang/python* ports such as https://www.freshports.org/lang/python-doc-html/ - this may be an unintended side-effect

This is also useful on FreshPorts: Affects: */py*

I think if the entry were changed from python to one of these, it would comply and match existing UPDATING entries.

* lang/python*
* lang/python36 lang/python37 lang/python38

I think the latter is more appropriate if it does indeed only affect the indicated ports.
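As an added illustration (not FreshPorts code and not from this bug), a small Python parser that mimics the matching described in comment 5: AFFECTS tokens in category/portname form, with shell-style globs, are matched against a port origin, while a bare name such as `python` cannot be mapped to any origin and is reported separately. The UPDATING excerpt, the regexes and the function names are constructed for this example.

```python
import fnmatch
import re

# Constructed sample in UPDATING layout (not the real file); 20131003 is the entry quoted in the bug.
SAMPLE_UPDATING = """\
20191216:
  AFFECTS: users of python
  AUTHOR: someone@example.org

  Bare name, no category: cannot be mapped to a port origin.

20131003:
  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org

  Glob form: matches every lang/python* origin, python-doc-html included.

20200101:
  AFFECTS: users of lang/python36 lang/python37 lang/python38
  AUTHOR: someone@example.org

  Explicit list of origins.
"""

# Date line followed by the indented AFFECTS line of the same entry.
ENTRY_RE = re.compile(r"^(\d{8}):\n\s+AFFECTS:\s*(?:users of\s+)?(.*)$", re.M)
# category/portname, where portname may carry shell-style glob characters.
ORIGIN_RE = re.compile(r"^[\w.+-]+/[\w.+*?-]+$")

def parse_affects(text):
    """Map each entry date to the whitespace-separated tokens of its AFFECTS line."""
    entries = {}
    for date, affects in ENTRY_RE.findall(text):
        entries[date] = [tok.strip(",") for tok in affects.split()]
    return entries

def classify(token):
    """'origin' for a category/portname token (globs allowed), else 'bare'."""
    return "origin" if ORIGIN_RE.match(token) else "bare"

def affected_entries(text, origin):
    """Return (dates whose AFFECTS matches origin, dates with no category/portname token at all)."""
    matched, unmappable = [], []
    for date, tokens in parse_affects(text).items():
        patterns = [tok for tok in tokens if classify(tok) == "origin"]
        if not patterns:
            unmappable.append(date)  # a FreshPorts-style parser would silently drop this entry
        elif any(fnmatch.fnmatchcase(origin, pat) for pat in patterns):
            matched.append(date)
    return matched, unmappable
```

Running `affected_entries(SAMPLE_UPDATING, "lang/python37")` yields the two mappable entries and flags 20191216 as unmappable, and `lang/python-doc-html` is picked up by the glob entry only, which is the side effect noted above.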
Comment 6 Dan Langille freebsd_committer 2020-06-16 12:33:01 UTC
(In reply to Kubilay Kocak from comment #3)

Sorry, the topic mentions vuxml in error I think. This is about UPDATING.