FreshPorts is missing the entry dated 20191216 in UPDATING. This is because the line:

    AFFECTS: users of python

is missing the lang directory. Please take a look at: https://github.com/FreshPorts/freshports/issues/155

As mentioned in the GitHub issue, there are multiple entries in UPDATING like this.
I'll take a look.
Well. This usage is certainly common in UPDATING:

    portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | grep -v '/' | wc -l
    50

Of course, this is out of:

    portsjail% grep "AFFECTS: users of " UPDATING | sort | uniq | wc -l
    931

I think this needs to be something that portmgr sets a policy on. (If it were one or two entries, I would just correct them myself.)
I don't know how FreshPorts parses vuxml, but perhaps it should be matching on <packagename> entries, rather than the summary. These package name entries are the canonical/authoritative and fully-structured way of being able to determine which set of packages are affected by a vulnerability.

Note: This of course doesn't solve for answering the question 'what *ports* (port origins, not packages) are affected'.

This has come up in the past in a related form when I submitted a vulnerability entry [1] for www/py-requests, and used the following form:

    <package>
      <name>py*-requests</name>
      <range><lt>2.20.0</lt></range>
    </package>

[1] https://svnweb.freebsd.org/changeset/ports/490936

I did this because EVERY possible package, for *any* Python version, past or future, not just the versions currently in the tree, would be vulnerable. `make validate` passed with this entry, but a different build process failed. See the thread in svn-ports-all: https://lists.freebsd.org/pipermail/svn-ports-all/2019-January/205691.html

Note also that pkg audit also worked with the glob pattern (see thread above).
I believe the PR topic should say UPDATING not vuXML
(In reply to Mark Linimon from comment #2)

I find the existing usage interesting. I will talk about the globs later.

    $ grep 'users of python' UPDATING
    AFFECTS: users of python and net/samba410, devel/talloc, devel/tevent, databases/tdb, databases/ldb*
    AFFECTS: users of python
    AFFECTS: users of python
    AFFECTS: users of python setuptools

    $ grep 'users of lang/python' UPDATING
    AFFECTS: users of lang/python3
    AFFECTS: users of lang/python3
    AFFECTS: users of lang/python* and ports
    AFFECTS: users of lang/python*
    AFFECTS: users of lang/python*
    AFFECTS: users of lang/python* and py-*
    AFFECTS: users of lang/python* and py-*

From https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/moved-and-updating-files.html

###
If upgrading the port requires special steps like changing configuration files or running a specific program, it must be documented in this file. The format of an entry in this file is:

    YYYYMMDD:
      AFFECTS: users of portcategory/portname
      AUTHOR: Your name <Your email address>

      Special instructions
###

There is no mention of glob usage; however, FreshPorts does detect and use it. For example:

###
20131003:
  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org
###

Does show up at https://www.freshports.org/lang/python37

It also affects all lang/python* ports such as https://www.freshports.org/lang/python-doc-html/ - this may be an unintended side-effect.

This is also useful on FreshPorts: Affects: */py*

I think if the entry were changed from python to one of these, it would comply and match existing UPDATING entries.

* lang/python*
* lang/python36 lang/python37 lang/python38

I think the latter is more appropriate if it does indeed only affect the indicated ports.
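As an added illustration of the UPDATING entry format and the glob handling discussed in the comment above (example code written for this thread, not FreshPorts' own parser): it pulls the category/name patterns out of each AFFECTS line, matches port origins against them with fnmatch globs such as lang/python*, and flags entries like "users of python" that name no port origin at all. The sample UPDATING text and the committer@example.org author are constructed; treating '*' as matching any characters, including '/', is an assumption about how globs should expand.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the Porter's Handbook entry format (not the real UPDATING file).
SAMPLE_UPDATING = """\
20131003:
  AFFECTS: users of lang/python* and ports
  AUTHOR: mva@FreeBSD.org

  Special instructions go here.

20191216:
  AFFECTS: users of python
  AUTHOR: committer@example.org

  Entry FreshPorts cannot attach to any port: no category/name in AFFECTS.
"""

ENTRY_RE = re.compile(r"^(\d{8}):\s*$", re.M)
AFFECTS_RE = re.compile(r"^\s*AFFECTS:\s*users of\s+(.*)$", re.M)


def parse_updating(text):
    """Return [(date, affects_text, origin_patterns)] for each entry in text."""
    entries = []
    heads = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        a = AFFECTS_RE.search(text[m.end():end])
        affects = a.group(1).strip() if a else ""
        # Keep only category/name tokens (globs allowed, e.g. lang/python*);
        # bare words such as "python", "and" or "ports" are not port origins.
        tokens = re.split(r"[\s,]+|\band\b", affects)
        entries.append((m.group(1), affects, [t for t in tokens if "/" in t]))
    return entries


def entries_for_origin(entries, origin):
    """Dates of entries whose AFFECTS patterns match a port origin (glob-aware)."""
    return [d for d, _, pats in entries if any(fnmatchcase(origin, p) for p in pats)]


def entries_without_origin(entries):
    """Dates of entries that name no port origin at all (the defect in this PR)."""
    return [d for d, _, pats in entries if not pats]


if __name__ == "__main__":
    parsed = parse_updating(SAMPLE_UPDATING)
    print("lang/python37:", entries_for_origin(parsed, "lang/python37"))
    print("unattachable:", entries_without_origin(parsed))
```

Run against the real UPDATING file, entries_without_origin gives the same set that the `grep -v '/'` pipeline in comment #2 counts, and entries_for_origin reproduces the lang/python-doc-html side-effect noted above.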
(In reply to Kubilay Kocak from comment #3) Sorry, the topic mentions vuxml in error I think. This is about UPDATING.
Hello,

Please reopen if it is still relevant.

Regards,
Tobias