Bug 259150 - ports-mgmt/pkg: pkg install does not check FreeBSD_version annotation
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-pkg (Nobody)
Reported: 2021-10-13 18:35 UTC by R Williams
Modified: 2021-10-13 18:35 UTC
bugzilla: maintainer-feedback? (pkg)


Attachments
MANIFEST with FreeBSD_version from the future (608 bytes, text/plain)
2021-10-13 18:35 UTC, R Williams

Description R Williams 2021-10-13 18:35:18 UTC
Created attachment 228675
MANIFEST with FreeBSD_version from the future

Overview:

   Calling `pkg install $LOCAL_FILE`, where LOCAL_FILE is either a local path to
   a valid package file or a file scheme URI, never checks the `FreeBSD_version`
   metadata to see if the package file is from a future version of FreeBSD. This
   check is always performed when installing a local file with the `pkg add`
   command, unless the `IGNORE_OSVER` option is set.

Steps to Reproduce:

   1) Download the attached MANIFEST file.
   2) Create a test package by running:
      `pkg create -M $PATH_TO_MANIFEST_FILE`

      pkg-create will write a file in the current directory named
      `fromthefuture-0.pkg`.
   3) Attempt to install using pkg-add:
      `pkg add fromthefuture-0.pkg`

      This will fail with the error:
      "pkg: Newer FreeBSD version for package fromthefuture"
   4) Attempt to install using pkg-install:
      `pkg install /absolute/path/to/fromthefuture-0.pkg`

      This will succeed, despite the FreeBSD version mismatch.
   5) Don't forget to remove this bogus package:
      `pkg remove -y fromthefuture`

Actual Results:

   `pkg install` succeeded where `pkg add` refused.

Expected Results:

   Both entrypoints to installing a package should perform the same checks
   on local package files.

Build Date & Hardware:

   pkg 1.17.2 on FreeBSD 13.0-STABLE

Additional Information:

   This behavior occurs due to the condition on line 1110 of pkg_add.c,
   in pkg_add_common():
   https://github.com/freebsd/pkg/blob/ef8e71553deb048004d40b70806867d6fa05b26b/libpkg/pkg_add.c#L1107-L1118

   `pkg install` reaches `pkg_add_common()` via the wrapper function
   `pkg_add_from_remote()`, while `pkg add` reaches it via the wrapper
   function `pkg_add()`. The latter NULLs the `remote` argument, while
   the former passes a `struct pkg` pointer.

   In either case, the effect is to install a package from a local file.
   I'm mulling over the right way to possibly fix this, because the job
   executor is involved in `pkg install`. Therefore, it's a question where
   the "local file" detection code should live. Food for thought.
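
Added example, not part of the original report and not libpkg's code: a simplified C model of the control flow described above, where the version check only runs when the `remote` argument is NULL. Every `model_` name, the `from_local_file` flag and the version numbers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the report; all names here are hypothetical, not libpkg's. */
struct model_pkg { const char *name; long freebsd_version; };
enum { MODEL_OK = 0, MODEL_FATAL = 1 };

/* The FreeBSD_version rule: refuse a package built on a newer OS than the
 * running one, unless an IGNORE_OSVER-style override is set. */
static bool osver_ok(const struct model_pkg *p, long running, bool ignore_osver)
{
    return ignore_osver || p->freebsd_version <= running;
}

/* As reported: the check only runs when the caller passed remote == NULL. */
int model_add_common(const struct model_pkg *file, const struct model_pkg *remote,
                     long running, bool ignore_osver)
{
    if (remote == NULL && !osver_ok(file, running, ignore_osver))
        return MODEL_FATAL;
    return MODEL_OK;
}

/* Assumed alternative: key the check on where the archive came from. */
int model_add_common_local_aware(const struct model_pkg *file, bool from_local_file,
                                 long running, bool ignore_osver)
{
    if (from_local_file && !osver_ok(file, running, ignore_osver))
        return MODEL_FATAL;
    return MODEL_OK;
}

/* "pkg add" path: wrapper NULLs remote. "pkg install" path: passes a pkg. */
int model_pkg_add(const struct model_pkg *f, long running, bool ign)
{ return model_add_common(f, NULL, running, ign); }
int model_pkg_install(const struct model_pkg *f, long running, bool ign)
{ return model_add_common(f, f, running, ign); }

int main(void)
{
    /* Constructed sample values, not taken from the attachment. */
    struct model_pkg p = { "fromthefuture", 9999999 };
    long running = 1300000;
    printf("add=%d install=%d local_aware=%d\n",
           model_pkg_add(&p, running, false),
           model_pkg_install(&p, running, false),
           model_add_common_local_aware(&p, true, running, false));
    return 0;
}
```

In this model the same local file is refused on the add path and accepted on the install path, and the `from_local_file` variant refuses it regardless of which wrapper is used.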