Created attachment 228675 [details]
MANIFEST with FreeBSD_version from the future
Calling `pkg install $LOCAL_FILE`, where LOCAL_FILE is either a local path to
a valid package file or a file scheme URI, never checks the `FreeBSD_version`
metadata to see if the package file is from a future version of FreeBSD. This
check is always performed when installing a local file with the `pkg add`
command, unless the `IGNORE_OSVER` option is set.
Steps to Reproduce:
1) Download the attached MANIFEST file.
2) Create a test package by running:
pkg create -M $PATH_TO_MANIFEST_FILE
pkg-create will write a file in the current directory named
3) Attempt to install using pkg-add:
`pkg add fromthefuture-0.pkg`
This will fail with the error:
"pkg: Newer FreeBSD version for package fromthefuture"
4) Attempt to install using pkg-install:
`pkg install /absolute/path/to/fromthefuture-0.pkg`
This will succeed, despite the FreeBSD version mismatch.
5) Don't forget to remove this bogus package:
`pkg remove -y fromthefuture`
`pkg install` succeeded where `pkg add` refused.
Both entrypoints to installing a package should perform the same checks
on local package files.
Build Date & Hardware:
pkg 1.17.2 on FreeBSD 13.0-STABLE
This behavior occurs due to the condition on line 1110 of pkg_add.c,
`pkg install` reaches `pkg_add_common()` via the wrapper function
`pkg_add_from_remote()`, while `pkg add` reaches it via the wrapper
function `pkg_add()`. The latter NULLs the `remote` argument, while
the former passes a `struct pkg` pointer.
In either case, the effect is to install a package from a local file.
I'm mulling over the right way to possibly fix this, because the job
executor is involved in `pkg install`. Therefore, it's a question where
the "local file" detection code should live. Food for thought.