Bug 261340 - net-p2p/sonarr: Disable built-in updater and take maintainership
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Guangyuan Yang
Reported: 2022-01-19 16:38 UTC by Michiel van Baak Jansen
Modified: 2022-01-29 10:07 UTC

Attachments
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch (21.22 KB, patch)
2022-01-19 16:38 UTC, Michiel van Baak Jansen
no flags
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (21.19 KB, patch)
2022-01-25 12:41 UTC, Michiel van Baak Jansen
michiel: maintainer-approval+
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (14.51 KB, patch)
2022-01-25 15:32 UTC, Michiel van Baak Jansen
michiel: maintainer-approval+
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch (14.51 KB, patch)
2022-01-25 16:28 UTC, Michiel van Baak Jansen
michiel: maintainer-approval+

Description Michiel van Baak Jansen 2022-01-19 16:38:29 UTC
Created attachment 231166
0001-net-p2p-sonarr-Disable-built-in-updater-and-tell-use.patch

Use package_info file to disable the built-in updater for prowlarr.
Document it is disabled in pkg-message.

testport ok
runtest ok
Comment 1 Mark Felder freebsd_committer 2022-01-24 22:53:30 UTC
The ability to inject the message about using pkg upgrade to update the software is a really nice trick and we should do that.

However, I don't think chowning the binary so Sonarr can update itself should be included in the patch. Someone will find a way to exploit this software and replace itself with something malicious.
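
The ownership concern in Comment 1 can be checked on an installed tree. The following is an added example, not part of this bug thread or of the port: it lists every path under a directory that a given service uid could rewrite. The function names `audit_tree` and `audit_ok` are hypothetical, the directory and uid are supplied by the caller, and group-writable paths are not evaluated.

```shell
#!/bin/sh
# Added example (not from the port). Both arguments are caller-supplied:
#   $1 = install directory of the application
#   $2 = numeric uid (or name) of the account the daemon runs as

# Print every path under $1 that the service account could modify.
audit_tree() {
    dir=$1
    uid=$2
    # -user:       the owner can always chmod and then rewrite the file, and
    #              an owned directory lets it swap out the files inside.
    # -perm -0002: world-writable, so any account can rewrite it.
    # ! -type l:   symlink mode bits are not meaningful, skip them.
    find "$dir" ! -type l \( -user "$uid" -o -perm -0002 \) -print | sort
}

# Succeed (exit 0) only when nothing under $1 is modifiable by $2.
audit_ok() {
    [ -z "$(audit_tree "$1" "$2")" ]
}
```

A clean result means a compromise of the running process cannot persist by replacing the program's own files; any path printed is one to re-own to root or tighten.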
Comment 2 Michiel van Baak Jansen 2022-01-25 12:41:19 UTC
Created attachment 231309
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Don't chown binaries, take ownership.

Thanks for all the effort you put into the arrs feld@
Comment 3 Michiel van Baak Jansen 2022-01-25 15:32:09 UTC
Created attachment 231314
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Remove Sonarr.Update and use only version number for package_info (based on review from Taloth)
Comment 4 Michiel van Baak Jansen 2022-01-25 16:28:07 UTC
Created attachment 231317
0001-net-p2p-sonarr-Disable-built-in-updater-and-take-mai.patch

Add --debug to mono call. Fixes warning in logs and the sonarr devs state it should be added.
Comment 5 commit-hook freebsd_committer 2022-01-29 10:07:00 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e8162ac5393e1a1adb8e777e8314e13f1aab5d4a

commit e8162ac5393e1a1adb8e777e8314e13f1aab5d4a
Author:     Michiel van Baak Jansen <michiel@vanbaak.eu>
AuthorDate: 2022-01-29 10:06:24 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2022-01-29 10:06:24 +0000

    net-p2p/sonarr: Disable built-in updater and take maintainership

    PR:             261340

 net-p2p/sonarr/Makefile                    |  24 +++-
 net-p2p/sonarr/files/package_info.in (new) |   5 +
 net-p2p/sonarr/files/pkg-message.in (new)  |  26 ++++
 net-p2p/sonarr/files/sonarr.in             |   3 +-
 net-p2p/sonarr/pkg-plist (new)             | 217 +++++++++++++++++++++++++++++
 5 files changed, 268 insertions(+), 7 deletions(-)