Date: Sun, 3 Aug 2025 11:05:13 GMT From: Fernando Apesteguía <fernape@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: df2914ac4a - main - [phb][security]: Create VuXML checklist Message-ID: <202508031105.573B5DMV008921@gitrepo.freebsd.org>
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/doc/commit/?id=df2914ac4a93115b3200bcae194964d35f5f402e commit df2914ac4a93115b3200bcae194964d35f5f402e Author: Fernando Apesteguía <fernape@FreeBSD.org> AuthorDate: 2025-08-01 17:46:45 +0000 Commit: Fernando Apesteguía <fernape@FreeBSD.org> CommitDate: 2025-08-03 10:56:49 +0000 [phb][security]: Create VuXML checklist Create a short checklist with some important points to check before committing. Prompted by a mail by mandree@. Reviewed by: bcr@ Differential Revision: https://reviews.freebsd.org/D51695 --- .../en/books/porters-handbook/security/_index.adoc | 35 ++++++++++++++++++---- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc index f4cffaac96..53a7a4b793 100644 --- a/documentation/content/en/books/porters-handbook/security/_index.adoc +++ b/documentation/content/en/books/porters-handbook/security/_index.adoc 
@@ -316,11 +316,34 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html The former version matches while the latter one does not. [[security-xcheck-vuxml]] -=== Cross-checking Derivatives - -If an upstream project has a known vulnerability, check whether derivatives or -forks of the project included in the ports tree are also affected. +=== VuXML new entry checklist + +* Check the name of the port. +Sometimes the upstream project name is not exactly the same as the port name. +* Add all flavors. +When a port has flavors all the package names need to be added as a `<package>` in +the entry. +Use the following script to generate all flavored package names: ++ +[source,shell] +.... +% for flavor in $(make -V FLAVORS); do FLAVOR="${flavor}" make -VPKGNAME;done +.... ++ +* Check if the port has `PORTEPOCH`. +The above script snippet helps with that. +If the port uses `PORTEPOCH` it is mandatory to add it to the `<range>` tag. +* Double check ranges. +In the case of ranges limited on both sides, make sure that the `<ge>` and +`<lt>` elements are inside the same `<range>` tag. +Otherwise the entry might end up defining an overlapping range. +* Cross-check derivatives. +Check whether derivatives or forks of the project included in the ports tree are also affected. For example, if a vulnerability is discovered in package:www/firefox[], assess whether derivatives like package:www/librewolf[], package:www/waterfox[] or -other similar projects share the same vulnerability. Include all affected -derivatives in the VuXML entry, ensuring that users of these ports are informed. +other similar projects share the same vulnerability. +Include all affected derivatives in the VuXML entry, ensuring that users of these ports are informed. +Also check if there are Linux versions of the same port in the tree. +For instance, package:databases/sqlite3[] vulnerabilities most likely affect packages like +package:databases/linux-c7-sqlite3[] too. 
+* Do not commit an entry without running `make validate` first.
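Review bot: The `PORTEPOCH` bullet says "The above script snippet helps with that", but the snippet only loops over `$(make -V FLAVORS)`, so for a port without flavors it prints nothing and the committer never sees the `,N` epoch suffix; suggest adding the unflavored case alongside it (`% make -V PKGNAME`) and spelling out where the epoch goes, since "add it to the `<range>` tag" is imprecise: the epoch is part of the version string inside the comparison element, e.g. `<lt>1.2.3,1</lt>`, not an attribute of `<range>`. Two smaller points in the same hunk: in "Double check ranges", splitting `<ge>` and `<lt>` into separate `<range>` tags does not produce an "overlapping range" but two independent one-sided ranges whose union matches every version of the package, which is the actual failure mode worth naming; and the final bullet should say where `make validate` is run (the `security/vuxml` port directory, not the directory of the port being documented), otherwise a reader following the checklist from the affected port's directory will get a different target or none at all.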
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202508031105.573B5DMV008921>
