From nobody Sun Aug 3 11:05:13 2025
X-Original-To: dev-commits-doc-all@mlmmj.nyi.freebsd.org
Date: Sun, 3 Aug 2025 11:05:13 GMT
Message-Id: <202508031105.573B5DMV008921@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Fernando Apesteguía
Subject: git: df2914ac4a - main - [phb][security]: Create VuXML checklist
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@FreeBSD.org
X-Git-Committer: fernape
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: df2914ac4a93115b3200bcae194964d35f5f402e
Auto-Submitted: auto-generated

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=df2914ac4a93115b3200bcae194964d35f5f402e

commit df2914ac4a93115b3200bcae194964d35f5f402e
Author:     Fernando Apesteguía
AuthorDate: 2025-08-01 17:46:45 +0000
Commit:     Fernando Apesteguía
CommitDate: 2025-08-03 10:56:49 +0000

    [phb][security]: Create VuXML checklist

    Create a short checklist with some important points to check before
    committing.

    Prompted by a mail by mandree@.

    Reviewed by:    bcr@
    Differential Revision:  https://reviews.freebsd.org/D51695
---
 .../en/books/porters-handbook/security/_index.adoc | 35 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc
index f4cffaac96..53a7a4b793 100644
--- a/documentation/content/en/books/porters-handbook/security/_index.adoc
+++ b/documentation/content/en/books/porters-handbook/security/_index.adoc
@@ -316,11 +316,34 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html The former version matches while the latter one does not. [[security-xcheck-vuxml]] -=== Cross-checking Derivatives - -If an upstream project has a known vulnerability, check whether derivatives or -forks of the project included in the ports tree are also affected. +=== VuXML new entry checklist + +* Check the name of the port. +Sometimes the upstream project name is not exactly the same as the port name. +* Add all flavors. +When a port has flavors all the package names need to be added as a `` in +the entry. +Use the following script to generate all flavored package names: ++ +[source,shell] +.... +% for flavor in $(make -V FLAVORS); do FLAVOR="${flavor}" make -VPKGNAME;done +.... ++ +* Check if the port has `PORTEPOCH`. +The above script snippet helps with that. +If the port uses `PORTEPOCH` it is mandatory to add it to the `` tag. +* Double check ranges. +In the case of ranges limited on both sides, make sure that the `` and +`` elements are inside the same `` tag. +Otherwise the entry might end up defining an overlapping range. +* Cross-check derivatives. +Check whether derivatives or forks of the project included in the ports tree are also affected. For example, if a vulnerability is discovered in package:www/firefox[], assess whether derivatives like package:www/librewolf[], package:www/waterfox[] or -other similar projects share the same vulnerability. Include all affected -derivatives in the VuXML entry, ensuring that users of these ports are informed. +other similar projects share the same vulnerability. +Include all affected derivatives in the VuXML entry, ensuring that users of these ports are informed. +Also check if there are Linux versions of the same port in the tree. +For instance, package:databases/sqlite3[] vulnerabilities most likely affect packages like +package:databases/linux-c7-sqlite3[] too. 
+* Do not commit an entry without running `make validate` first.
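Review bot: the "Double check ranges" item understates the failure mode when the lower and upper bounds end up in separate range tags. Each range element under a package is an independent alternative, so one range carrying only the lower bound and another carrying only the upper bound are ORed together and between them match every version of the package; that is a false positive for every user of the port, not merely "an overlapping range", and the text should say so. Two smaller points on the same hunk: the flavor snippet uses sh command substitution `$(make -V FLAVORS)` behind a `%` user prompt, which does not parse under (t)csh, must be run from inside the port's directory, and prints nothing for a port without flavors, so state the working directory and the shell and note that an empty result means there is a single package name to add; and the last item should say that `make validate` is run in the security/vuxml port directory, where that target is defined. Finally, as rendered here the element names inside the backticks are empty ("added as a `` in the entry", "the `` and `` elements are inside the same `` tag"); confirm the committed source spells them out, since the checklist is unusable without them.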