Date:      Tue, 16 Jun 2020 04:11:14 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 247290] lang/python37: VuXML entries without category/portname form result in missing entries in freshports (Example python, not lang/python)
Message-ID:  <bug-247290-7788-U9HlOpgN10@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-247290-7788@https.bugs.freebsd.org/bugzilla/>
References:  <bug-247290-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247290

Kubilay Kocak <koobs@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://github.com/FreshPor
                   |                            |ts/freshports/issues/155
                 CC|                            |dvl@FreeBSD.org
             Status|New                         |Open
            Summary|lang/python37: entry (and   |lang/python37: VuXML
                   |others) in UPDATING needs   |entries without
                   |'lang/' added               |category/portname form
                   |                            |result in missing entries
                   |                            |in freshports (Example
                   |                            |python, not lang/python)

--- Comment #3 from Kubilay Kocak <koobs@FreeBSD.org> ---
I don't know how freshports parses vuxml, but perhaps it should be matching on
<packagename> entries, rather than the summary.

These package name entries are the canonical/authoritative and fully-structured
way of being able to determine which set of packages are affected by a
vulnerability.

Note: This of course doesn't solve for answering the question 'what *ports*
(port origins, not packages) are affected'.

This has come up in the past in a related form when I submitted a vulnerability
entry [1] for www/py-requests, and used the following form:

      <package>
        <name>py*-requests</name>
        <range><lt>2.20.0</lt></range>
      </package>

[1] https://svnweb.freebsd.org/changeset/ports/490936

I did this because EVERY possible package, for *any* Python version, past or
future, not just the versions currently in the tree, would be vulnerable.

`make validate` passed with this entry, but a different build process failed.
See the thread in svn-ports-all:

https://lists.freebsd.org/pipermail/svn-ports-all/2019-January/205691.html

Note also that pkg audit also worked with the glob pattern (see thread above).

-- 
You are receiving this mail because:
You are on the CC list for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-247290-7788-U9HlOpgN10>
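
Added example (not part of the original message, and not FreshPorts or pkg code): a sketch of matching on the structured <package>/<name> entries, using the py*-requests element quoted in the message against a constructed list of installed packages. Assumptions: Python's fnmatch stands in for the glob matching that pkg audit performs, version comparison is simplified to dotted integers, and the <affects> wrapper, the sample package list and the function names are made up for illustration.

```python
import fnmatch
import operator
import xml.etree.ElementTree as ET

# The <package> element from the message, wrapped in <affects> so it parses alone.
ENTRY = """
<affects>
  <package>
    <name>py*-requests</name>
    <range><lt>2.20.0</lt></range>
  </package>
</affects>
"""

# Constructed sample of installed packages (name, version); not from the page.
INSTALLED = [
    ("py27-requests", "2.19.1"),
    ("py36-requests", "2.19.1"),
    ("py37-requests", "2.21.0"),
    ("py311-requests", "2.18.4"),        # a flavour that did not exist in 2019
    ("py36-requests-toolbelt", "0.8.0"),  # similar name, must not match
    ("python37", "3.7.7"),
]

# VuXML range bounds map directly onto Python's comparison operators.
OPS = {tag: getattr(operator, tag) for tag in ("lt", "le", "gt", "ge", "eq")}

def vtuple(version):
    """Simplified comparison key: dotted integers only (no epoch/revision)."""
    return tuple(int(part) for part in version.split("."))

def affected(entry_xml, installed):
    """Return installed (name, version) pairs matched by any <package>."""
    hits = []
    for pkg in ET.fromstring(entry_xml).iter("package"):
        globs = [n.text for n in pkg.findall("name")]
        ranges = pkg.findall("range")
        for name, version in installed:
            if not any(fnmatch.fnmatchcase(name, g) for g in globs):
                continue
            # Every bound inside one <range> must hold; any <range> may match.
            if any(all(OPS[b.tag](vtuple(version), vtuple(b.text)) for b in r)
                   for r in ranges):
                hits.append((name, version))
    return hits

if __name__ == "__main__":
    for name, version in affected(ENTRY, INSTALLED):
        print(f"{name}-{version} is affected")
```

The glob covers py311-requests even though no such flavour existed when the entry was written, while py36-requests-toolbelt and python37 are left alone because the pattern has to match the whole package name.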