NetBSD Problem Report #42172

From www@NetBSD.org  Sun Oct 11 13:14:50 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 3A52663BA6C
	for <gnats-bugs@gnats.netbsd.org>; Sun, 11 Oct 2009 13:14:50 +0000 (UTC)
Message-Id: <20091011131450.0645D63B8B6@www.NetBSD.org>
Date: Sun, 11 Oct 2009 13:14:50 +0000 (UTC)
From: bughunting@xs4all.nl
Reply-To: bughunting@xs4all.nl
To: gnats-bugs@NetBSD.org
Subject: pkgtools/lintpkgsrc contains incorrect path to pkg-vulnerabilities file (plus: no internal version check available)
X-Send-Pr-Version: www-1.0

>Number:         42172
>Category:       pkg
>Synopsis:       pkgtools/lintpkgsrc contains incorrect path to pkg-vulnerabilities file (plus: no internal version check available)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 11 13:15:00 +0000 2009
>Closed-Date:    Sat Mar 12 09:06:50 +0000 2016
>Last-Modified:  Sat Mar 12 09:10:01 +0000 2016
>Originator:     Bug Hunting
>Release:        
>Organization:
>Environment:
>Description:
pkgtools/lintpkgsrc (version 4.82, from pkgsrc-current) uses an incorrect (outdated) path to the pkg-vulnerabilities file, which is also mentioned in its manpage.

On a side note, the program has no ability to check its own version number, the way pkgtools/pkglint has (`-V' or `--version').  Perhaps this has been left out purposely though, and `-V' is in use already as well.  However, for example, `-v' or `--version' (being the first option with two dashes, though) could optionally be used for this.  To add this functionality, the `-V|--version' code from pkgtools/pkglint could be used as a base.
>How-To-Repeat:
$ lintpkgsrc -V
Unable to open '/usr/pkgsrc/distfiles/pkg-vulnerabilities': No such file or directory


Also:

"man lintpkgsrc | less -ppkg-vulnerabilities"
>Fix:
No complete fix provided, but the following files should be altered / regenerated:

pkgtools/pkglint/files/lintpkgsrc.pl (line 135, at the least)
pkgtools/pkglint/files/lintpkgsrc.1 (line 163)
pkgtools/pkglint/files/lintpkgsrc.0 (should be regenerated)
pkgtools/pkglint/files/makevars.map (unsure, but mentions `PKGVULNDIR')

>Release-Note:

>Audit-Trail:
From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/42172
Date: Tue, 8 Mar 2016 23:14:24 +0100

 This appears to be even worse than the pkg-vulnerabilities file simply
 moving, as it is now gzipped, which the perl script doesn't seem to
 handle. What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"
 does not? If there is not a strong need for that functionality (and it
 seems there must not be if it has been broken for years), then are there
 any objections to simply removing the "-V" option? I'd be happy to submit
 a diff for that.

From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: Taylor Stearns <tstearns@pobox.com>
Subject: Re: pkg/42172
Date: Wed, 9 Mar 2016 10:59:32 +0100

 On Tue, Mar 08, 2016 at 10:15:01PM +0000, Taylor Stearns wrote:
 >  This appears to be even worse than the pkg-vulnerabilities file simply
 >  moving, as it is now gzipped, which the perl script doesn't seem to
 >  handle. What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"
 >  does not? If there is not a strong need for that functionality (and it
 >  seems there must not be if it has been broken for years), then are there
 >  any objections to simply removing the "-V" option? I'd be happy to submit
 >  a diff for that.

 I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.

 Thank you,
  Thomas

From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc: wiz@NetBSD.org
Subject: Re: pkg/42172
Date: Wed, 9 Mar 2016 13:23:49 +0000


 > I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.

 Patch attached. I'm not a perl expert, so would appreciate another pair
 of eyes. But existing commands (other than -V) do still work for me
 after the patch is applied. Changes are:

 * remove -V option from lintpkgsrc.pl
 * remove -V documentation from lintpkgsrc.{0,1}
 * don't special-case the vulnerabilities file in distfiles (.pl line
   1630) since it's not stored there anymore. 

 Regards,
 Taylor

 Attachment: lintpkgsrc.diff (text/plain, quoted-printable)

 Index: Makefile
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/Makefile,v
 retrieving revision 1.23
 diff -r1.23 Makefile
 3c3
 < PKGNAME=3D	lintpkgsrc-4.91
 ---
 > PKGNAME=3D	lintpkgsrc-4.92
 Index: files/lintpkgsrc.0
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.0,v
 retrieving revision 1.3
 diff -r1.3 lintpkgsrc.0
 7c7
 <      l=08li=08in=08nt=08tp=08pk=08kg=08gs=08sr=08rc=08c [-=08-B=08BD=08Dd=
 =08dL=08Ll=08lm=08mO=08Oo=08op=08pR=08Rr=08rS=08Su=08uV=08Vy=08yz=08z] [-=
 =08-E=08E _=08f_=08i_=08l_=08e] [-=08-g=08g _=08p_=08k_=08g_=08s_=08r_=08c_=
 =08m_=08a_=08p] [-=08-I=08I _=08f_=08i_=08l_=08e]
 ---
 >      l=08li=08in=08nt=08tp=08pk=08kg=08gs=08sr=08rc=08c [-=08-B=08BD=08Dd=
 =08dL=08Ll=08lm=08mO=08Oo=08op=08pR=08Rr=08rS=08Su=08uy=08yz=08z] [-=08-E=
 =08E _=08f_=08i_=08l_=08e] [-=08-g=08g _=08p_=08k_=08g_=08s_=08r_=08c_=08m_=
 =08a_=08p] [-=08-I=08I _=08f_=08i_=08l_=08e]
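 Review bot: lintpkgsrc.0 is the preformatted nroff rendering of lintpkgsrc.1 (the =08 sequences are quoted-printable backspace overstrikes), so this and the following lintpkgsrc.0 hunks should come from regenerating the file from the edited lintpkgsrc.1 rather than from hand edits; the reflowed paragraph in the 123,125c119,121 hunk indicates it was regenerated, which is the right way to keep the two files in sync.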
 44c44
 <                    -=08-V=08V, -=08-d=08d, -=08-g=08g, -=08-i=08i, -=08-p=
 =08p, or -=08-u=08u.
 ---
 >                    -=08-d=08d, -=08-g=08g, -=08-i=08i, -=08-p=08p, or -=
 =08-u=08u.
 53c53
 <                    the pkgsrc build system.  -=08-p=08p, -=08-R=08R, and =
 -=08-V=08V check for binary
 ---
 >                    the pkgsrc build system.  -=08-p=08p and -=08-R=08R ch=
 eck for binary
 110,113d109
 <      -=08-V=08V            List any prebuilt packages in any subdirs of _=
 =08P_=08A_=08C_=08K_=08A_=08G_=08E_=08S with
 <                    known vulnerabilities, based on the data in
 <                    _=08$_=08{_=08P_=08K_=08G_=08S_=08R_=08C_=08D_=08I_=08=
 R_=08}_=08/_=08d_=08i_=08s_=08t_=08f_=08i_=08l_=08e_=08s_=08/_=08p_=08k_=08=
 g_=08-_=08v_=08u_=08l_=08n_=08e_=08r_=08a_=08b_=08i_=08l_=08i_=08t_=08i_=08=
 e_=08s.
 <=20
 123,125c119,121
 <      The -=08-R=08R, -=08-V=08V, and -=08-p=08p options default to using =
 _=08P_=08A_=08C_=08K_=08A_=08G_=08E_=08S as the base
 <      directory from which to search for binary packages.  If this include=
 s OS
 <      or architecture information then packages for other OS/architecture
 ---
 >      The -=08-R=08R and -=08-p=08p options default to using _=08P_=08A_=
 =08C_=08K_=08A_=08G_=08E_=08S as the base directory
 >      from which to search for binary packages.  If this includes OS or
 >      architecture information then packages for other OS/architecture
 Index: files/lintpkgsrc.1
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.1,v
 retrieving revision 1.4
 diff -r1.4 lintpkgsrc.1
 13c13
 < .Op Fl BDdLlmOopRrSuVyz
 ---
 > .Op Fl BDdLlmOopRrSuyz
 65d64
 < .Fl V ,
 84,85c83
 < .Fl p ,
 < .Fl R ,
 ---
 > .Fl p
 87c85
 < .Fl V
 ---
 > .Fl R
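 Review bot: removing the trailing comma from `.Fl p` (84,85c83) and replacing `.Fl V` with `.Fl R` (87c85) is the correct way to shrink the three-item mdoc list to two; the corresponding "-p and -R check for binary" line in the lintpkgsrc.0 hunk confirms the rendered text carries no leftover comma.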
 160,164d157
 < .It Fl V
 < List any prebuilt packages in any subdirs of
 < .Em PACKAGES
 < with known vulnerabilities, based on the data in
 < .Pa ${PKGSRCDIR}/distfiles/pkg-vulnerabilities .
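 Review bot: the removed `.It Fl V` entry was the only place the man page documented the `${PKGSRCDIR}/distfiles/pkg-vulnerabilities` path that the original report flagged as outdated, so this hunk also closes the documentation half of the PR; nothing in the diff points former -V users at `pkg_admin audit`, and a one-line cross-reference in the DESCRIPTION would make the removal easier to discover.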
 175,176c168
 < .Fl R ,
 < .Fl V ,
 ---
 > .Fl R
 Index: files/lintpkgsrc.pl
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.pl,v
 retrieving revision 1.9
 diff -r1.9 lintpkgsrc.pl
 35d34
 <     %vuln,                        # vulnerability data
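 Review bot: dropping `%vuln` from the `my (...)` declaration is only safe if every use is gone too; the 256,273c254,255 and 430,441d411 hunks remove the two uses visible in this diff, and if the script runs under `use strict`, `perl -c lintpkgsrc.pl` will fail on any remaining reference, so run that before committing.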
 61d59
 <         || defined $opt{V}
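 Review bot: removing `|| defined $opt{V}` from a leading-operator `||` chain leaves the condition syntactically intact, but no hunk in this diff touches the getopts option specification that makes `-V` a recognised flag; if `V` stays in that string, `lintpkgsrc -V` is still accepted and silently does nothing instead of failing with a usage error, so remove it there as well.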
 256,273c254,255
 <     if ( $opt{p} || $opt{O} || $opt{R} || $opt{V} ) {
 <         if ( $opt{V} ) {
 <             my ($vuln) =3D "$pkgdistdir/pkg-vulnerabilities";
 <=20
 <             if ( !open( VULN, $vuln ) ) {
 <                 fail("Unable to open '$vuln': $!");
 <             }
 <             while (<VULN>) {
 <                 s/#.*//;
 <                 if (/([^*?[]+)(<|>|<=3D|>=3D)(\d\S+)/) {
 <                     my ( $pkg, $cmp, $ver ) =3D ( $1, $2, $3 );
 <                     push( @{ $vuln{$pkg} }, "$cmp $ver" );
 <                 }
 <             }
 <             close(VULN);
 <         }
 <=20
 <         if ( $opt{p} || $opt{O} || $opt{R} || $opt{V} ) {
 ---
 >     if ( $opt{p} || $opt{O} || $opt{R} ) {
 >         if ( $opt{p} || $opt{O} || $opt{R} ) {
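 Review bot: with the `$opt{V}` branch gone, the replacement leaves `if ( $opt{p} || $opt{O} || $opt{R} )` nested directly inside an identical `if`; the inner test is now redundant and the two blocks should be collapsed into one (dropping the matching closing brace) rather than carrying the duplicate condition forward.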
 430,441d411
 <         if ( $opt{V} && $vuln{$pkg} ) {
 <             foreach my $chk ( @{ $vuln{$pkg} } ) {
 <                 my ( $test, $matchver ) =3D split( ' ', $chk );
 <=20
 <                 if ( deweycmp( $ver, $test, $matchver ) ) {
 <                     print "$File::Find::dir/$_\n";
 <                     push( @matched_prebuiltpackages, "$File::Find::dir/$_=
 " );
 <                     last;
 <                 }
 <             }
 <         }
 <=20
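 Review bot: this hunk removes the only caller of `deweycmp` visible in the diff; check whether the function is still referenced elsewhere in lintpkgsrc.pl and, if not, remove it too so the script does not keep dead version-comparison code around. `@matched_prebuiltpackages` is still filled by the other branches, so that part is fine.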
 1629,1634d1598
 <     # Do not mark the vulnerabilities file as unknown
 <     $distfiles{'pkg-vulnerabilities'} =3D {
 <         path =3D> 'pkg-vulnerabilities',
 <         sum  =3D> 'IGNORE'
 <     };
 <=20
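 Review bot: with the `sum => 'IGNORE'` special case gone, a stale `distfiles/pkg-vulnerabilities` left behind from an older setup will now be reported like any other unknown distfile, which is the intended behaviour since the file is no longer stored there; it is worth saying so in the commit log so users are not surprised by the new report.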
 1742d1705
 <   -V : List known vulnerabilities


From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/42172
Date: Thu, 10 Mar 2016 16:28:57 +0700

     Date:        Wed,  9 Mar 2016 10:00:02 +0000 (UTC)
     From:        Thomas Klausner <wiz@NetBSD.org>
     Message-ID:  <20160309100002.074717ACC3@mollari.NetBSD.org>

   |  On Tue, Mar 08, 2016 at 10:15:01PM +0000, Taylor Stearns wrote:
   |  >  What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"

 I believe the difference is supposed to be that pkg_admin checks packages
 that have been installed, whereas lintpkgsrc -V is supposed to check binary
 package files (installed or not, but which could be installed) that have been
 compiled (or downloaded) sometime in the past.

 Whether it (lintpkgsrc -V) works or not, or is useful to anyone or not
 I couldn't say (I prefer to keep all my compiled binpkgs, vulnerable or not.)

 kre
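Taylor's note above that the feed is now shipped gzipped, and kre's explanation of what -V was meant to do (check stored binary package files, installed or not, against the vulnerability data), describe a small audit that is easy to reproduce outside the Perl script. The following is an added example, not code from lintpkgsrc, pkg_install or anyone in this thread: it parses the pkg-vulnerabilities line format (package pattern, vulnerability type, reference URL, `#` comments), accepts the file gzipped or plain by checking the gzip magic bytes, uses a simplified reimplementation of pkgsrc dewey version comparison (the nb suffix, alpha/beta/rc modifiers and a trailing letter are handled; it is not pkg_install's exact algorithm), and reports every `name-version.tgz` under a PACKAGES tree that an entry covers. All sample data is constructed. Python is used rather than the script's Perl only to keep the example self-contained.

```python
"""Audit stored pkgsrc binary packages against a pkg-vulnerabilities file.
Added illustration, not lintpkgsrc or pkg_install code; dewey rules simplified."""
import gzip
import os
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample (package-pattern, vulnerability-type, URL); all values invented.
SAMPLE_VULNS = """\
# constructed sample, not the real feed
#FORMAT 1.0.0
samba<3.0.2              remote-root-shell       http://example.invalid/a
openssl>=1.0.1<1.0.1g    information-disclosure  http://example.invalid/b
zlib-[0-9]*              denial-of-service       http://example.invalid/c
"""
# Constructed binary package file names, as they would appear under PACKAGES.
SAMPLE_PKGFILES = ["samba-3.0.1nb2.tgz", "samba-3.0.2.tgz", "openssl-1.0.1f.tgz",
                   "openssl-1.0.1g.tgz", "zlib-1.2.3.tgz", "README"]
Entry = Tuple[str, List[Tuple[str, str]], str]  # (pkgname, [(cmp, ver)], type)
_WILDCARD_RE = re.compile(r"^(\S+?)-\[0-9\]\*\s+(\S+)")  # name-[0-9]* form
_ENTRY_RE = re.compile(r"^([^\s<>=\[]+)((?:[<>]=?[^\s<>=]+)+)\s+(\S+)")
_CONSTRAINT_RE = re.compile(r"([<>]=?)([^<>=]+)")
_PKGFILE_RE = re.compile(r"^(.*)-(\d[^-]*)\.t[bg]z$")
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def decode_vuln_bytes(raw: bytes) -> str:
    """The feed is distributed gzipped; accept gzipped or plain text."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", "replace")

def gzipped_sample() -> bytes:  # gzipped copy of the sample, for testing
    return gzip.compress(SAMPLE_VULNS.encode())

def parse_vulns(text: str) -> List[Entry]:
    """Parse entries; '#' comments (including #FORMAT/#CHECKSUM) are dropped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _WILDCARD_RE.match(line)
        if m:  # every version of the package is affected
            entries.append((m.group(1), [], m.group(2)))
            continue
        m = _ENTRY_RE.match(line)
        if m:
            cons = [(op, ver) for op, ver in _CONSTRAINT_RE.findall(m.group(2))]
            entries.append((m.group(1), cons, m.group(3)))
    return entries

def dewey_key(version: str) -> Tuple[List[int], int]:
    """Numeric parts, alpha/beta/rc negative, a letter as its alphabet position, nbN apart."""
    nb, m = 0, re.search(r"nb(\d+)$", version)
    if m:
        nb, version = int(m.group(1)), version[:m.start()]
    parts: List[int] = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append(int(tok) if tok.isdigit()
                     else _MODIFIERS.get(tok.lower(), ord(tok[0].lower()) - 96))
    return parts, nb

def dewey_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is older than, equal to or newer than b."""
    pa, nba = dewey_key(a)
    pb, nbb = dewey_key(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (nba > nbb) - (nba < nbb)

def satisfies(version: str, constraints: List[Tuple[str, str]]) -> bool:
    return all(_OPS[op](dewey_cmp(version, ver)) for op, ver in constraints)

def split_pkgfile(path: str) -> Optional[Tuple[str, str]]:
    """'py27-foo-1.2nb3.tgz' -> ('py27-foo', '1.2nb3'); None if not a package."""
    m = _PKGFILE_RE.match(os.path.basename(path))
    return (m.group(1), m.group(2)) if m else None

def audit(pkgfiles: Iterable[str], entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (pkgfile, vulnerability-type) for every affected package file."""
    hits: List[Tuple[str, str]] = []
    for path in pkgfiles:
        nv = split_pkgfile(path)
        if nv:
            hits += [(path, vtype) for ename, cons, vtype in entries
                     if ename == nv[0] and satisfies(nv[1], cons)]
    return hits

def audit_directory(packages_dir: str, vuln_path: str) -> List[Tuple[str, str]]:
    """Walk a PACKAGES tree and check it against a (possibly gzipped) feed file."""
    with open(vuln_path, "rb") as fh:
        entries = parse_vulns(decode_vuln_bytes(fh.read()))
    files = [os.path.join(d, f) for d, _, fs in os.walk(packages_dir) for f in fs]
    return audit(files, entries)
```

Call `audit_directory(packages_dir, vuln_path)` with your PACKAGES directory and the path where `pkg_admin fetch-pkg-vulnerabilities` stored the feed; unlike the removed -V code, nothing here assumes `${PKGSRCDIR}/distfiles`. The real feed also carries a checksum trailer and pkg_admin can verify the file's signature; this example does neither, so treat it as a reporting step over a feed that pkg_admin has already fetched and checked.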

From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/42172
Date: Fri, 11 Mar 2016 15:18:13 +0000

  > From: Robert Elz <kre@munnari.OZ.AU>
  > Date: Thu, 10 Mar 2016 16:28:57 +0700
  >
  > I believe the difference is supposed to be that pkg_admin checks packages
  > that have been installed, whereas lintpkgsrc -V is supposed to check binary
  > package files (installed or not, but which could be installed) that have been
  > compiled (or downloaded) sometime in the past.

 Thanks for the explanation! That's very helpful.

  > Whether it (lintpkgsrc -V) works or not, or is useful to anyone or not
  > I couldn't say (I prefer to keep all my compiled binpkgs, vulnerable or not.)

 So I'd argue that the functionality described above should be treated as
 a new feature request if anybody wants to resurrect it, and in the meantime
 we should remove the old (non-working) code and references to it in
 documentation. Any objections to that, in the above patch?

 -Taylor

State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sat, 12 Mar 2016 09:06:50 +0000
State-Changed-Why:
Removed -V using Taylor's patch, thanks for the PR!


From: "Thomas Klausner" <wiz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42172 CVS commit: pkgsrc/pkgtools/lintpkgsrc
Date: Sat, 12 Mar 2016 09:05:22 +0000

 Module Name:	pkgsrc
 Committed By:	wiz
 Date:		Sat Mar 12 09:05:22 UTC 2016

 Modified Files:
 	pkgsrc/pkgtools/lintpkgsrc: Makefile
 	pkgsrc/pkgtools/lintpkgsrc/files: lintpkgsrc.0 lintpkgsrc.1
 	    lintpkgsrc.pl

 Log Message:
 Remove non-working -V option from lintpkgsrc. Bump version.

 From Taylor Stearns <tstearns@pobox.com> in PR 42172.


 To generate a diff of this commit:
 cvs rdiff -u -r1.23 -r1.24 pkgsrc/pkgtools/lintpkgsrc/Makefile
 cvs rdiff -u -r1.3 -r1.4 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.0
 cvs rdiff -u -r1.4 -r1.5 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.1
 cvs rdiff -u -r1.9 -r1.10 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.pl

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Thomas Klausner <wiz@NetBSD.org>
To: Taylor Stearns <tstearns@pobox.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: pkg/42172
Date: Sat, 12 Mar 2016 10:07:00 +0100

 On Wed, Mar 09, 2016 at 01:23:49PM +0000, Taylor Stearns wrote:
 > > I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.
 > 
 > Patch attached. I'm not a perl expert, so would appreciate another pair
 > of eyes. But existing commands (other than -V) do still work for me
 > after the patch is applied. Changes are:
 > 
 > * remove -V option from lintpkgsrc.pl
 > * remove -V documentation from lintpkgsrc.{0,1}
 > * don't special-case the vulnerabilities file in distfiles (.pl line
 >   1630) since it's not stored there anymore. 

 Thank you, committed!
  Thomas

>Unformatted:
