NetBSD Problem Report #42172
From www@NetBSD.org Sun Oct 11 13:14:50 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 3A52663BA6C
for <gnats-bugs@gnats.netbsd.org>; Sun, 11 Oct 2009 13:14:50 +0000 (UTC)
Message-Id: <20091011131450.0645D63B8B6@www.NetBSD.org>
Date: Sun, 11 Oct 2009 13:14:50 +0000 (UTC)
From: bughunting@xs4all.nl
Reply-To: bughunting@xs4all.nl
To: gnats-bugs@NetBSD.org
Subject: pkgtools/lintpkgsrc contains incorrect path to pkg-vulnerabilities file (plus: no internal version check available)
X-Send-Pr-Version: www-1.0
>Number: 42172
>Category: pkg
>Synopsis: pkgtools/lintpkgsrc contains incorrect path to pkg-vulnerabilities file (plus: no internal version check available)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 11 13:15:00 +0000 2009
>Closed-Date: Sat Mar 12 09:06:50 +0000 2016
>Last-Modified: Sat Mar 12 09:10:01 +0000 2016
>Originator: Bug Hunting
>Release:
>Organization:
>Environment:
>Description:
pkgtools/lintpkgsrc (version 4.82, from pkgsrc-current) uses an incorrect (outdated) path to the pkg-vulnerabilities file, which is also mentioned in its manpage.
On a side note, the program has no ability to check its own version number, the way pkgtools/pkglint has (`-V' or `--version'). Perhaps this has been left out purposely though, and `-V' is in use already as well. However, for example, `-v' or `--version' (being the first option with two dashes, though) could optionally be used for this. To add this functionality, the `-V|--version' code from pkgtools/pkglint could be used as a base.
>How-To-Repeat:
$ lintpkgsrc -V
Unable to open '/usr/pkgsrc/distfiles/pkg-vulnerabilities': No such file or directory
Also:
"man lintpkgsrc | less -ppkg-vulnerabilities"
>Fix:
No complete fix provided, but the following files should be altered / regenerated:
pkgtools/pkglint/files/lintpkgsrc.pl (line 135, at the least)
pkgtools/pkglint/files/lintpkgsrc.1 (line 163)
pkgtools/pkglint/files/lintpkgsrc.0 (should be regenerated)
pkgtools/pkglint/files/makevars.map (unsure, but mentions `PKGVULNDIR')
>Release-Note:
>Audit-Trail:
From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/42172
Date: Tue, 8 Mar 2016 23:14:24 +0100
This appears to be even worse than the pkg-vulnerabilities file simply
moving, as it is now gzipped, which the perl script doesn't seem to
handle. What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"
does not? If there is not a strong need for that functionality (and it
seems there must not be if it has been broken for years), then are there
any objections to simply removing the "-V" option? I'd be happy to submit
a diff for that.
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: Taylor Stearns <tstearns@pobox.com>
Subject: Re: pkg/42172
Date: Wed, 9 Mar 2016 10:59:32 +0100
On Tue, Mar 08, 2016 at 10:15:01PM +0000, Taylor Stearns wrote:
> This appears to be even worse than the pkg-vulnerabilities file simply
> moving, as it is now gzipped, which the perl script doesn't seem to
> handle. What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"
> does not? If there is not a strong need for that functionality (and it
> seems there must not be if it has been broken for years), then are there
> any objections to simply removing the "-V" option? I'd be happy to submit
> a diff for that.
I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.
Thank you,
Thomas
From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc: wiz@NetBSD.org
Subject: Re: pkg/42172
Date: Wed, 9 Mar 2016 13:23:49 +0000
> I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.
Patch attached. I'm not a perl expert, so would appreciate another pair
of eyes. But existing commands (other than -V) do still work for me
after the patch is applied. Changes are:
* remove -V option from lintpkgsrc.pl
* remove -V documentation from lintpkgsrc.{0,1}
* don't special-case the vulnerabilities file in distfiles (.pl line
1630) since it's not stored there anymore.
Regards,
Taylor
Attachment: lintpkgsrc.diff
Index: Makefile
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/Makefile,v
retrieving revision 1.23
diff -r1.23 Makefile
3c3
< PKGNAME=3D lintpkgsrc-4.91
---
> PKGNAME=3D lintpkgsrc-4.92
Index: files/lintpkgsrc.0
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.0,v
retrieving revision 1.3
diff -r1.3 lintpkgsrc.0
7c7
< l=08li=08in=08nt=08tp=08pk=08kg=08gs=08sr=08rc=08c [-=08-B=08BD=08Dd=
=08dL=08Ll=08lm=08mO=08Oo=08op=08pR=08Rr=08rS=08Su=08uV=08Vy=08yz=08z] [-=
=08-E=08E _=08f_=08i_=08l_=08e] [-=08-g=08g _=08p_=08k_=08g_=08s_=08r_=08c_=
=08m_=08a_=08p] [-=08-I=08I _=08f_=08i_=08l_=08e]
---
> l=08li=08in=08nt=08tp=08pk=08kg=08gs=08sr=08rc=08c [-=08-B=08BD=08Dd=
=08dL=08Ll=08lm=08mO=08Oo=08op=08pR=08Rr=08rS=08Su=08uy=08yz=08z] [-=08-E=
=08E _=08f_=08i_=08l_=08e] [-=08-g=08g _=08p_=08k_=08g_=08s_=08r_=08c_=08m_=
=08a_=08p] [-=08-I=08I _=08f_=08i_=08l_=08e]
44c44
< -=08-V=08V, -=08-d=08d, -=08-g=08g, -=08-i=08i, -=08-p=
=08p, or -=08-u=08u.
---
> -=08-d=08d, -=08-g=08g, -=08-i=08i, -=08-p=08p, or -=
=08-u=08u.
53c53
< the pkgsrc build system. -=08-p=08p, -=08-R=08R, and =
-=08-V=08V check for binary
---
> the pkgsrc build system. -=08-p=08p and -=08-R=08R ch=
eck for binary
110,113d109
< -=08-V=08V List any prebuilt packages in any subdirs of _=
=08P_=08A_=08C_=08K_=08A_=08G_=08E_=08S with
< known vulnerabilities, based on the data in
< _=08$_=08{_=08P_=08K_=08G_=08S_=08R_=08C_=08D_=08I_=08=
R_=08}_=08/_=08d_=08i_=08s_=08t_=08f_=08i_=08l_=08e_=08s_=08/_=08p_=08k_=08=
g_=08-_=08v_=08u_=08l_=08n_=08e_=08r_=08a_=08b_=08i_=08l_=08i_=08t_=08i_=08=
e_=08s.
<=20
123,125c119,121
< The -=08-R=08R, -=08-V=08V, and -=08-p=08p options default to using =
_=08P_=08A_=08C_=08K_=08A_=08G_=08E_=08S as the base
< directory from which to search for binary packages. If this include=
s OS
< or architecture information then packages for other OS/architecture
---
> The -=08-R=08R and -=08-p=08p options default to using _=08P_=08A_=
=08C_=08K_=08A_=08G_=08E_=08S as the base directory
> from which to search for binary packages. If this includes OS or
> architecture information then packages for other OS/architecture
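Review bot: lintpkgsrc.0 is the formatted output of lintpkgsrc.1, and the hunks here (7c7 through 123,125c119,121) hand-edit the backspace-overstrike rendering, including a reflowed paragraph in 123,125c119,121; it is safer to regenerate the .0 file from the patched .1 (as the original report under >Fix: also suggests) so the two copies cannot drift apart.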
Index: files/lintpkgsrc.1
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.1,v
retrieving revision 1.4
diff -r1.4 lintpkgsrc.1
13c13
< .Op Fl BDdLlmOopRrSuVyz
---
> .Op Fl BDdLlmOopRrSuyz
65d64
< .Fl V ,
84,85c83
< .Fl p ,
< .Fl R ,
---
> .Fl p
87c85
< .Fl V
---
> .Fl R
160,164d157
< .It Fl V
< List any prebuilt packages in any subdirs of
< .Em PACKAGES
< with known vulnerabilities, based on the data in
< .Pa ${PKGSRCDIR}/distfiles/pkg-vulnerabilities .
175,176c168
< .Fl R ,
< .Fl V ,
---
> .Fl R
Index: files/lintpkgsrc.pl
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.pl,v
retrieving revision 1.9
diff -r1.9 lintpkgsrc.pl
35d34
< %vuln, # vulnerability data
61d59
< || defined $opt{V}
256,273c254,255
< if ( $opt{p} || $opt{O} || $opt{R} || $opt{V} ) {
< if ( $opt{V} ) {
< my ($vuln) =3D "$pkgdistdir/pkg-vulnerabilities";
<=20
< if ( !open( VULN, $vuln ) ) {
< fail("Unable to open '$vuln': $!");
< }
< while (<VULN>) {
< s/#.*//;
< if (/([^*?[]+)(<|>|<=3D|>=3D)(\d\S+)/) {
< my ( $pkg, $cmp, $ver ) =3D ( $1, $2, $3 );
< push( @{ $vuln{$pkg} }, "$cmp $ver" );
< }
< }
< close(VULN);
< }
<=20
< if ( $opt{p} || $opt{O} || $opt{R} || $opt{V} ) {
---
> if ( $opt{p} || $opt{O} || $opt{R} ) {
> if ( $opt{p} || $opt{O} || $opt{R} ) {
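Review bot: the replacement side of hunk 256,273c254,255 leaves two nested `if ( $opt{p} || $opt{O} || $opt{R} ) {` with identical conditions (the inner one is the former guard that also tested `$opt{V}`); the inner test is now redundant, so consider dropping it and dedenting its body, taking care to remove the matching closing brace as well.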
430,441d411
< if ( $opt{V} && $vuln{$pkg} ) {
< foreach my $chk ( @{ $vuln{$pkg} } ) {
< my ( $test, $matchver ) =3D split( ' ', $chk );
<=20
< if ( deweycmp( $ver, $test, $matchver ) ) {
< print "$File::Find::dir/$_\n";
< push( @matched_prebuiltpackages, "$File::Find::dir/$_=
" );
< last;
< }
< }
< }
<=20
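Review bot: hunk 430,441d411 removes the only call to `deweycmp` visible in this diff together with the `$vuln{$pkg}` lookup; please check whether `deweycmp` still has other callers in lintpkgsrc.pl and remove it too if this was the last one, so the option removal does not leave dead code behind.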
1629,1634d1598
< # Do not mark the vulnerabilities file as unknown
< $distfiles{'pkg-vulnerabilities'} =3D {
< path =3D> 'pkg-vulnerabilities',
< sum =3D> 'IGNORE'
< };
<=20
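Review bot: hunk 1629,1634d1598 drops the `sum => 'IGNORE'` special case, so a stale `${PKGSRCDIR}/distfiles/pkg-vulnerabilities` left over from before the file moved will from now on be reported as an unknown distfile; that is consistent with the file no longer living there, but it is a user-visible change worth a line in the commit message.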
1742d1705
< -V : List known vulnerabilities
From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/42172
Date: Thu, 10 Mar 2016 16:28:57 +0700
Date: Wed, 9 Mar 2016 10:00:02 +0000 (UTC)
From: Thomas Klausner <wiz@NetBSD.org>
Message-ID: <20160309100002.074717ACC3@mollari.NetBSD.org>
| On Tue, Mar 08, 2016 at 10:15:01PM +0000, Taylor Stearns wrote:
| > What functionality does "lintpkgsrc -V" provide that "pkg_admin audit"
I believe the difference is supposed to be that pkg_admin checks packages
that have been installed, whereas lintpkgsrc -V is supposed to check binary
package files (installed or not, but which could be installed) that have been
compiled (or downloaded) sometime in the past.
Whether it (lintpkgsrc -V) works or not, or is useful to anyone or not
I couldn't say (I prefer to keep all my compiled binpkgs, vulnerable or not.)
kre
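The distinction drawn above (pkg_admin audit checks installed packages, lintpkgsrc -V was meant to check binary package files lying in a PACKAGES tree) and the gzip problem raised earlier in the thread can both be shown with a small stand-alone checker. The following is an added example written for this page; it is not code from lintpkgsrc, pkg_admin or pkgsrc, and it is in Python rather than the Perl of the original script. It parses the `pkg<op>version type url` line format that the removed Perl code parsed, accepts the gzipped file as well as plain text, and matches binary package file names against the entries. The sample advisory lines, package names and URLs are constructed for the example, and the dewey comparison is a simplification (numeric components plus an nbN revision; alpha/beta/rc suffixes are not modelled).

```python
import gzip
import re
from pathlib import Path

# Constructed sample in the line format the removed lintpkgsrc code parsed:
# "<pkg><op><version> <type> <url>". These entries are invented for the
# example and are not real pkgsrc advisories.
SAMPLE_VULNS = b"""\
# constructed sample, not a real pkg-vulnerabilities file
examplelib<1.2.4   remote-code-execution  http://example.invalid/adv-1
exampled>=2.0      denial-of-service      http://example.invalid/adv-2
"""

# package name (no glob characters or operators), operator, version, type, url
VULN_RE = re.compile(r"^([^*?\[\s<>]+)(<=|>=|<|>)(\d\S*)\s+(\S+)\s+(\S+)")
# binary package file name: "<name>-<version>.tgz", the version starts with a digit
PKGFILE_RE = re.compile(r"^(.+)-(\d[^-]*)\.t[bg]z$")


def load_vulns(data):
    """Parse pkg-vulnerabilities content from bytes.
    Accepts the gzipped form (the case the thread says the old Perl code did
    not handle) as well as plain text.
    Returns {pkgname: [(op, version, type, url), ...]}."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    vulns = {}
    for line in data.decode("utf-8", "replace").splitlines():
        # strip '#' comments the same way the removed Perl code did (s/#.*//)
        line = re.sub(r"#.*", "", line).strip()
        m = VULN_RE.match(line)
        if m:
            pkg, op, ver, kind, url = m.groups()
            vulns.setdefault(pkg, []).append((op, ver, kind, url))
    return vulns


def dewey(ver):
    """Simplified pkgsrc dewey split: numeric components of the base version
    plus the nbN revision as a separate trailing number (1.2.3nb2 > 1.2.3)."""
    base, _, nb = ver.partition("nb")
    parts = [int(p) for p in re.findall(r"\d+", base)]
    return parts, int(nb or 0)


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing version a with version b; 1.2 == 1.2.0."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    key_a, key_b = (pa, na), (pb, nb)
    return (key_a > key_b) - (key_a < key_b)


def version_matches(ver, op, ref):
    """True when 'ver <op> ref' holds for the operators used in the file."""
    c = dewey_cmp(ver, ref)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def audit_files(filenames, vulns):
    """Report binary package files whose name and version hit an entry.
    Returns [(filename, type, url)], first matching entry per file."""
    hits = []
    for fn in filenames:
        m = PKGFILE_RE.match(fn)
        if not m:
            continue
        name, ver = m.groups()
        for op, ref, kind, url in vulns.get(name, []):
            if version_matches(ver, op, ref):
                hits.append((fn, kind, url))
                break
    return hits


def audit_packages_dir(packages_dir, vulns_path):
    """Walk a PACKAGES tree (the 'binary package files, installed or not'
    case described in the thread) and audit every .tgz/.tbz found under it."""
    vulns = load_vulns(Path(vulns_path).read_bytes())
    files = sorted(p.name for p in Path(packages_dir).rglob("*.t[bg]z"))
    return audit_files(files, vulns)


if __name__ == "__main__":
    # stand-alone demo on the constructed sample, fed through gzip
    v = load_vulns(gzip.compress(SAMPLE_VULNS))
    for hit in audit_files(["examplelib-1.2.3nb1.tgz", "examplelib-1.2.4.tgz",
                            "exampled-2.0.tgz", "other-1.0.tgz"], v):
        print(*hit)
```

`audit_packages_dir` is the piece that corresponds to the removed `-V` behaviour: point it at a PACKAGES directory and at a (possibly gzipped) pkg-vulnerabilities file and it lists the package files that would be flagged, whether or not they are installed.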
From: Taylor Stearns <tstearns@pobox.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/42172
Date: Fri, 11 Mar 2016 15:18:13 +0000
> From: Robert Elz <kre@munnari.OZ.AU>
> Date: Thu, 10 Mar 2016 16:28:57 +0700
>
> I believe the difference is supposed to be that pkg_admin checks packages
> that have been installed, whereas lintpkgsrc -V is supposed to check binary
> package files (installed or not, but which could be installed) that have been
> compiled (or downloaded) sometime in the past.
Thanks for the explanation! That's very helpful.
> Whether it (lintpkgsrc -V) works or not, or is useful to anyone or not
> I couldn't say (I prefer to keep all my compiled binpkgs, vulnerable or not.)
So I'd argue that the functionality described above should be treated as
a new feature request if anybody wants to resurrect it, and in the meantime
we should remove the old (non-working) code and references to it in
documentation. Any objections to that, in the above patch?
-Taylor
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sat, 12 Mar 2016 09:06:50 +0000
State-Changed-Why:
Removed -V using Taylor's patch, thanks for the PR!
From: "Thomas Klausner" <wiz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/42172 CVS commit: pkgsrc/pkgtools/lintpkgsrc
Date: Sat, 12 Mar 2016 09:05:22 +0000
Module Name: pkgsrc
Committed By: wiz
Date: Sat Mar 12 09:05:22 UTC 2016
Modified Files:
pkgsrc/pkgtools/lintpkgsrc: Makefile
pkgsrc/pkgtools/lintpkgsrc/files: lintpkgsrc.0 lintpkgsrc.1
lintpkgsrc.pl
Log Message:
Remove non-working -V option from lintpkgsrc. Bump version.
From Taylor Stearns <tstearns@pobox.com> in PR 42172.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/pkgtools/lintpkgsrc/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.0
cvs rdiff -u -r1.4 -r1.5 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.1
cvs rdiff -u -r1.9 -r1.10 pkgsrc/pkgtools/lintpkgsrc/files/lintpkgsrc.pl
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Thomas Klausner <wiz@NetBSD.org>
To: Taylor Stearns <tstearns@pobox.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: pkg/42172
Date: Sat, 12 Mar 2016 10:07:00 +0100
On Wed, Mar 09, 2016 at 01:23:49PM +0000, Taylor Stearns wrote:
> > I don't think anyone should use lintpkgsrc -V. Please send the suggested patches.
>
> Patch attached. I'm not a perl expert, so would appreciate another pair
> of eyes. But existing commands (other than -V) do still work for me
> after the patch is applied. Changes are:
>
> * remove -V option from lintpkgsrc.pl
> * remove -V documentation from lintpkgsrc.{0,1}
> * don't special-case the vulnerabilities file in distfiles (.pl line
> 1630) since it's not stored there anymore.
Thank you, committed!
Thomas
>Unformatted: