| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | <!-- $NetBSD: fixes.xml,v 1.162 2021/07/06 16:57:09 schmonz Exp $ --> | | 1 | <!-- $NetBSD: fixes.xml,v 1.163 2021/08/22 16:27:50 wiz Exp $ --> |
2 | | | 2 | |
3 | <chapter id="fixes"> <?dbhtml filename="fixes.html"?> | | 3 | <chapter id="fixes"> <?dbhtml filename="fixes.html"?> |
4 | <title>Making your package work</title> | | 4 | <title>Making your package work</title> |
5 | | | 5 | |
6 | <sect1 id="general-operation"> | | 6 | <sect1 id="general-operation"> |
7 | <title>General operation</title> | | 7 | <title>General operation</title> |
8 | | | 8 | |
9 | <para>One appealing feature of pkgsrc is that it runs on many | | 9 | <para>One appealing feature of pkgsrc is that it runs on many |
10 | different platforms. As a result, it is important to ensure, | | 10 | different platforms. As a result, it is important to ensure, |
11 | where possible, that packages in pkgsrc are portable. This | | 11 | where possible, that packages in pkgsrc are portable. This |
12 | chapter mentions some particular details you should pay | | 12 | chapter mentions some particular details you should pay |
13 | attention to while working on pkgsrc.</para> | | 13 | attention to while working on pkgsrc.</para> |
14 | | | 14 | |
| @@ -557,41 +557,76 @@ CONFLICTS= libXaw3d-[0-9]* | | | @@ -557,41 +557,76 @@ CONFLICTS= libXaw3d-[0-9]* |
557 | installed, the <varname>PKG_PRESERVE</varname> definition should | | 557 | installed, the <varname>PKG_PRESERVE</varname> definition should |
558 | be set in the package Makefile. This will be carried into any | | 558 | be set in the package Makefile. This will be carried into any |
559 | binary package that is made from this pkgsrc entry. A | | 559 | binary package that is made from this pkgsrc entry. A |
560 | <quote>preserved</quote> package will | | 560 | <quote>preserved</quote> package will |
561 | not be deleted using &man.pkg.delete.1; unless the | | 561 | not be deleted using &man.pkg.delete.1; unless the |
562 | <quote>-f</quote> option is used.</para> | | 562 | <quote>-f</quote> option is used.</para> |
563 | </sect2> | | 563 | </sect2> |
564 | | | 564 | |
565 | | | 565 | |
566 | <sect2 id="security-handling"> | | 566 | <sect2 id="security-handling"> |
567 | <title>Handling packages with security problems</title> | | 567 | <title>Handling packages with security problems</title> |
568 | | | 568 | |
569 | <para>When a vulnerability is found, this should be noted in | | 569 | <para>When a vulnerability is found, this should be noted in |
570 | <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>, | | 570 | <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>. |
571 | and after committing that file, ask pkgsrc-security@NetBSD.org to | | 571 | Entries in that file consist of three parts:</para> |
| | | 572 | <itemizedlist> |
| | | 573 | <listitem><para>package version pattern</para></listitem> |
| | | 574 | <listitem><para>type of vulnerability (please cut'n'paste an existing one where possible)</para></listitem> |
| | | 575 | <listitem><para>URL providing additional information about the issue</para></listitem> |
| | | 576 | </itemizedlist> |
| | | 577 | |
| | | 578 | <para>For the package version pattern please always use `<' to |
| | | 579 | mark an upper bound (not `<='!). This will avoid possible |
| | | 580 | problems due unrelated <varname>PKGREVISION</varname> bumps not |
| | | 581 | related to security fixes. Lower bounds can be added too, using |
| | | 582 | '>' or '>='. For example, |
| | | 583 | <quote><literal>foo>'=1<1.2</literal></quote> would mark |
| | | 584 | versions 1.0 (included) to 1.2 (excluded) of |
| | | 585 | <quote><literal>foo</literal></quote> as affected by the security |
| | | 586 | issue.</para> |
| | | 587 | |
| | | 588 | <para>Entries should always be added at the bottom of the file.</para> |
| | | 589 | |
| | | 590 | <para>When fixing packages, please modify the upper bound of the |
| | | 591 | corresponding entry. To continue the previous example, if a fix |
| | | 592 | was backported to version 1.1nb2, change the previous pattern to |
| | | 593 | <quote><literal>foo>'=1<1.1nb2</literal></quote>.</para> |
| | | 594 | |
| | | 595 | <para>To locally test a package version pattern against a |
| | | 596 | <varname>PKGNAME</varname> you can use the <command>pkg_admin |
| | | 597 | pmatch</command> command.</para> |
| | | 598 | |
| | | 599 | <para>The URL should be as permanent as possible and provide as |
| | | 600 | much information about the issue as possible. CVE entries are |
| | | 601 | preferred.</para> |
| | | 602 | |
| | | 603 | <para>After committing that file, ask pkgsrc-security@NetBSD.org to |
572 | update the file on ftp.NetBSD.org.</para> | | 604 | update the file on ftp.NetBSD.org.</para> |
573 | | | 605 | |
574 | <para>After fixing the vulnerability by a patch, its | | 606 | <para>After fixing the vulnerability by a patch, its |
575 | <varname>PKGREVISION</varname> should be increased (this is of | | 607 | <varname>PKGREVISION</varname> should be increased (this is of |
576 | course not necessary if the problem is fixed by using a newer | | 608 | course not necessary if the problem is fixed by using a newer |
577 | release of the software), and the pattern in the | | 609 | release of the software), and the pattern in the |
578 | pkg-vulnerabilities file must be updated.</para> | | 610 | pkg-vulnerabilities file must be updated.</para> |
579 | | | 611 | |
580 | <para>Also, if the fix should be applied to the stable pkgsrc | | 612 | <para>Also, if the fix should be applied to the stable pkgsrc |
581 | branch, be sure to submit a pullup request!</para> | | 613 | branch, be sure to submit a pullup request!</para> |
582 | | | 614 | |
583 | <para>Binary packages already on ftp.NetBSD.org will be handled | | 615 | <para>Binary packages already on ftp.NetBSD.org will be handled |
584 | semi-automatically by a weekly cron job.</para> | | 616 | semi-automatically by a weekly cron job.</para> |
| | | 617 | |
| | | 618 | <para>In case a security issue is disputed, please contact |
| | | 619 | pkgsrc-security@NetBSD.org.</para> |
585 | </sect2> | | 620 | </sect2> |
586 | | | 621 | |
587 | | | 622 | |
588 | <sect2 id="bumping-pkgrevision"> | | 623 | <sect2 id="bumping-pkgrevision"> |
589 | <title>How to handle incrementing versions when fixing an existing package</title> | | 624 | <title>How to handle incrementing versions when fixing an existing package</title> |
590 | | | 625 | |
591 | <para>When making fixes to an existing package it can be useful | | 626 | <para>When making fixes to an existing package it can be useful |
592 | to change the version number in <varname>PKGNAME</varname>. To | | 627 | to change the version number in <varname>PKGNAME</varname>. To |
593 | avoid conflicting with future versions by the original author, a | | 628 | avoid conflicting with future versions by the original author, a |
594 | <quote>nb1</quote>, <quote>nb2</quote>, ... suffix can be used | | 629 | <quote>nb1</quote>, <quote>nb2</quote>, ... suffix can be used |
595 | on package versions by setting <varname>PKGREVISION=1</varname> | | 630 | on package versions by setting <varname>PKGREVISION=1</varname> |
596 | (2, ...). The <quote>nb</quote> is treated like a | | 631 | (2, ...). The <quote>nb</quote> is treated like a |
597 | <quote>.</quote> by the package tools. e.g.</para> | | 632 | <quote>.</quote> by the package tools. e.g.</para> |
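Review bot: the two example patterns in the new version-pattern text contain a stray apostrophe that makes the documented syntax wrong: `foo>'=1<1.2` and `foo>'=1<1.1nb2` should read `foo>=1<1.2` and `foo>=1<1.1nb2`, matching the `'>' or '>='` operators introduced just before them. Since this is DocBook XML, also confirm that the bare `<` and `<=` in the new paragraph about upper bounds, and the `<` inside the `<literal>` elements, are written as `&lt;` in the committed source, otherwise the file will not parse. Minor wording in the same paragraph: "problems due unrelated PKGREVISION bumps not related to security fixes" should be "problems due to unrelated PKGREVISION bumps", as "not related to security fixes" repeats "unrelated".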