pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: pkgsrc-2017Q1 released

Thanks for the update on how to proceed and the insight into the inner workings of pkg.

Am 11.04.2017 um 03:07 schrieb Greg Troxel <>:
> pkgsrc tries hard to keep track of versions that are affected by various
> issues (usually captured by a CVE code).  When a package is patched for
> that CVE, we adjust the entry in pkg-vulnerabilities.  To help keep
> track of which are patched and which are not, we try to have comments in
> the patch files (before the diff hunks) that say 1) what the patch does,
> and for security patches to give the CVE ref and 2) where the patch came
> from.  Often a patch is taken from upstream svn/git/etc., and has been
> applied to head or a release branch after the latest release.
OK, I did not know that.  So my patch is not completely in line with that.
Hopefully I can recontruct the sources (probably from the arc mailinglist and some linux repository).

> Also, I wonder how you are making patches.  If you use mkpatches (from
> pkgtools/pkgdiff), it will create files with our more recent naming
> convention based on files names instead of -aa.

Thanks for this information.  I wasn’t aware of that, so I just used cvs diff…
It was intended to prevent local issues until someone else fixes it officially.  
Now this turns out not to be the best plan in a community driven effort ;-)
> The two current entries are
> arc<5.21enb2            insecure-temp-files   
> arc-[0-9]*              directory-traversal   
> I'm guessing your fix is for the directory traversal issue.

Your guess is correct.
> In general, if you have changes to pkgsrc that can just be applied after
> review, sending a patch to pkgsrc to this list is a good plan.
> Do you know if arc has released a fixed version?  Might you be able to
> poke them to do that?

I will try to find out, but it seems that no newer version exists (sourceforge, at least).  All the linux distros i have seen so far have individual patched versions of 5.21p.  So I guess we’ll have to live with a patched 5.21p for the forseeable future.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Home | Main Index | Thread Index | Old Index