Subject: Re: xpm and builtin
To: None <tech-pkg@netbsd.org>
From: Christopher W. Richardson <cwr@nexthop.com>
List: tech-pkg
Date: 01/03/2005 13:19:38
Hi,

xpm-3.4knb2 appears to have had a security vulnerability for a
while now (ok, not a very long while, but longer than I'm used to
seeing these things stay around in packages).  Since it hasn't
been fixed, I'm wondering if there might be a reason for that.
The only thing (related to xpm, not necessarily the security
vulnerability) I can find in the mailing list is this:

"Jeremy C. Reed" <reed@reedmedia.net> writes:

> I was building wv and it failed:
> 
> ...
> ===> Required package xpm>=3.4knb2: NOT found
> ===> Verifying package for ../../graphics/xpm
> ===> xpm is part of your X11 distribution
> ===> Returning to build of wv-1.0.2nb1
> ...
> ===> Creating toolchain wrappers for wv-1.0.2nb1
> xpm is not installed; can't buildlink files.
> *** Error code 1
> 
> I have libXpm installed from xorg-libs-6.8.1nb2 package.
> 
> I have defined:
> PREFER_PKGSRC+= Xft2
> PREFER_PKGSRC+= ncurses
> PREFER.iconv=native
> PREFER_PKGSRC=  YES
> PREFER_NATIVE+= iconv
> 
> Any suggestions on how to improve graphics/xpm/builtin.mk so
> that Xaw-Xpm, xpm, xorg-libs or XFree86-libs will be fine for
> Xpm?
> 
> And should the PKG_SKIP_REASON in graphics/xpm/Makefile be
> removed or fixed?

To which I was unable to find any responses. So, my first
question is, should I be using something other than the
graphics/xpm package?

Second, the reason for xpm is that xlockmore is requiring it.
So, whilst I resolve this issue, rather than leave my desktop
lying around unlocked, I figured it was less of a risk to leave
the security vulnerability in xpm.  However, when I define
ALLOW_VULNERABLE_PACKAGES and make graphics/xpm, I get the
following:

=> Checksum OK for xpm-3.4k.tar.gz.
===> Extracting for xpm-3.4knb2
===> Required installed package xpkgwedge>=1.5: xpkgwedge-1.10 found
===> Required installed package x11-links>=0.23: x11-links-0.23 found
===> Patching for xpm-3.4knb2
===> Applying pkgsrc patches for xpm-3.4knb2
===> Overriding tools for xpm-3.4knb2
===> Creating toolchain wrappers for xpm-3.4knb2
===> Configuring for xpm-3.4knb2
imake -DUseInstalled -I/usr/pkg/lib/X11/config -I/usr/X11R6/lib/X11/config
In file included from /usr/X11R6/lib/X11/config/site.def:44,
                 from /usr/X11R6/lib/X11/config/Imake.tmpl:41,
                 from Imakefile.c:8:
/usr/pkg/lib/X11/config/host.def:3: OpenMotif.def: No such file or directory
In file included from /usr/X11R6/lib/X11/config/site.def:132,
                 from /usr/X11R6/lib/X11/config/Imake.tmpl:96,
                 from Imakefile.c:8:
/usr/pkg/lib/X11/config/host.def:3: OpenMotif.def: No such file or directory
/usr/X11R6/bin/imake: Exit code 33.
  Stop.
*** Error code 1

Stop.
make: stopped in /usr/pkgsrc/graphics/xpm
*** Error code 1

Stop.
make: stopped in /usr/pkgsrc/graphics/xpm


Any thoughts or suggestions are more than welcome.  This is on

NetBSD achilles 1.6.2_STABLE NetBSD 1.6.2_STABLE (ACHILLES) #7: Mon Jan  3 11:05:50 EST 2005 cwr@achilles:/usr/src/sys/arch/i386/compile/ACHILLES i386

with sources for kernel and userland updated slightly before that
timestamp (and an updated userland), and with current pkgsrc.

Thanks,
Chris