pkgsrc-Changes archive


CVS commit: pkgsrc/doc/guide/files



Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun Aug 22 16:27:50 UTC 2021

Modified Files:
        pkgsrc/doc/guide/files: fixes.xml

Log Message:
guide: expand section on editing the pkg-vulnerabilities file

Requested by kim@


To generate a diff of this commit:
cvs rdiff -u -r1.162 -r1.163 pkgsrc/doc/guide/files/fixes.xml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/doc/guide/files/fixes.xml
diff -u pkgsrc/doc/guide/files/fixes.xml:1.162 pkgsrc/doc/guide/files/fixes.xml:1.163
--- pkgsrc/doc/guide/files/fixes.xml:1.162      Tue Jul  6 16:57:09 2021
+++ pkgsrc/doc/guide/files/fixes.xml    Sun Aug 22 16:27:50 2021
@@ -1,4 +1,4 @@
-<!-- $NetBSD: fixes.xml,v 1.162 2021/07/06 16:57:09 schmonz Exp $ -->
+<!-- $NetBSD: fixes.xml,v 1.163 2021/08/22 16:27:50 wiz Exp $ -->
 
 <chapter id="fixes"> <?dbhtml filename="fixes.html"?>
 <title>Making your package work</title>
@@ -567,8 +567,40 @@ CONFLICTS=      libXaw3d-[0-9]*
     <title>Handling packages with security problems</title>
 
     <para>When a vulnerability is found, this should be noted in
-    <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>,
-    and after committing that file, ask pkgsrc-security%NetBSD.org@localhost to
+    <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>.
+    Entries in that file consist of three parts:</para>
+    <itemizedlist>
+      <listitem><para>package version pattern</para></listitem>
+      <listitem><para>type of vulnerability (please cut'n'paste an existing one where possible)</para></listitem>
+      <listitem><para>URL providing additional information about the issue</para></listitem>
+    </itemizedlist>
+
+    <para>For the package version pattern please always use `&lt;' to
+    mark an upper bound (not `&lt;='!). This will avoid possible
+    problems due unrelated <varname>PKGREVISION</varname> bumps not
+    related to security fixes. Lower bounds can be added too, using
+    '&gt;' or '&gt;='. For example,
+    <quote><literal>foo&gt;'=1&lt;1.2</literal></quote> would mark
+    versions 1.0 (included) to 1.2 (excluded) of
+    <quote><literal>foo</literal></quote> as affected by the security
+    issue.</para>
+
+    <para>Entries should always be added at the bottom of the file.</para>
+
+    <para>When fixing packages, please modify the upper bound of the
+    corresponding entry. To continue the previous example, if a fix
+    was backported to version 1.1nb2, change the previous pattern to
+    <quote><literal>foo&gt;'=1&lt;1.1nb2</literal></quote>.</para>
+
+    <para>To locally test a package version pattern against a
+    <varname>PKGNAME</varname> you can use the <command>pkg_admin
+    pmatch</command> command.</para>
+
+    <para>The URL should be as permanent as possible and provide as
+    much information about the issue as possible.  CVE entries are
+    preferred.</para>
+
+    <para>After committing that file, ask pkgsrc-security%NetBSD.org@localhost to
     update the file on ftp.NetBSD.org.</para>
 
     <para>After fixing the vulnerability by a patch, its
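Review bot: the two example patterns in this hunk contain a stray apostrophe, `foo&gt;'=1&lt;1.2` and `foo&gt;'=1&lt;1.1nb2`, which contradicts the sentence just above them saying lower bounds are written with `&gt;` or `&gt;=`; they should read `foo&gt;=1&lt;1.2` and `foo&gt;=1&lt;1.1nb2`, otherwise readers copying the example into pkg-vulnerabilities get a pattern that is not the one the prose describes (and the `pkg_admin pmatch` check the next paragraph recommends will show it). Two smaller points in the same paragraph: "problems due unrelated PKGREVISION bumps not related to security fixes" is missing "to" and says "unrelated" twice, so something like "problems due to PKGREVISION bumps unrelated to security fixes" reads better; and the quoting of the operators mixes a backtick-and-apostrophe pair (`&lt;') with plain apostrophes ('&gt;'), where `<literal>` would be the consistent DocBook choice given that the patterns themselves already use it.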
@@ -582,6 +614,9 @@ CONFLICTS=      libXaw3d-[0-9]*
 
     <para>Binary packages already on ftp.NetBSD.org will be handled
     semi-automatically by a weekly cron job.</para>
+
+    <para>In case a security issue is disputed, please contact
+    pkgsrc-security%NetBSD.org@localhost.</para>
   </sect2>
 
 