Subject: A slight difficulty with package version numbering
To: None <tech-pkg@netbsd.org>
From: Jon Buller <jon@bullers.net>
List: tech-pkg
Date: 09/20/2004 22:22:33
devel/tla has a slightly odd package numbering scheme, and it
seems to be interacting badly with audit-packages...

pkg-vulnerabilities has the following entry:

     tla<1.2.1pre1	remote-code-execution	http://.....

and the Makefile starts with:

     # $NetBSD: Makefile,v 1.12 2004/09/02 11:54:56 recht Exp $
     #

     DISTNAME=       tla-1.2.1
     PKGREVISION=    2
     CATEGORIES=     devel
     MASTER_SITES=   ${MASTER_SITE_GNU:=gnu-arch/}           \

So when make package is run in devel/tla, you get this:

     $ make package
     ===> Checking for vulnerabilities in tla-1.2.1nb2
     *** WARNING - remote-code-execution vulnerability in tla-1.2.1nb2 - see http://marc.theaimsgroup.com/?l=openpkg-announce&m=108213423102539&w=2 for more information ***
     or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
     *** Error code 1

     Stop.

tla numbers its versions starting with 1.2.1pre1, 1.2.1pre2, etc.
until finishing the process off with 1.2.1.  So preX is just an
odd way of writing rcX.  My suspicion is that it's being interpreted
as a minor version number by mistake in the vulnerability check.

Can anyone confirm or deny my suspicions?

Jon
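The ordering the post describes, as an added example in Python that is not part of the original message and not pkg_install's own comparison code: it assumes alpha/beta/pre/rc sort before the bare release, that "pre" and "rc" are equivalent, and that an nbN suffix (PKGREVISION) sorts after everything else, then checks a package name against a pkg-vulnerabilities pattern.

```python
import re

# Assumed model: pre-release modifiers sort below the bare release, "pre"
# equals "rc" (as the post says for tla), nbN is a separate trailing key.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1}
TOKEN_RE = re.compile(r"(\d+)|([a-z]+)")
PATTERN_RE = re.compile(r"^([^<>=]+)(<=|<|>=|>|=)(.+)$")


def parse_version(version: str) -> tuple[list[int], int]:
    """'1.2.1pre1' -> ([1, 2, 1, -1, 1], 0); '1.2.1nb2' -> ([1, 2, 1], 2)."""
    components: list[int] = []
    revision = 0
    tokens = TOKEN_RE.findall(version.lower())  # '.' separators are dropped
    i = 0
    while i < len(tokens):
        num, word = tokens[i]
        if num:
            components.append(int(num))
        elif word == "nb":
            i += 1  # PKGREVISION: the following number is the revision key
            if i == len(tokens) or not tokens[i][0]:
                raise ValueError(f"nb without a number in {version!r}")
            revision = int(tokens[i][0])
        elif word in MODIFIERS:
            components.append(MODIFIERS[word])
        else:
            raise ValueError(f"unknown modifier {word!r} in {version!r}")
        i += 1
    return components, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ca, ra = parse_version(a)
    cb, rb = parse_version(b)
    width = max(len(ca), len(cb))
    # Zero-pad so 1.2.1 == 1.2.1.0 and 1.2.1pre1 ([.., -1, 1]) < 1.2.1 ([.., 0, 0])
    key_a = (ca + [0] * (width - len(ca)), ra)
    key_b = (cb + [0] * (width - len(cb)), rb)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(pkg: str, pattern: str) -> bool:
    """Match an installed package ('tla-1.2.1nb2') against a
    pkg-vulnerabilities pattern ('tla<1.2.1pre1')."""
    name, version = pkg.rsplit("-", 1)
    m = PATTERN_RE.match(pattern)
    if m is None or m.group(1) != name:
        return False
    cmp = compare_versions(version, m.group(3))
    return {"<": cmp < 0, "<=": cmp <= 0, "=": cmp == 0,
            ">=": cmp >= 0, ">": cmp > 0}[m.group(2)]
```

Under this model tla-1.2.1nb2 is newer than 1.2.1pre1 and the warning in the post would not fire; a checker that reads "pre1" as a further minor version would instead rank 1.2.1pre1 above 1.2.1 and flag the fixed package.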