author: wiz <wiz@pkgsrc.org>, 2021-08-22 16:27:50 +0000
committer: wiz <wiz@pkgsrc.org>, 2021-08-22 16:27:50 +0000
commit: 4807e63e1e4fcf33ca1ad40cb405af2f5c069681
tree: 16bd1f78b179a53fc27b5272224890322e5bc743 /doc/guide
parent: 97a5339cd1098dda44a0f91650ac5886d2bec9b1
download: pkgsrc-4807e63e1e4fcf33ca1ad40cb405af2f5c069681.tar.gz
guide: expand section on editing the pkg-vulnerabilities file
Requested by kim@
Diffstat (limited to 'doc/guide')
-rw-r--r-- | doc/guide/files/fixes.xml | 41 |
1 files changed, 38 insertions, 3 deletions
diff --git a/doc/guide/files/fixes.xml b/doc/guide/files/fixes.xml index 14ce76ecdf2..a820d76d290 100644 --- a/doc/guide/files/fixes.xml +++ b/doc/guide/files/fixes.xml @@ -1,4 +1,4 @@ -<!-- $NetBSD: fixes.xml,v 1.162 2021/07/06 16:57:09 schmonz Exp $ --> +<!-- $NetBSD: fixes.xml,v 1.163 2021/08/22 16:27:50 wiz Exp $ --> <chapter id="fixes"> <?dbhtml filename="fixes.html"?> <title>Making your package work</title> 
@@ -567,8 +567,40 @@ CONFLICTS= libXaw3d-[0-9]* <title>Handling packages with security problems</title> <para>When a vulnerability is found, this should be noted in - <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>, - and after committing that file, ask pkgsrc-security@NetBSD.org to + <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>. + Entries in that file consist of three parts:</para> + <itemizedlist> + <listitem><para>package version pattern</para></listitem> + <listitem><para>type of vulnerability (please cut'n'paste an existing one where possible)</para></listitem> + <listitem><para>URL providing additional information about the issue</para></listitem> + </itemizedlist> + + <para>For the package version pattern please always use `<' to + mark an upper bound (not `<='!). This will avoid possible + problems due unrelated <varname>PKGREVISION</varname> bumps not + related to security fixes. Lower bounds can be added too, using + '>' or '>='. For example, + <quote><literal>foo>'=1<1.2</literal></quote> would mark + versions 1.0 (included) to 1.2 (excluded) of + <quote><literal>foo</literal></quote> as affected by the security + issue.</para> + + <para>Entries should always be added at the bottom of the file.</para> + + <para>When fixing packages, please modify the upper bound of the + corresponding entry. To continue the previous example, if a fix + was backported to version 1.1nb2, change the previous pattern to + <quote><literal>foo>'=1<1.1nb2</literal></quote>.</para> + + <para>To locally test a package version pattern against a + <varname>PKGNAME</varname> you can use the <command>pkg_admin + pmatch</command> command.</para> + + <para>The URL should be as permanent as possible and provide as + much information about the issue as possible. 
CVE entries are + preferred.</para> + + <para>After committing that file, ask pkgsrc-security@NetBSD.org to update the file on ftp.NetBSD.org.</para> <para>After fixing the vulnerability by a patch, its @@ -582,6 +614,9 @@ CONFLICTS= libXaw3d-[0-9]* <para>Binary packages already on ftp.NetBSD.org will be handled semi-automatically by a weekly cron job.</para> + + <para>In case a security issue is disputed, please contact + pkgsrc-security@NetBSD.org.</para> </sect2> |
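Review bot: the two example patterns in the second hunk, `foo>'=1<1.2` and `foo>'=1<1.1nb2`, contain a stray `'` after the `>` that makes them invalid version patterns; they should read `foo>=1<1.2` and `foo>=1<1.1nb2`, so that a reader who follows the paragraph's advice to check them with `pkg_admin pmatch` gets a match rather than an error. In the same hunk, "This will avoid possible problems due unrelated PKGREVISION bumps not related to security fixes" is missing "to" and says "unrelated" twice; suggest "This avoids false positives caused by PKGREVISION bumps unrelated to security fixes." Also, the bare `<` characters in the added text (`` `<' ``, `` `<=' `` and the `<1.2` in the patterns) appear unescaped in the diff; in DocBook XML text content they must be written as `&lt;` or the file will not parse, so worth confirming that the committed source escapes them.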
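Review bot: "disputed" in the last hunk is ambiguous: it could mean the vulnerability's validity is contested, or that it does not apply to the pkgsrc package as built. A short clause saying which cases are meant, and that the entry should stay in the file until pkgsrc-security@NetBSD.org decides, would spare maintainers guessing whether to edit or remove the entry themselves.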