bin/56961: [PATCH] pkg_install: match package version numbers with relational operators

Oliver Eikemeier eikemeier at fillmore-labs.com
Wed Sep 17 10:30:23 PDT 2003


>Number:         56961
>Category:       bin
>Synopsis:       [PATCH] pkg_install: match package version numbers with relational operators
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 10:30:18 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 5.1-CURRENT

>Description:

The overall idea is to have something like NetBSD's security/audit-packages
  http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060

it uses commands like
  pkg_info -E 'apache>=2.0<2.0.45' && echo "  vulnerable: see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132"

to test for installed vulnerable packages. The following features have been added:

* patterns can have relational operators (<, >, <=, >=, ==, !=) with a version number
appended; if they do, the pattern matches only the base name, and the versions will be
compared according to the relational operator. Multiple operators can be used; they
all have to match (logical and).

e.g. a glob pattern 'openldap-*>2.0<2.1' matches:
openldap-server-2.0.27_2
openldap-client-2.0.27

it does not match:
openldap-server-2.1.22 (version number mismatch)
openldap-2.0.27 (glob pattern does not match)

* flag -E (pkg_info):
list matching package names only (mainly for scripts),
return 0 if any packages match, 1 otherwise.
  pkg_info -E 'openssh<3.6.1_2' && echo "  vulnerable: http://www.openssh.com/txt/buffer.adv"

* flag -T (pkg_version)
test if a given name matches a given pattern (mainly for scripts)

pkg_version -T 'unzip-5.50' 'unzip<5.50_3' && \
echo "before installing, please upgrade your port collection: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282"

* flag -X (pkg_info, pkg_delete, pkg_version):
interpret arguments as extended regular expressions (instead of regular expressions):

  pkg_info -Ix '^openldap-\(client\)\{0,1\}\(server\)\{0,1\}-'
=>
  pkg_info -IX '^openldap-(client|server)-'

* to get a more robust version number sorting, the version compare routines have been
completely rewritten. The following structure of FreeBSD version numbers is assumed:

- FreeBSD version numbers are composed of components separated by dots. A component
  consists of a version number, a letter and a patchlevel number (number letter number),
  where either the version number or the letter is optional; the patchlevel may only
  be present if it is preceded by a letter.
  This does not conform to the porter's handbook, but let us formulate rules that
  fit the current practice and are far simpler than to make decisions
  based on the order of nutters and lembers. Besides, people use versions
  like 10b2 in the ports...
- characters !~ [a-zA-Z0-9.] are treated as separators (1.0+2003.09.16 = 1.0.2003.09.16)
  this may not be what you expect: 1.0.1+2003.09.16 < 1.0+2003.09.16
- consecutive separators are collapsed (10..1 = 10.1)
- missing separators are inserted, letter number letter => letter number . letter (10a1b2 = 10a1.b2)
- only the first letter is significant (except for the special string "pl"),
  and case is ignored (1.a2 = 1.alpha2 = 1.Anything2)
- the letter sort order is: pl, a, b, ..., z
- missing letters sort like "pl" (5 = 5pl0, 10 < 10a)
- missing version numbers sort as -1 (a2 < 0.1, 10.a2 < 10.0)
- missing components are assumed to be 0 (10 = 10.0 = 10.0.0)

In case anybody is interested, this gives the following sort orders:
  10.a = 10.a.0 = 10.a0 < 10 = 10.0 < 10a = 10a.0 = 10a0
  11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
  6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 = 6r3b2 < 6r3
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

the perl pkg_version on 4.x is nearly identical:
  10.a < 10.a.0 < 10.a0 < 10 < 10.0 < 10a < 10a.0 < 10a0
  11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
  6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

whereas pkg_version on 5.x has:
  10.a.0 < 10.a < 10.a0 < 10 < 10.0 < 10a0 < 10a.0 < 10a
  11.b.1 < 11.b < 11.b1 < 11 < 11.1 < 11b.1 < 11b < 11b1
  6.r2b3 = 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a2+1.15 < 2.a2+10.3 < 2.a+10.3
and is not transitive:
  10.a.0 < 10.a < 10.a0, but 10.a.0 > 10.a0
  10a0 < 10a.0 < 10a, but 10a0 > 10a
  8.pl3 < 8.0 < 8.0pl3, but 8.0pl3 == 8.pl3

portsversion from portupgrade follows the 4.x perl script with the exception of:
  2.a2+1.15 < 2.a2+10.3 < 2.a+1.15 < 2.a+10.3

besides, a bug has been fixed, which allows version numbers of ports with a number
following an underscore to be parsed (currently thx_1138, pips750_2000 and ruby-cast_256):
ruby-cast_256-1.0 < ruby-cast_256-1.0_1
(it's ruby-cast_256-1.0 > ruby-cast_256-1.0_1 on 5.x and ruby-cast_256-1.0 = ruby-cast_256-1.0_1 on 4.x)

* pkg_version uses /usr/ports/INDEX-5 on 5.x and /usr/ports/INDEX on 4.x
  (important for the port sysutils/pkg_install and a MFC)

>How-To-Repeat:
>Fix:

A patch is on ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz
MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43

*** FreeBSD 5.X ***

Apply it to your source tree (replaces base tools):
# fetch ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz
# md5 patch-pkg_install-20030917.gz
# gzcat patch-pkg_install-20030917.gz | patch -p0 -d /usr/src/usr.sbin/pkg_install
# cd /usr/src/usr.sbin/pkg_install; make clean all install

Test with:
# pkg_info -P
Package tools revision: 20030917

*** FreeBSD 4.X ***

Apply the following patch to port sysutils/pkg_install:

--- pkg_install.patch begins here ---
diff -Nur pkg_install/Makefile.orig pkg_install/Makefile
--- pkg_install/Makefile.orig	Thu Sep  4 18:40:45 2003
+++ pkg_install/Makefile	Wed Sep 17 16:43:46 2003
@@ -12,6 +12,10 @@
 MASTER_SITES=		${MASTER_SITE_LOCAL}
 MASTER_SITE_SUBDIR=	marcus
 
+PATCH_SITES=		ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/
+PATCH_SITE_SUBDIR=	patches
+PATCHFILES=		patch-pkg_install-20030917.gz
+
 MAINTAINER=		portmgr at freebsd.org
 COMMENT=		FreeBSD 5.x version of the package tools for older system releases
 
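Review bot: nothing in this hunk bumps PORTREVISION even though PATCHFILES changes the installed tools; unless the Makefile does so elsewhere, pkg_version on a system that already has pkg_install-20030714 installed will not report the port as out of date. Add a `PORTREVISION=	1` line next to the new PATCHFILES so the change is visible to upgrade tooling. Note also that PATCH_SITES points at a third-party server reached over plain ftp, so the MD5 recorded in distinfo is the only integrity check the build applies to the fetched patch.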
diff -Nur pkg_install/distinfo.orig pkg_install/distinfo
--- pkg_install/distinfo.orig	Wed Sep  3 18:11:20 2003
+++ pkg_install/distinfo	Wed Sep 17 17:00:56 2003
@@ -1 +1,2 @@
 MD5 (pkg_install-20030714.tar.gz) = 183bed34c5427aeaf2025d9e2176e9ed
+MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43
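Review bot: the digest added here matches the value given in the Description (82ddd00ae3f48e4cb2f186363820cd43), so the two can be cross-checked, but since the Makefile hunk fetches the file from an external FTP server this single MD5 is the only integrity guarantee the build gets. Anyone applying the patch by hand on 5.X should compare the md5(1) output against this value before piping the file into patch, as the instructions below already suggest.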
--- pkg_install.patch ends here ---

Test with:
# /usr/local/sbin/pkg_info -P
Package tools revision: 20030917


>Release-Note:
>Audit-Trail:
>Unformatted:
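The version-ordering rules and the relational pattern syntax described in the PR above, as an added illustration in Python. This is not the PR's patch (pkg_install itself is written in C) and it is not the submitter's code; it re-implements the rules from the Description so that the sort orders listed there can be checked mechanically. Assumptions the PR does not spell out: a letter run counts as the "pl" marker only when it is exactly "pl" (case-insensitive); the glob part of a pattern ends at the first relational operator; a package name splits at its last '-' into base name and version; PORTEPOCH gets no special treatment, so ',' is just another separator. The installed-package list in the usage section is constructed sample data.

```python
"""Added illustration of the version ordering and relational patterns in
bin/56961; not the PR's patch, which is C inside pkg_install.

Assumptions not stated in the PR: a letter run is the "pl" marker only when
it is exactly "pl"; the glob part of a pattern ends at the first relational
operator; a package name splits at its last '-' into base and version;
PORTEPOCH is not special (',' is just another separator).
"""
import fnmatch
import re
from functools import cmp_to_key
from itertools import zip_longest

_TOKEN = re.compile(r"[0-9]+|[a-z]+")          # runs of digits / letters
_OP_START = re.compile(r"<=|>=|==|!=|<|>")
_OP = re.compile(r"(<=|>=|==|!=|<|>)([^<>=!]+)")
_MISSING = (0, 0, 0)                            # value of an absent component


def parse_version(ver):
    """Return a list of (number, letter_rank, patchlevel) components.

    number is -1 when absent; letter_rank is 0 for "pl" or no letter and
    1..26 for a..z (only the first letter counts, case ignored); patchlevel
    is 0 when absent.  Anything outside [a-z0-9.] is a separator, runs of
    separators collapse, and "10a1b2" yields the same as "10a1.b2".
    """
    text = re.sub(r"[^a-z0-9.]", ".", ver.lower())
    comps = []
    for piece in filter(None, text.split(".")):
        tokens = _TOKEN.findall(piece)
        i = 0
        while i < len(tokens):
            num, letter, patch = -1, 0, 0
            if tokens[i].isdigit():
                num, i = int(tokens[i]), i + 1
            if i < len(tokens) and tokens[i].isalpha():
                run, i = tokens[i], i + 1
                letter = 0 if run == "pl" else ord(run[0]) - ord("a") + 1
                if i < len(tokens) and tokens[i].isdigit():  # patchlevel
                    patch, i = int(tokens[i]), i + 1
            comps.append((num, letter, patch))
    return comps


def compare_versions(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b; missing components count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=_MISSING):
        if x != y:
            return -1 if x < y else 1
    return 0


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


def split_name(pkgname):
    """'openldap-server-2.0.27_2' -> ('openldap-server', '2.0.27_2')."""
    base, dash, ver = pkgname.rpartition("-")
    if not dash:
        raise ValueError("no version in package name: %r" % pkgname)
    return base, ver


_HOLDS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
          ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def match_pattern(pkgname, pattern):
    """pkg_version -T: does pkgname match a glob, optionally followed by
    relational operators such as 'openldap-*>2.0<2.1'?"""
    m = _OP_START.search(pattern)
    if m is None:                      # no operator: glob the whole name
        return fnmatch.fnmatchcase(pkgname, pattern)
    glob, ops = pattern[:m.start()], pattern[m.start():]
    terms = _OP.findall(ops)
    if "".join(op + want for op, want in terms) != ops:
        raise ValueError("malformed relational pattern: %r" % pattern)
    base, ver = split_name(pkgname)
    if not fnmatch.fnmatchcase(base, glob):   # with operators, glob the base only
        return False
    # every operator has to hold (logical and)
    return all(_HOLDS[op](compare_versions(ver, want)) for op, want in terms)


def matching_packages(pattern, installed):
    """pkg_info -E: the installed names that match, in the given order."""
    return [name for name in installed if match_pattern(name, pattern)]


if __name__ == "__main__":
    # constructed sample of an installed-package list
    installed = ["openldap-server-2.0.27_2", "openldap-client-2.0.27",
                 "openldap-server-2.1.22", "openldap-2.0.27", "openssh-3.6.1_1"]
    for pat in ("openldap-*>2.0<2.1", "openssh<3.6.1_2"):
        print(pat, "->", matching_packages(pat, installed))
    print(sort_versions(["11b1", "11", "11.b", "11.1", "11b", "11.b1", "11.b.1", "11b.1"]))
```

Each component compares as a Python tuple, so the number is decided first, then the letter rank, then the patchlevel, which is exactly why a missing number (-1) sorts below an explicit 0 and a missing letter (rank 0, "pl") sorts below "a". The sort_versions call in the usage section reproduces the second line of sort orders from the Description.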

