git: df2914ac4a - main - [phb][security]: Create VuXML checklist

From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Sun, 03 Aug 2025 11:05:13 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=df2914ac4a93115b3200bcae194964d35f5f402e

commit df2914ac4a93115b3200bcae194964d35f5f402e
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-08-01 17:46:45 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-08-03 10:56:49 +0000

    [phb][security]: Create VuXML checklist
    
    Create a short checklist with some important points to check before committing.
    Prompted by a mail by mandree@.
    
    Reviewed by:            bcr@
    Differential Revision:  https://reviews.freebsd.org/D51695
---
 .../en/books/porters-handbook/security/_index.adoc | 35 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc
index f4cffaac96..53a7a4b793 100644
--- a/documentation/content/en/books/porters-handbook/security/_index.adoc
+++ b/documentation/content/en/books/porters-handbook/security/_index.adoc
@@ -316,11 +316,34 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
 The former version matches while the latter one does not.
 
 [[security-xcheck-vuxml]]
-=== Cross-checking Derivatives
-
-If an upstream project has a known vulnerability, check whether derivatives or
-forks of the project included in the ports tree are also affected.
+=== VuXML new entry checklist
+
+* Check the name of the port.
+Sometimes the upstream project name is not exactly the same as the port name.
+* Add all flavors.
+When a port has flavors all the package names need to be added as a `<package>` in
+the entry.
+Use the following script to generate all flavored package names:
++
+[source,shell]
+....
+% for flavor in $(make -V FLAVORS); do FLAVOR="${flavor}" make -VPKGNAME;done
+....
++
+* Check if the port has `PORTEPOCH`.
+The above script snippet helps with that.
+If the port uses `PORTEPOCH` it is mandatory to add it to the `<range>` tag.
+* Double check ranges.
+In the case of ranges limited on both sides, make sure that the `<ge>` and
+`<lt>` elements are inside the same `<range>` tag.
+Otherwise the entry might end up defining an overlapping range.
+* Cross-check derivatives.
+Check whether derivatives or forks of the project included in the ports tree are also affected.
 For example, if a vulnerability is discovered in package:www/firefox[], assess
 whether derivatives like package:www/librewolf[], package:www/waterfox[] or
-other similar projects share the same vulnerability. Include all affected
-derivatives in the VuXML entry, ensuring that users of these ports are informed.
+other similar projects share the same vulnerability.
+Include all affected derivatives in the VuXML entry, ensuring that users of these ports are informed.
+Also check if there are Linux versions of the same port in the tree.
+For instance, package:databases/sqlite3[] vulnerabilities most likely affect packages like
+package:databases/linux-c7-sqlite3[] too.
+* Do not commit an entry without running `make validate` first.
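Review bot: the `for flavor in $(make -V FLAVORS)` loop iterates zero times on a port without flavors and prints nothing, yet the `PORTEPOCH` bullet says "The above script snippet helps with that"; the checklist should also give the plain `make -V PKGNAME` form so a committer checking an unflavored port sees the epoch in the package name. The snippet is also Bourne-shell syntax (`$(...)` and the `FLAVOR="${flavor}" make` environment prefix) under a `%` prompt, so it will not run as typed in csh/tcsh; either note that it is for sh or give a csh variant. Finally, "add it to the `<range>` tag" is vague: `PORTEPOCH` is part of the package version, so the epoch suffix has to appear in the version strings inside the `<ge>` and `<lt>` elements (for example `<lt>1.2.3,1</lt>`), not as something attached to `<range>` itself; stating that explicitly would avoid entries that silently never match.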