Re: FreeBSD Errata Notice FreeBSD-EN-26:07.pkgbase [Some notes/reminders about pkgbase /usr/src content and such]

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Mark Millard <marklmi_at_yahoo.com>
Date: Tue, 21 Apr 2026 18:57:59 UTC
Since this one is about pkgbase contexts . . .

On 4/21/26 10:02, FreeBSD Errata Notices wrote:
> =============================================================================
> FreeBSD-EN-26:07.pkgbase                                        Errata Notice
>                                                           The FreeBSD Project
> 
> Topic:          Base packages fail to build with newer versions of libucl
> 
> Category:       core
> Module:         packages
> Announced:      2026-04-21
> Affects:        FreeBSD 15.0
> Corrected:      2026-04-07 11:27:02 UTC (stable/15, 15.0-STABLE)
>                 2026-04-21 15:44:26 UTC (releng/15.0, 15.0-RELEASE-p6)
> 
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> <URL:https://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The libucl library is used for parsing documents in the UCL markup format.  
> The base system private Lua (flua) exposes libucl to Lua applications via
> the "ucl" module.
> 
> II.  Problem Description
> 
> In libucl version 0.9.3, an API change was made in the Lua ucl module
> to prohibit the use of certain syntax by default, specifically the
> ".include" directive.  This change causes the base system package build
> ("make update-packages") to fail when the host system is using libucl
> 0.9.3 or later.
> 
> III. Impact
> 
> Future versions of FreeBSD, which include libucl 0.9.3 or later, will
> be unable to build FreeBSD 15.0 base system packages from source.
> 
> IV.  Workaround
> 
> No workaround is available.
> 
> V.   Solution
> 
> Update the base system source tree to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
> 
> No action is required on the host (build) system.
> 
> To update your system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch
> # fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch.asc
> # gpg --verify pkgbase.patch.asc
> 
> b) Apply the patch.  Execute the following commands as root:
> 
> # cd /usr/src

If /usr/src is from a pkgbase install/upgrade, it is not set up for use
with git. That is relevant later below.

> # patch < /path/to/patch

For folks that do not build their own pkgbase, normally the technique
would be to do a normal binary pkgbase update. In this case, using
aarch64 as an example context, if that activity included FreeBSD-src-sys
and FreeBSD-src (at or later than shown below):

FreeBSD-src-sys-15.snap20260421090558.pkg
    FreeBSD-src-15.snap20260421100537.pkg

that should have updated to have source files were based on having had
the patch applied. (Snapshot date/time naming will vary across platforms.)

> 
> VI.  Correction details
> 
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
> 
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/15/                              976b2ebf4309    stable/15-n282865
> releng/15.0/                            f3bbb238daa1  releng/15.0-n281021
> -------------------------------------------------------------------------
> 
> Run the following command to see which files were modified by a
> particular commit:
> 
> # git show --stat <commit hash>

/usr/src supplied by pkgbase does not have normal/easy traceability to
git hashes so far as I know. (For example, establish a git comparison
tree and then recursive diff that and the pkgbase /usr/src --ignoring
git infrastructure files that are not in /usr/src/ .)

For pkgbase's base_latest distributions (so: stable/15 based in this
context) the git hash that would be accurate for /usr/src/sys/ (which
has its own .pkg file) might not be an exact match to what would match
all of the rest of /usr/src/ (which has its own .pkg file): a commit can
occur between the two separate source grabs and make the two hashes
distinct. (main also has this property.)

Looking at the appropriate (say, * being aarch64):

https://pkg.freebsd.org/FreeBSD:15:*/base_latest/?C=M&O=D

can help confirm things are in place. Similarly for looking at
appropriate base_latest rows in:

https://people.freebsd.org/~dbaio/pkg-master-report.html

For example: For a while after the announcements went out,
freebsd:14:aarch64:64 in pkg-master-report's display showed as "missing"
(20 for % Synched) when I looked. (Now it shows 100.)

> 
> Or visit the following URL, replacing NNNNNN with the hash:
> 
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
> 
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
> 
> # git rev-list --count --first-parent HEAD
> 
> VII. References
> 
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:07.pkgbase.asc>
> 
> 

-- 
===
Mark Millard
marklmi at yahoo.com