Re: Issues with security/step-cli

From: Michael Gmelin <freebsd_at_grem.de>
Date: Tue, 03 Aug 2021 13:31:41 UTC

On Tue, 3 Aug 2021 14:53:07 +0200
Markus Wipp <mw@wipp.bayern> wrote:

> > On 3. Aug 2021, at 14:34, Michael Gmelin <freebsd@grem.de> wrote:
> > 
> > 
> > 
> > On Tue, 3 Aug 2021 13:41:42 +0200
> > Markus Wipp <mw@wipp.bayern> wrote:
> >   
> >> Sure. I attached the diff for you.
> >> 
> >>   
> >>> On 3. Aug 2021, at 13:35, Michael Gmelin <freebsd@grem.de> wrote:
> >>> 
> >>> 
> >>>   
> >>>> On 3. Aug 2021, at 13:29, Markus Wipp <mw@wipp.bayern> wrote:
> >>>> 
> >>>> Hi all, 
> >>>> 
> >>>> I’m the maintainer of the security/step-cli port and I’m
> >>>> currently facing some issues I seem to be unable to fix.
> >>>> 
> >>>> I am currently trying to create the patch for the latest version, 0.16.1.
> >>>> 
> >>>> I did the following:
> >>>> 
> >>>> 1) I removed all files in /usr/ports/distfiles
> >>>> 2) I did a make clean makesum stage (which ran fine)
> >>>> 3) I did a make clean package (which always runs into the
> >>>> following error:
> >>>> => Attempting to fetch https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz: size unknown
> >>>> fetch: https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz: size of remote file is not known
> >>>> etcd-io-etcd-v3.5.0_GH0.tar.gz                    3925 kB   10 MBps    00s
> >>>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/etcd-io-etcd-v3.5.0_GH0.tar.gz
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: 4020010: No such file or directory
> >>>> fetch: http://distcache.FreeBSD.org/ports-distfiles/etcd-io-etcd-v3.5.0_GH0.tar.gz: Not Found
> >>>> => Couldn't fetch it - please try to retrieve this
> >>>> => port manually into /usr/ports/distfiles/ and try again.
> >>>> *** Error code 1
> >>>> 
> >>>> Is there anything I did wrong? Anything I can do to fix this
> >>>> issue? 
> >>> 
> >>> Unless someone else knows what’s wrong anyway: Could you share
> >>> your port skeleton? (at least the files that changed or the
> >>> output of `git diff')
> >>> 
> >>>   
> >>>> Thanks in advance
> >>>> Markus    
> >>   
> > 
> > distinfo contains the entry for etcd-io-etcd-v3.5.0_GH0.tar.gz
> > multiple times (due to it being listed multiple times in GH_TUPLE).
> > 
> > It seems to build okay when getting rid of the duplicates in
> > distinfo. I don't know if what you're doing is officially
> > supported, but if it is, we should probably adapt tooling. Also,
> > portlint didn't complain and `make makesum' re-creates the
> > duplicates.
> > 
> > @portmgr Please find attached an example of a patch that dedups
> > distinfo on `make makesum', it might make more sense to fix this
> > somewhere else in the framework (so that e.g., checksums aren't
> > validated multiple times etc.), up to you.  
> 
> Ok, then this is one more thing I should take care of! I did not add
> it multiple times on purpose. The GH_TUPLE was just built with go mod
> vendor and modules2tuple. Could it be that there the duplicates need
> to be fixed?

Well, it seems like they are unpacked in multiple places. I don't know
the software well enough to tell if this is required or not. If it is, you
could leave things as they are now and modify distinfo manually (if this
is actually allowed by the framework).

It would be nicer though to create a post-extract target that moves
things into place explicitly (either by copying them, or simply by
creating symbolic links, if this is supported by the software you're
porting).

-m

> 
> 
> > 
> > Cheers,
> > Michael
> > 
> > -- 
> > Michael Gmelin
> > <makesum_dedup.diff>  



-- 
Michael Gmelin
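
A check for the condition discussed in this thread (one distfile recorded several times in distinfo), as an added example that is neither the attached makesum_dedup.diff nor part of the ports framework. The function names, the `example-dep` entry and all hash, size and timestamp values are constructed; beyond what the thread covers, it also refuses to dedup when the same distfile appears with differing checksums.

```shell
#!/bin/sh
# Added example: find and remove repeated distinfo entries.
# Constructed sample input; hashes are short placeholders, not real digests.
sample_distinfo() {
    cat <<'EOF'
TIMESTAMP = 1627990000
SHA256 (example-dep-v1.0.0_GH0.tar.gz) = aaaa0001
SIZE (example-dep-v1.0.0_GH0.tar.gz) = 1000
SHA256 (etcd-io-etcd-v3.5.0_GH0.tar.gz) = bbbb0002
SIZE (etcd-io-etcd-v3.5.0_GH0.tar.gz) = 2000
SHA256 (etcd-io-etcd-v3.5.0_GH0.tar.gz) = bbbb0002
SIZE (etcd-io-etcd-v3.5.0_GH0.tar.gz) = 2000
SHA256 (etcd-io-etcd-v3.5.0_GH0.tar.gz) = bbbb0002
SIZE (etcd-io-etcd-v3.5.0_GH0.tar.gz) = 2000
EOF
}

# distinfo_dups FILE: one line per distfile with more than one SHA256 entry.
# DUPLICATE = same hash repeated, CONFLICT = different hashes for one file.
distinfo_dups() {
    awk '
        $1 == "SHA256" && $3 == "=" {
            name = substr($2, 2, length($2) - 2)    # strip the parentheses
            count[name]++
            if (!(name in hash)) { hash[name] = $4; order[++n] = name }
            else if (hash[name] != $4) conflict[name] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (name in conflict) printf "CONFLICT %s %d\n", name, count[name]
                else if (count[name] > 1) printf "DUPLICATE %s %d\n", name, count[name]
            }
        }
    ' "$1"
}

# distinfo_dedup FILE: print FILE with repeated identical lines dropped
# (first occurrence kept). Returns 1 without output on conflicting checksums.
distinfo_dedup() {
    if distinfo_dups "$1" | grep -q '^CONFLICT '; then
        echo "refusing to dedup: conflicting checksums in $1" >&2
        return 1
    fi
    awk '!seen[$0]++' "$1"
}
```

A CONFLICT line means two different checksums are recorded for one file name, which needs a manual look rather than automatic cleanup.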