From: Fernando Apesteguía
Date: Sun, 9 Feb 2025 15:08:25 +0100
Subject: Re: Port has a security update to compile with golang 1.23.6, but we only have 1.23.3
To: Piotr Smyrak
Cc: ports FreeBSD, Stefan Bethke
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On Sun, 9 Feb 2025, 12:43, Piotr Smyrak wrote:

> On Sun, 9 Feb 2025 09:47:52 +0100
> Moin Rahman wrote:
>
> > > On Feb 9, 2025, at 09:43, Stefan Bethke wrote:
> > >
> > > Gitea has released their version 1.23.3, which includes this in the
> > > release notes
> > > (https://github.com/go-gitea/gitea/releases/tag/v1.23.3)
> > >
> > > * Build Gitea with Golang v1.23.6 to fix security bugs
> > >
> > > As far as I can tell, the newest Golang package is:
> > > go123-1.23.3                   Go programming language
> > > and the port has 1.23.5.
> > >
> > > As a port maintainer, how should I go about updating Gitea? Simply
> > > bumping the version likely will not incorporate the fixes that have
> > > been included in Go 1.23.6? Should I monitor the go123 port and
> > > send in the update patch for Gitea once the Go port has been
> > > updated? Or send the patch now, and bump port revision once go is
> > > at (at least) 1.23.6?
> > >
> >
> > As a non-committer you will eventually submit a PR or Review. So
> > notify in the PR/Review that the gitea update should take place after
> > Go has been updated to 1.23.6.
>
> Well, an entry in security/vuxml database is needed. To let people
> running the software they shall take their decision whether to stop
> running it publicly, to extra protect it, etc.
>

Can you provide such an entry?
If not, where is the specific security bug information to be found?

> --
> Piotr Smyrak

