www/dotproject out of date and vulnerable

Fred Cox sailorfred at yahoo.com
Tue Sep 19 17:16:35 PDT 2006


--- Kris Kennaway <kris at obsecurity.org> wrote:

> On Tue, Sep 19, 2006 at 04:19:23PM -0700, Fred Cox
> wrote:
> 
> > > No, I guess you've still misunderstood.  I don't
> > > know how many times I
> > > can say this, but let me try to explain once
> more:
> > > your port should be
> > > buildable with the default settings of all ports
> > > involved.
> > > 
> > > This means that you can't place special
> requirements
> > > like "you have to
> > > first install mysql 3.x, then install the
> php4-mysql
> > > port, then
> > > install this port", because that is too
> non-generic
> > > and will not be
> > > true on systems that already have php4-mysql
> > > installed with the
> > > default mysql client.
> > > 
> > > The solution, which I explained several messages
> > > ago, is to make an
> > > alternative php4-mysql3 port, which always
> depends
> > > on mysql 3.x, and
> > > use that instead of php4-mysql (it may need to
> > > conflict with
> > > php4-mysql, I don't know).  This really isn't
> very
> > > hard and you
> > > perhaps could have done it already by now :)
> > > 
> > 
> > When I was trying to install this in first place,
> I
> > couldn't install mysql323-client when
> mysql5-client
> > was already installed.  It refused to install.  I
> had
> > to install it into a jail by itself with msyql323
> and
> > php4.
> 
> Right, they conflict.  There's nothing you can do
> about that; they
> want to install files on top of each other, breaking
> one or the other
> installation.
> 
> > I assume that will break the requirement that it
> be
> > buildable with defaults, assuming that some other
> port
> > that requires mysql has already been built.  Is
> that a
> > bad assumption?
> 
> Yes, with the above solution mysql 4.x or 5.x do not
> get installed
> when you build your port on a clean system (no ports
> installed, and no
> non-default settings), only mysql 3.x, so there's no
> conflict.
> 
> If someone has mysql 4.x or 5.x installed already,
> they get a warning
> from the conflict checking telling them it's
> impossible to install the
> port without first deinstalling mysql 4.x and 5.x,
> which is true and
> unavoidable.
> 
> With your proposed version, a conflicting mysql
> version would first be
> installed by php4-mysql and the build of your port
> will subsequently
> fail when it tries to install mysql3 (or vice versa,
> depending on
> which happens first), which is precisely the
> problem.
> 

Actually, it doesn't.  It goes ahead and installs it,
even though I specified these:

WITH_MYSQL=     yes
WANT_MYSQL_VER= 323
IGNORE_WITH_MYSQL=5

Starting with a system that had no MySQL or PHP
installed on it, I did a make install in the
dotproject port with the Makefile and distinfo I
specified earlier.

It seems to look for mysql.so, and if that's found, it
doesn't worry about the version.

See the log at http://fcox.net/dp.log, when no mysql
or php was installed on the system.

Perhaps this is a bug in the dependencies system.

> Hope this has clarified things sufficiently now,

It certainly presents a certain model, but my
experience doesn't match up with it.

That's why I was confused,

Fred

> Kris
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


More information about the freebsd-ports mailing list