Broken ports cause vuln problems

I noticed this today. First, I apologise for highlighting the errors of others, but it is relevant to the topic.

FreshPorts has a number of sanity tests that it performs on each commit to a port. It does simple things like:


If an error occurs during any sanity test, FreshPorts records and reports the error. If the committer in question has chosen to receive sanity test failures, the committer is emailed directly. If not, I get the email. Tonight I got such an email, and I told the committer. When he fixed the commit, I ran the refresh ports script which refreshes errors. This is standard procedure. FreshPorts has the commit data, but cannot refresh the port because the make -V mechanism is broken. By running the script, the ports touched by that commit are refreshed and updated.

In the port in question, games/quake2forge, a vulnerability has been recorded against it (quake2 — multiple critical vulnerabilities).

FreshPorts marks each commit according to whether or not it is vulnerable, provided no errors are encountered. When an error does occur, the PORTVERSION cannot be determined, so the commit cannot be marked. Thus, it is left up to the refresh script to set the vulnerability code.

If you look at the BETA site you’ll see the anomaly, at least for a few days after this post. The commit on 09 Apr 2006 13:08:16 has a skull, as does the 12 Apr 2006 22:06:20 commit. However, the one between those two commits does not. It should.

I’m not sure how complex this should be to fix. I could take the approach of just deleting the old commit and reprocessing it. That option is available now but I’m not sure it would work in all cases. I’m sure there’s a reason why I created a refresh script….

Unfortunately, the refresh code is rather old and does not invoke the same code as used for processing a new commit. I suspect I should change this approach.
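A small model of the gap described above, as an added example that is not FreshPorts code: a commit whose version could not be read gets an explicit UNKNOWN state instead of silently showing no skull, and the refresh path calls the same classifier as new-commit processing. The names (Commit, classify, refresh), the "vulnerable if older than FIXED_IN" rule and all version numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class VulnState(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    UNKNOWN = "unknown"  # version missing, so nothing may be claimed

@dataclass
class Commit:
    when: str
    portversion: Optional[str]  # None when the sanity test failed
    state: VulnState = VulnState.UNKNOWN

FIXED_IN = "1.0"  # constructed value, not taken from the real vuln entry

def parse(version: str) -> tuple:
    # Simplified dotted-integer comparison (assumption; real port
    # version comparison has more rules than this).
    return tuple(int(part) for part in version.split("."))

def classify(portversion: Optional[str], fixed_in: str) -> VulnState:
    if portversion is None:
        return VulnState.UNKNOWN
    if parse(portversion) < parse(fixed_in):
        return VulnState.VULNERABLE
    return VulnState.NOT_VULNERABLE

def process_commit(commit: Commit, fixed_in: str) -> Commit:
    commit.state = classify(commit.portversion, fixed_in)
    return commit

def refresh(commit: Commit, recovered: str, fixed_in: str) -> Commit:
    # Reuse the new-commit code path so both routes set the same flag.
    commit.portversion = recovered
    return process_commit(commit, fixed_in)

def needs_review(history: List[Commit]) -> List[str]:
    return [c.when for c in history if c.state is VulnState.UNKNOWN]

def sample_history() -> List[Commit]:
    # Dates of the first and last commit are from the post; the middle
    # entry and every version number are constructed.
    commits = [Commit("09 Apr 2006 13:08:16", "0.3"),
               Commit("between the two (constructed)", None),
               Commit("12 Apr 2006 22:06:20", "0.3")]
    return [process_commit(c, FIXED_IN) for c in commits]
```
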
