pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/doc/guide/files guide: expand section on editing the p...
details: https://anonhg.NetBSD.org/pkgsrc/rev/48c5328523a3
branches: trunk
changeset: 457307:48c5328523a3
user: wiz <wiz%pkgsrc.org@localhost>
date: Sun Aug 22 16:27:50 2021 +0000
description:
guide: expand section on editing the pkg-vulnerabilities file
Requested by kim@
diffstat:
doc/guide/files/fixes.xml | 41 ++++++++++++++++++++++++++++++++++++++---
1 files changed, 38 insertions(+), 3 deletions(-)
diffs (62 lines):
diff -r 1b2876cecfaf -r 48c5328523a3 doc/guide/files/fixes.xml
--- a/doc/guide/files/fixes.xml Sun Aug 22 14:53:58 2021 +0000
+++ b/doc/guide/files/fixes.xml Sun Aug 22 16:27:50 2021 +0000
@@ -1,4 +1,4 @@
-<!-- $NetBSD: fixes.xml,v 1.162 2021/07/06 16:57:09 schmonz Exp $ -->
+<!-- $NetBSD: fixes.xml,v 1.163 2021/08/22 16:27:50 wiz Exp $ -->
<chapter id="fixes"> <?dbhtml filename="fixes.html"?>
<title>Making your package work</title>
@@ -567,8 +567,40 @@
<title>Handling packages with security problems</title>
<para>When a vulnerability is found, this should be noted in
- <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>,
- and after committing that file, ask pkgsrc-security%NetBSD.org@localhost to
+ <filename>localsrc/security/advisories/pkg-vulnerabilities</filename>.
+ Entries in that file consist of three parts:</para>
+ <itemizedlist>
+ <listitem><para>package version pattern</para></listitem>
+ <listitem><para>type of vulnerability (please cut'n'paste an existing one where possible)</para></listitem>
+ <listitem><para>URL providing additional information about the issue</para></listitem>
+ </itemizedlist>
+
+ <para>For the package version pattern please always use `<' to
+ mark an upper bound (not `<='!). This will avoid possible
+ problems due unrelated <varname>PKGREVISION</varname> bumps not
+ related to security fixes. Lower bounds can be added too, using
+ '>' or '>='. For example,
+ <quote><literal>foo>'=1<1.2</literal></quote> would mark
+ versions 1.0 (included) to 1.2 (excluded) of
+ <quote><literal>foo</literal></quote> as affected by the security
+ issue.</para>
+
+ <para>Entries should always be added at the bottom of the file.</para>
+
+ <para>When fixing packages, please modify the upper bound of the
+ corresponding entry. To continue the previous example, if a fix
+ was backported to version 1.1nb2, change the previous pattern to
+ <quote><literal>foo>'=1<1.1nb2</literal></quote>.</para>
+
+ <para>To locally test a package version pattern against a
+ <varname>PKGNAME</varname> you can use the <command>pkg_admin
+ pmatch</command> command.</para>
+
+ <para>The URL should be as permanent as possible and provide as
+ much information about the issue as possible. CVE entries are
+ preferred.</para>
+
+ <para>After committing that file, ask pkgsrc-security%NetBSD.org@localhost to
update the file on ftp.NetBSD.org.</para>
<para>After fixing the vulnerability by a patch, its
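Review bot: the two example patterns in this hunk carry a stray apostrophe, `foo>'=1<1.2` and `foo>'=1<1.1nb2`; they should read `foo>=1<1.2` and `foo>=1<1.1nb2`, otherwise readers will copy an invalid pattern into pkg-vulnerabilities. Since this is XML, the bare `<` characters in character data (the `` `<' `` / `` `<=' `` sentence and the `<` inside both `<literal>` elements) must be written as `&lt;` or the file will not parse; `>` is fine as is. Two smaller points: "problems due unrelated PKGREVISION bumps not related to security fixes" should be "problems due to unrelated PKGREVISION bumps", dropping the duplicated "not related", and the `pkg_admin pmatch` paragraph would be more useful with the invocation spelled out, e.g. `pkg_admin pmatch 'foo>=1<1.2' foo-1.1nb2` (exit status 0 means the version is matched by the pattern).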
@@ -582,6 +614,9 @@
<para>Binary packages already on ftp.NetBSD.org will be handled
semi-automatically by a weekly cron job.</para>
+
+ <para>In case a security issue is disputed, please contact
+ pkgsrc-security%NetBSD.org@localhost.</para>
</sect2>