-rw-r--r--  documentation/content/en/books/porters-handbook/security/_index.adoc  35
1 files changed, 29 insertions, 6 deletions
diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc
index f4cffaac96..53a7a4b793 100644
--- a/documentation/content/en/books/porters-handbook/security/_index.adoc
+++ b/documentation/content/en/books/porters-handbook/security/_index.adoc
@@ -316,11 +316,34 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
The former version matches while the latter one does not.
[[security-xcheck-vuxml]]
-=== Cross-checking Derivatives
-
-If an upstream project has a known vulnerability, check whether derivatives or
-forks of the project included in the ports tree are also affected.
+=== VuXML new entry checklist
+
+* Check the name of the port.
+Sometimes the upstream project name is not exactly the same as the port name.
+* Add all flavors.
+When a port has flavors all the package names need to be added as a `<package>` in
+the entry.
+Use the following script to generate all flavored package names:
++
+[source,shell]
+....
+% for flavor in $(make -V FLAVORS); do FLAVOR="${flavor}" make -VPKGNAME;done
+....
++
+* Check if the port has `PORTEPOCH`.
+The above script snippet helps with that.
+If the port uses `PORTEPOCH` it is mandatory to add it to the `<range>` tag.
+* Double check ranges.
+In the case of ranges limited on both sides, make sure that the `<ge>` and
+`<lt>` elements are inside the same `<range>` tag.
+Otherwise the entry might end up defining an overlapping range.
+* Cross-check derivatives.
+Check whether derivatives or forks of the project included in the ports tree are also affected.
For example, if a vulnerability is discovered in package:www/firefox[], assess
whether derivatives like package:www/librewolf[], package:www/waterfox[] or
-other similar projects share the same vulnerability. Include all affected
-derivatives in the VuXML entry, ensuring that users of these ports are informed.
+other similar projects share the same vulnerability.
+Include all affected derivatives in the VuXML entry, ensuring that users of these ports are informed.
+Also check if there are Linux versions of the same port in the tree.
+For instance, package:databases/sqlite3[] vulnerabilities most likely affect packages like
+package:databases/linux-c7-sqlite3[] too.
+* Do not commit an entry without running `make validate` first.
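Review bot: The flavor script in the "Add all flavors" item produces no output for a port without flavors, because `make -V FLAVORS` expands to an empty string and the loop body never runs; since the "Check if the port has `PORTEPOCH`" item then says "The above script snippet helps with that", a reader working on an unflavored port gets no package name at all from which to read the epoch. Suggest adding a sentence after the snippet stating that for a port without flavors a plain `make -V PKGNAME` gives the single package name (including any `PORTEPOCH` suffix), and for consistency writing the flag with a space in both places (`make -V PKGNAME`) with a space before `done`. The final item, "Do not commit an entry without running `make validate` first", should also say in which directory the target is expected to be run, since the rest of the checklist is written from the perspective of the affected port's directory and the target is not defined there.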