-rw-r--r-- | documentation/content/en/books/porters-handbook/security/_index.adoc | 35 |
1 files changed, 29 insertions, 6 deletions
diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc index f4cffaac96..53a7a4b793 100644 --- a/documentation/content/en/books/porters-handbook/security/_index.adoc +++ b/documentation/content/en/books/porters-handbook/security/_index.adoc 
@@ -316,11 +316,34 @@ WWW: https://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html The former version matches while the latter one does not. [[security-xcheck-vuxml]] -=== Cross-checking Derivatives - -If an upstream project has a known vulnerability, check whether derivatives or -forks of the project included in the ports tree are also affected. +=== VuXML new entry checklist + +* Check the name of the port. +Sometimes the upstream project name is not exactly the same as the port name. +* Add all flavors. +When a port has flavors all the package names need to be added as a `<package>` in +the entry. +Use the following script to generate all flavored package names: ++ +[source,shell] +.... +% for flavor in $(make -V FLAVORS); do FLAVOR="${flavor}" make -VPKGNAME;done +.... ++ +* Check if the port has `PORTEPOCH`. +The above script snippet helps with that. +If the port uses `PORTEPOCH` it is mandatory to add it to the `<range>` tag. +* Double check ranges. +In the case of ranges limited on both sides, make sure that the `<ge>` and +`<lt>` elements are inside the same `<range>` tag. +Otherwise the entry might end up defining an overlapping range. +* Cross-check derivatives. +Check whether derivatives or forks of the project included in the ports tree are also affected. For example, if a vulnerability is discovered in package:www/firefox[], assess whether derivatives like package:www/librewolf[], package:www/waterfox[] or -other similar projects share the same vulnerability. Include all affected -derivatives in the VuXML entry, ensuring that users of these ports are informed. +other similar projects share the same vulnerability. +Include all affected derivatives in the VuXML entry, ensuring that users of these ports are informed. +Also check if there are Linux versions of the same port in the tree. +For instance, package:databases/sqlite3[] vulnerabilities most likely affect packages like +package:databases/linux-c7-sqlite3[] too. 
+* Do not commit an entry without running `make validate` first.
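Review bot: In the `PORTEPOCH` bullet of this hunk, "it is mandatory to add it to the `<range>` tag" is imprecise and should say where the epoch actually goes: the `,N` suffix is part of the package version string, so it belongs inside each `<ge>`/`<lt>`/`<eq>` value within the `<range>` (e.g. `<lt>1.2.3,1</lt>`), not on the `<range>` element itself; since a version with a higher epoch compares greater than any version without one, an entry that leaves the epoch out silently matches no installed package. In the "Double check ranges" bullet, "might end up defining an overlapping range" understates the failure: each `<range>` is matched independently, so a `<ge>` alone in one `<range>` and a `<lt>` alone in another together match every version of the package, which is worth stating plainly. The flavor loop in the `[source,shell]` block prints nothing for a port without `FLAVORS`, yet the `PORTEPOCH` bullet says "The above script snippet helps with that"; suggest adding plain `make -V PKGNAME` for unflavored ports, writing `-VPKGNAME` as `-V PKGNAME` to match `-V FLAVORS` earlier on the same line, and noting that `for ... do ... done` is `sh` syntax that will not run under `csh`/`tcsh` despite the `%` prompt. Finally, "running `make validate` first" should say that the target is run in the security/vuxml port directory, not in the directory of the port being fixed.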