[Bug 259150] ports-mgmt/pkg: pkg install does not check FreeBSD_version annotation

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 13 Oct 2021 18:35:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259150

            Bug ID: 259150
           Summary: ports-mgmt/pkg: pkg install does not check
                    FreeBSD_version annotation
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: ross@ross-williams.net
             Flags: maintainer-feedback?(pkg@FreeBSD.org)

Created attachment 228675
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228675&action=edit
MANIFEST with FreeBSD_version from the future

Overview:

   Calling `pkg install $LOCAL_FILE`, where LOCAL_FILE is either a local path
   to a valid package file or a file scheme URI, never checks the
   `FreeBSD_version` metadata to see if the package file is from a future
   version of FreeBSD. This check is always performed when installing a local
   file with the `pkg add` command, unless the `IGNORE_OSVER` option is set.

Steps to Reproduce:

   1) Download the attached MANIFEST file.
   2) Create a test package by running:
      pkg create -M $PATH_TO_MANIFEST_FILE

      pkg-create will write a file in the current directory named
      `fromthefuture-0.pkg`
   3) Attempt to install using pkg-add:
      `pkg add fromthefuture-0.pkg`

      This will fail with the error:
      "pkg: Newer FreeBSD version for package fromthefuture"
   4) Attempt to install using pkg-install:
      `pkg install /absolute/path/to/fromthefuture-0.pkg`

      This will succeed, despite the FreeBSD version mismatch.
   5) Don't forget to remove this bogus package:
      `pkg remove -y fromthefuture`

Actual Results:

   `pkg install` succeeded where `pkg add` refused.

Expected Results:

   Both entrypoints to installing a package should perform the same checks
   on local package files.

Build Date & Hardware:

   pkg 1.17.2 on FreeBSD 13.0-STABLE

Additional Information:

   This behavior occurs due to the condition on line 1110 of pkg_add.c,
   in pkg_add_common():

   https://github.com/freebsd/pkg/blob/ef8e71553deb048004d40b70806867d6fa05b26b/libpkg/pkg_add.c#L1107-L1118

   `pkg install` reaches `pkg_add_common()` via the wrapper function
   `pkg_add_from_remote()`, while `pkg add` reaches it via the wrapper
   function `pkg_add()`. The latter NULLs the `remote` argument, while
   the former passes a `struct pkg` pointer.

   In either case, the effect is to install a package from a local file.
   I'm mulling over the right way to possibly fix this, because the job
   executor is involved in `pkg install`. Therefore, it's a question where
   the "local file" detection code should live. Food for thought.

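The report above describes the check that `pkg add` performs and `pkg install` skips: comparing the package's `FreeBSD_version` annotation against the running system. The script below is an added example, not part of the bug report and not pkg's own code: a standalone pre-install gate that extracts the annotation from a package's +MANIFEST and refuses packages built for a newer FreeBSD, honouring `IGNORE_OSVER` the way pkg does. It assumes (not stated on the page) that the annotation appears in the manifest as `FreeBSD_version: NNNNNNN` (quoted or not), that the host version is what `uname -K` / `kern.osreldate` reports, and that an unannotated package is accepted. The function names `manifest_osversion`, `osver_check` and `vet_pkg_file` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report or from pkg itself: a pre-install
# gate that applies the FreeBSD_version check `pkg add` performs, so a local
# .pkg file can be vetted before being handed to `pkg install`.

# Extract the numeric FreeBSD_version annotation from manifest text on stdin.
# Accepts both the JSON form ("FreeBSD_version":"1500000") found in +MANIFEST
# and the UCL form (FreeBSD_version: 1500000) used for `pkg create -M`.
# Prints nothing when the annotation is absent.  (Assumed layout.)
manifest_osversion() {
    sed -n 's/.*"\{0,1\}FreeBSD_version"\{0,1\}[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# osver_check PKG_VERSION HOST_VERSION
# Returns 0 when the package may be installed, 1 when it was built for a
# newer FreeBSD (mirroring pkg add's "Newer FreeBSD version" refusal), and
# 2 when the host version is unknown.  IGNORE_OSVER=1 bypasses the check,
# as pkg's IGNORE_OSVER option does.
osver_check() {
    pkgver=$1
    hostver=$2
    if [ "${IGNORE_OSVER:-0}" = "1" ]; then
        return 0
    fi
    # Assumption: a package without the annotation is not refused.
    if [ -z "$pkgver" ]; then
        return 0
    fi
    if [ -z "$hostver" ]; then
        echo "osver_check: host FreeBSD_version unknown" >&2
        return 2
    fi
    if [ "$pkgver" -gt "$hostver" ]; then
        return 1
    fi
    return 0
}

# vet_pkg_file FILE [HOST_VERSION]
# Run the gate on a real .pkg archive (the +MANIFEST entry is read with tar).
# HOST_VERSION defaults to the running kernel's __FreeBSD_version.
vet_pkg_file() {
    file=$1
    hostver=${2:-$(uname -K 2>/dev/null || sysctl -n kern.osreldate 2>/dev/null)}
    pkgver=$(tar -xOf "$file" +MANIFEST 2>/dev/null | manifest_osversion)
    if osver_check "$pkgver" "$hostver"; then
        echo "ok: $file (package FreeBSD_version=${pkgver:-none}, host=$hostver)"
        return 0
    fi
    echo "refuse: $file was built for FreeBSD_version $pkgver, host is $hostver" >&2
    return 1
}

# Usage, e.g. before installing the package from the reproduction steps:
#   vet_pkg_file ./fromthefuture-0.pkg && pkg install ./fromthefuture-0.pkg
```

Because `vet_pkg_file` returns non-zero on a mismatch, chaining it with `&&` in front of `pkg install` restores the refusal that `pkg add` would have produced, without relying on the job executor to perform the check.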