Re: Issues with security/step-cli

In reply to: Michael Gmelin : "Re: Issues with security/step-cli"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Markus Wipp <mw_at_wipp.bayern>
Date: Tue, 03 Aug 2021 13:43:36 UTC

> On 3. Aug 2021, at 15:31, Michael Gmelin <freebsd@grem.de> wrote:
> 
> 
> 
> On Tue, 3 Aug 2021 14:53:07 +0200
> Markus Wipp <mw@wipp.bayern <mailto:mw@wipp.bayern>> wrote:
> 
>>> On 3. Aug 2021, at 14:34, Michael Gmelin <freebsd@grem.de> wrote:
>>> 
>>> 
>>> 
>>> On Tue, 3 Aug 2021 13:41:42 +0200
>>> Markus Wipp <mw@wipp.bayern> wrote:
>>> 
>>>> Sure. I attached you the diff.
>>>> 
>>>> 
>>>>> On 3. Aug 2021, at 13:35, Michael Gmelin <freebsd@grem.de> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 3. Aug 2021, at 13:29, Markus Wipp <mw@wipp.bayern> wrote:
>>>>>> 
>>>>>> Hi all, 
>>>>>> 
>>>>>> I’m the maintainer of the security/step-cli port and I’m
>>>>>> currently facing some issues, I seem to be unable to fix.
>>>>>> 
>>>>>> I currently try to create the patch for the latest version 0.16.1
>>>>>> 
>>>>>> I did the following:
>>>>>> 
>>>>>> 1) I removed all files in /usr/ports/distfiles
>>>>>> 2) I did a make clean makesum stage (which ran fine)
>>>>>> 3) I did a make clean package (which always runs into the
>>>>>> following error: => Attempting to fetch
>>>>>> https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz
>>>>>> fetch: 4020010: No such file or directory fetch: 4020010: No such
>>>>>> file or directory fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory
>>>>>> fetch:
>>>>>> https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz:
>>>>>> size unknown fetch:
>>>>>> https://codeload.github.com/etcd-io/etcd/tar.gz/v3.5.0?dummy=/etcd-io-etcd-v3.5.0_GH0.tar.gz:
>>>>>> size of remote file is not known etcd-io-etcd-v3.5.0_GH0.tar.gz
>>>>>>                   3925 kB   10 MBps    00s => Attempting to
>>>>>> fetch
>>>>>> http://distcache.FreeBSD.org/ports-distfiles/etcd-io-etcd-v3.5.0_GH0.tar.gz
>>>>>> fetch: 4020010: No such file or directory fetch: 4020010: No such
>>>>>> file or directory fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory fetch: 4020010: No
>>>>>> such file or directory fetch: 4020010: No such file or directory
>>>>>> fetch: 4020010: No such file or directory fetch: 4020010: No
>>>>>> such file or directory fetch: 4020010: No such file or directory
>>>>>> fetch:
>>>>>> http://distcache.FreeBSD.org/ports-distfiles/etcd-io-etcd-v3.5.0_GH0.tar.gz:
>>>>>> Not Found => Couldn't fetch it - please try to retrieve this =>
>>>>>> port manually into /usr/ports/distfiles/ and try again. ***
>>>>>> Error code 1
>>>>>> 
>>>>>> Is there anything I did wrong? Anything I can do to fix this
>>>>>> issue? 
>>>>> 
>>>>> Unless someone else knows what’s wrong anyway: Could you share
>>>>> your port skeleton? (at least the files that changed or the
>>>>> output of `git diff’)
>>>>> 
>>>>> 
>>>>>> Thanks in advance
>>>>>> Markus    
>>>> 
>>> 
>>> distinfo contains the entry for etcd-io-etcd-v3.5.0_GH0.tar.gz
>>> multiple times (due to it being listed multiple times in GH_TUPLE).
>>> 
>>> It seems to build okay when getting rid of the duplicates in
>>> distinfo. I don't know if what you're doing is officially
>>> supported, but if it is, we should probably adapt tooling. Also,
>>> portlint didn't complain and `make makesum' re-creates the
>>> duplicates.
>>> 
>>> @portmgr Please find attached an example of a patch that dedups
>>> distinfo on `make makesum', it might more sense to fix this
>>> somewhere else in the framework (so that e.g., checksums aren't
>>> validated multiple times etc.), up to you.  
>> 
>> Ok, then this is one more thing I should take care of! I did not add
>> it multiple times on purpose. The GH_TUPLE was just built with go mod
>> vendor and modules2tuple. Could it be that there the duplicates need
>> to be fixed?
> 
> Well, it seems like they are unpacked in multiple places. I don't know
> the software well enough if this is required or not. If it is, you
> could leave things as they are now and modify distinfo manually (if this
> is actually allowed by the framework).
> 
> It would be nicer though to create a post-extract target that moves
> things into place explicitly (either by copying them, or simply by
> creating symbolic links, if this is supported by the software you're
> porting).

Ok, I will for now remove it manually from the distinfo file.
I’m not sure whether it is supported and whether it is worth the effort, but will have a look at it later and try to understand what you’re suggesting.

Thanks for your quick help!
Markus
> 
> -m
> 
>> 
>> 
>>> 
>>> Cheers,
>>> Michael
>>> 
>>> -- 
>>> Michael Gmelin
>>> <makesum_dedup.diff>  
> 
> 
> 
> -- 
> Michael Gmelin