Re: dns/knot-resolver security update to 5.7.1 (was: dns/knot3 update to 3.3.4)
Date: Sun, 25 Feb 2024 17:28:27 UTC
> On Feb 25, 2024, at 6:15 PM, Michael Grimm <trashcan@ellael.org> wrote:
>
> Moin Rahman <bofh@FreeBSD.org> wrote:
>
>>> On Feb 25, 2024, at 5:04 PM, Michael Grimm <trashcan@ellael.org> wrote:
>>>
>>> a new version of this port has been released two months ago.
>>>
>>> The maintainer normally updates knot3 shortly after the release of a new version. He didn't react to a mail of mine. No pun intended, there are numerous reasons for that.
>>>
>>> I do have a git-diff patch at hand, successfully compiling with poudriere, and running well for 1 month now.
>>>
>>> What can I do to get this patch committed?
>>> Shall I create a PR like https://cgit.freebsd.org/ports/commit/?id=11f44f375254e07a262455aaf8311bfd4bbedb67
>
>> It's best to create a PR and await the maintainer-timeout.
>
> Done, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277305 I will let time take its course of action.
>> However on certain cases like security or vulnerability issues the update
>> can be committed without the maintainer-approval. So if this is a release
>> related to the recent dnssec security issue let me know.
>
> dns/knot3 as an authoritative DNS server isn't affected by CVE-2023-50868, if I am not mistaken. Ain't no DNS expert …
>
> BUT, dns/knot-resolver is affected: https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
>
> I do not use that port, yet.
> But I opened another PR on that security update to dns/knot-resolver: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277306
>
> All I can say is: dns/knot-resolver 5.7.1 compiles with poudriere.

I will commit this soonish.

> HTH,
> Michael
>
> P.S. Please forgive my lack of experience with PRs ;-)
> Please let me know what to correct if necessary

Well as a starter:

1. You do not need PORTREVISION when you are already bumping PORTVERSION or updating versions. I will fix it while committing.
2. Follow this process:
   a. Initially create the PR with synopsis and description.
   b. Create git-formatted patch
   c. Read this section of the documentation: https://docs.freebsd.org/en/articles/committers-guide/#git-mini-daily-use
   d. Especially the git hook part and try to use the hook from here: https://cgit.freebsd.org/ports/tree/.hooks/prepare-commit-msg
   e. Now make a commit to your local branch with the description, PR etc., whatever is relevant.
   f. Create a git-formatted patch and attach it to the PR.

While people think this is a difficult workflow, it actually makes our life easier as we also have to do the same, and it also helps us attribute external developers more easily.

Kind regards,
Moin