From eikemeier@fillmore-labs.com Wed Sep 17 10:27:03 2003
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 68ECA16A4BF for ; Wed, 17 Sep 2003 10:26:56 -0700 (PDT)
Received: from mx2.fillmore-labs.com (lima.fillmore-labs.com [62.138.193.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7945843F85 for ; Wed, 17 Sep 2003 10:26:55 -0700 (PDT) (envelope-from eikemeier@fillmore-labs.com)
Received: from atlantis.wireless.fillmore-labs.com ([192.168.161.242] helo=fillmore-labs.com) by mx2.fillmore-labs.com with asmtp (TLSv1:AES256-SHA:256) (Exim 4.22) id 19zg4s-0009HG-ST for FreeBSD-gnats-submit@FreeBSD.org; Wed, 17 Sep 2003 19:26:54 +0200
Message-Id: <3F68995E.90702@fillmore-labs.com>
Date: Wed, 17 Sep 2003 19:26:54 +0200
From: Oliver Eikemeier
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: [PATCH] pkg_install: match package version numbers with relational operators

>Number:         56961
>Category:       bin
>Synopsis:       [PATCH] pkg_install: match package version numbers with relational operators
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    eik
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 10:30:18 PDT 2003
>Closed-Date:    Fri Aug 13 17:10:53 GMT 2004
>Last-Modified:  Fri Aug 13 17:10:53 GMT 2004
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 5.1-CURRENT
>Description:
The overall idea is to have something like NetBSD's security/audit-packages
  http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060
It uses commands like

  pkg_info -E 'apache>=2.0<2.0.45' && echo " vulnerable: see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132"

to test for installed vulnerable packages.

The following features have been added:

* patterns can have relational operators (<, >, <=, >=, ==, !=) with a version
  number appended; if they do, the pattern matches only the base name, and the
  versions will be compared according to the relational operator. Multiple
  operators can be used; they all have to match (logical and), i.e. a glob
  pattern 'openldap-*>2.0<2.1' matches:

    openldap-server-2.0.27_2
    openldap-client-2.0.27

  it does not match:

    openldap-server-2.1.22   (version number mismatch)
    openldap-2.0.27          (glob pattern does not match)

* flag -E (pkg_info): list matching package names only (mainly for scripts),
  return 0 if any packages match, 1 otherwise.

    pkg_info -E 'openssh<3.6.1_2' && echo " vulnerable: http://www.openssh.com/txt/buffer.adv"

* flag -T (pkg_version): test if a given name matches a given pattern (mainly
  for scripts)

    pkg_version -T 'unzip-5.50' 'unzip<5.50_3' && \
      echo "before installing, please upgrade your port collection: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282"

* flag -X (pkg_info, pkg_delete, pkg_version): interpret arguments as extended
  regular expressions (instead of regular expressions):

    pkg_info -Ix '^openldap-\(client\)\{0,1\}\(server\)\{0,1\}-'
      =>
    pkg_info -IX '^openldap-(client|server)-'

* to get a more robust version number sorting, the version compare routines
  have been completely rewritten. The following structure of FreeBSD version
  numbers is assumed:

  - FreeBSD version numbers are composed of components separated by dots. A
    component consists of a version number, a letter and a patchlevel number
    (number letter number), where either the version number or the letter is
    optional; the patchlevel may only be present if it is preceded by a letter.
    This does not conform to the porter's handbook, but let us formulate rules
    that fit the current practice and are far simpler than making decisions
    based on the order of nutters and lembers. Besides, people use versions
    like 10b2 in the ports...
  - characters !~ [a-zA-Z0-9.] are treated as separators
    (1.0+2003.09.16 = 1.0.2003.09.16)
    this may not be what you expect: 1.0.1+2003.09.16 < 1.0+2003.09.16
  - consecutive separators are collapsed (10..1 = 10.1)
  - missing separators are inserted, letter number letter => letter number . letter
    (10a1b2 = 10a1.b2)
  - only the first letter is significant (except for the special string "pl"),
    and case is ignored (1.a2 = 1.alpha2 = 1.Anything2)
  - the letter sort order is: pl, a, b, ..., z
  - missing letters sort like "pl" (5 = 5pl0, 10 < 10a)
  - missing version numbers sort as -1 (a2 < 0.1, 10.a2 < 10.0)
  - missing components are assumed to be 0 (10 = 10.0 = 10.0.0)

  In case anybody is interested, this gives the following sort orders:

    10.a = 10.a.0 = 10.a0 < 10 = 10.0 < 10a = 10a.0 = 10a0
    11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
    6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 = 6r3b2 < 6r3
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

  the perl pkg_version on 4.x is nearly identical:

    10.a < 10.a.0 < 10.a0 < 10 < 10.0 < 10a < 10a.0 < 10a0
    11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
    6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

  whereas pkg_version on 5.x has:

    10.a.0 < 10.a < 10.a0 < 10 < 10.0 < 10a0 < 10a.0 < 10a
    11.b.1 < 11.b < 11.b1 < 11 < 11.1 < 11b.1 < 11b < 11b1
    6.r2b3 = 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
    8.pl3 < 8.0 < 8.0pl3 < 8pl3
    2.a+1.15 < 2.a2+1.15 < 2.a2+10.3 < 2.a+10.3

  and is not transitive:

    10.a.0 < 10.a < 10.a0, but 10.a.0 > 10.a0
    10a0 < 10a.0 < 10a, but 10a0 > 10a
    8.pl3 < 8.0 < 8.0pl3, but 8.0pl3 == 8.pl3

  portsversion from portupgrade follows the 4.x perl script with the exception of:

    2.a2+1.15 < 2.a2+10.3 < 2.a+1.15 < 2.a+10.3

  Besides, a bug has been fixed, which now allows version numbers to be parsed
  on ports with a number following an underscore (currently thx_1138,
  pips750_2000 and ruby-cast_256):

    ruby-cast_256-1.0 < ruby-cast_256-1.0_1

  (it is ruby-cast_256-1.0 > ruby-cast_256-1.0_1 on 5.x and
   ruby-cast_256-1.0 = ruby-cast_256-1.0_1 on 4.x)

* pkg_version uses /usr/ports/INDEX-5 on 5.x and /usr/ports/INDEX on 4.x
  (important for the port sysutils/pkg_install and a MFC)

>How-To-Repeat:
>Fix:
A patch is on
ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43 *** FreeBSD 5.X *** Apply it to your source tree (replaces base tools): # fetch ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz # md5 patch-pkg_install-20030917.gz # gzcat patch-pkg_install-20030917.gz | patch -p0 -d /usr/src/usr.sbin/pkg_install # cd /usr/src/usr.sbin/pkg_install; make clean all install Test with: # pkg_info -P Package tools revision: 20030917 *** FreeBSD 4.X *** Apply the following patch to port sysutils/pkg_install: --- pkg_install.patch begins here --- diff -Nur pkg_install/Makefile.orig pkg_install/Makefile --- pkg_install/Makefile.orig Thu Sep 4 18:40:45 2003 +++ pkg_install/Makefile Wed Sep 17 16:43:46 2003 @@ -12,6 +12,10 @@ MASTER_SITES= ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= marcus +PATCH_SITES= ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/ +PATCH_SITE_SUBDIR= patches +PATCHFILES= patch-pkg_install-20030917.gz + MAINTAINER= portmgr@freebsd.org COMMENT= FreeBSD 5.x version of the package tools for older system releases diff -Nur pkg_install/distinfo.orig pkg_install/distinfo --- pkg_install/distinfo.orig Wed Sep 3 18:11:20 2003 +++ pkg_install/distinfo Wed Sep 17 17:00:56 2003 @@ -1 +1,2 @@ MD5 (pkg_install-20030714.tar.gz) = 183bed34c5427aeaf2025d9e2176e9ed +MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43 --- pkg_install.patch ends here --- Test with: # /usr/local/sbin/pkg_info -P Package tools revision: 20030917 >Release-Note: >Audit-Trail: From: Sergey Matveychuk To: freebsd-gnats-submit@FreeBSD.org, eikemeier@fillmore-labs.com Cc: Subject: Re: bin/56961: [PATCH] pkg_install: match package version numbers with relational operators Date: Wed, 10 Dec 2003 15:46:47 +0300 Patch is unfetchable. Host unresolved. Fix please. -- Sem. 
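Review bot: the Makefile hunk ties the port's build to a single third-party host with no fallback: `PATCH_SITES= ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/` is the only place the patch can be fetched from, and the audit-trail reply from Sergey Matveychuk already reports "Patch is unfetchable. Host unresolved." Since the distfile is already served from `MASTER_SITES= ${MASTER_SITE_LOCAL}`, the patch could be mirrored there too, or committed under the port's files/ directory so the ports framework applies it without any fetch.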
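Review bot: the distinfo hunk adds only `+MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43`, and that checksum is the sole binding between the bytes reviewed here and whatever the external host serves later. The committer should regenerate the line from a copy fetched and inspected independently rather than pasting the value quoted in the Fix section, since a checksum taken from the same source as the file verifies nothing about it.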
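The version-number rules and the relational pattern syntax in the description are precise enough to reproduce; the block below is an added Python re-implementation written for this page, not pkg_install's C code from the patch. It follows the 2003 rules exactly as stated (a missing patchlevel counts as 0, so 10.a = 10.a0), and it assumes two things the description leaves open: a letter run that begins with "pl" is the special "pl", and a package name is split into base name and version at its last '-'. The installed-package list in the main block is constructed for the demonstration.

```python
"""Python re-implementation of the version-number and pattern rules described
in this PR.  Added example, not pkg_install's C code; it follows the 2003 rules
as stated in the description (missing patchlevel counts as 0, so 10.a = 10.a0)."""
import fnmatch
import re
from itertools import zip_longest

# A version is a list of components; each component is (number, letter rank, patchlevel).
_COMP_RE = re.compile(r'(\d*)([a-zA-Z]*)(\d*)')
# Relational operators allowed in a pattern, mapped to the compare results they accept.
_OP_RE = re.compile(r'(<=|>=|==|!=|<|>)')
_OPS = {'<': (-1,), '>': (1,), '<=': (-1, 0), '>=': (0, 1), '==': (0,), '!=': (-1, 1)}


def _letter_rank(letters):
    """Letter order is pl, a, b, ..., z; only the first letter counts and case is
    ignored.  Assumption: any letter run beginning with "pl" is the special "pl"."""
    letters = letters.lower()
    if not letters or letters.startswith('pl'):
        return 0
    return ord(letters[0]) - ord('a') + 1


def parse_version(version):
    """Split e.g. '6.0r2b3' into [(6, 0, 0), (0, 18, 2), (-1, 2, 3)]."""
    components = []
    # Characters outside [a-zA-Z0-9.] are separators; consecutive separators collapse.
    for part in re.split(r'[^a-zA-Z0-9]+', version):
        # findall yields the implicit split at letter-number-letter (10a1b2 = 10a1.b2).
        for num, letters, patch in _COMP_RE.findall(part):
            if not (num or letters or patch):
                continue            # empty match at the end of the part
            components.append((int(num) if num else -1,       # missing number sorts as -1
                               _letter_rank(letters),         # missing letter sorts as "pl"
                               int(patch) if patch else 0))   # missing patchlevel is 0
    return components


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 (10 = 10.0)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=(0, 0, 0)):
        if x != y:
            return -1 if x < y else 1
    return 0


def verify_chain(chain):
    """Check a sort-order chain written like the ones in the PR, e.g.
    '8.pl3 < 8.0 < 8.0pl3 < 8pl3'; True if every stated relation holds."""
    tokens = chain.split()
    for left, rel, right in zip(tokens[0::2], tokens[1::2], tokens[2::2]):
        if compare_versions(left, right) not in _OPS['==' if rel == '=' else rel]:
            return False
    return True


def split_pattern(pattern):
    """'openldap-*>2.0<2.1' -> ('openldap-*', [('>', '2.0'), ('<', '2.1')])."""
    parts = _OP_RE.split(pattern)
    return parts[0], list(zip(parts[1::2], parts[2::2]))


def match_pattern(pkgname, pattern):
    """Does an installed package (name-version) match a pattern?  With relational
    operators the glob applies to the base name only and every version condition
    must hold (logical and); without them the glob applies to the whole name."""
    base, conds = split_pattern(pattern)
    if not conds:
        return fnmatch.fnmatchcase(pkgname, base)
    name, sep, version = pkgname.rpartition('-')   # assumption: version follows the last '-'
    if not sep or not fnmatch.fnmatchcase(name, base):
        return False
    return all(compare_versions(version, v) in _OPS[op] for op, v in conds)


def matching_packages(installed, pattern):
    """The equivalent of `pkg_info -E pattern`: the names that match, in order."""
    return [p for p in installed if match_pattern(p, pattern)]


if __name__ == '__main__':
    # Constructed sample of installed packages (not taken from a real system).
    installed = ['openldap-server-2.0.27_2', 'openldap-client-2.0.27',
                 'openldap-server-2.1.22', 'openldap-2.0.27', 'unzip-5.50']
    for pattern in ('openldap-*>2.0<2.1', 'unzip<5.50_3', 'openldap-*'):
        print(pattern, '->', matching_packages(installed, pattern))
    for chain in ('10.a = 10.a.0 = 10.a0 < 10 = 10.0 < 10a = 10a.0 = 10a0',
                  '6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 = 6r3b2 < 6r3'):
        print(verify_chain(chain), chain)
```

`verify_chain` takes the sort-order lines from the description verbatim, so the five chains given for the rewritten routines can be checked one by one; the 4.x and 5.x chains are expected to fail where they differ. A script standing in for `pkg_info -E` would exit 0 when `matching_packages` returns a non-empty list and 1 otherwise.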
From: Oliver Eikemeier
To: freebsd-gnats-submit@FreeBSD.org
Cc:
Subject: Re: bin/56961: [PATCH] pkg_install: match package version numbers with relational operators
Date: Wed, 12 May 2004 22:20:01 +0200

Just for the record:

This and other features have been integrated into port sysutils/pkg_install-devel,
which is used to compare version numbers in portaudit. The version number sort and
matching rules have slightly changed from those cited above (as of pkg_install-devel
version 20040512):

- version numbers using `+' now sort as expected
- a missing patchlevel number now sorts as -1 for consistency with missing version
  numbers, giving 10.a < 10.a0, which is in line with the existing tools
- a component `*' has been introduced, which is guaranteed to sort *before* every
  other number, so that >=2.* <3.* will match *all* 2.x releases (even 2.alpha)
- csh style {} glob patterns can be used

-Oliver

State-Changed-From-To: open->patched
State-Changed-By: eik
State-Changed-When: Tue Jun 29 21:27:18 CEST 2004
State-Changed-Why:
Awaiting MFC

Responsible-Changed-From-To: freebsd-bugs->eik
Responsible-Changed-By: eik
Responsible-Changed-When: Tue Jun 29 21:27:18 CEST 2004
Responsible-Changed-Why:
Handle my own PRs

http://www.freebsd.org/cgi/query-pr.cgi?pr=56961

State-Changed-From-To: patched->closed
State-Changed-By: eik
State-Changed-When: Fri Aug 13 19:10:38 CEST 2004
State-Changed-Why:
MFCed

http://www.freebsd.org/cgi/query-pr.cgi?pr=56961
>Unformatted: