From eikemeier@fillmore-labs.com  Wed Sep 17 10:27:03 2003
Return-Path: <eikemeier@fillmore-labs.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 68ECA16A4BF
	for <FreeBSD-gnats-submit@FreeBSD.org>; Wed, 17 Sep 2003 10:26:56 -0700 (PDT)
Received: from mx2.fillmore-labs.com (lima.fillmore-labs.com [62.138.193.83])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7945843F85
	for <FreeBSD-gnats-submit@FreeBSD.org>; Wed, 17 Sep 2003 10:26:55 -0700 (PDT)
	(envelope-from eikemeier@fillmore-labs.com)
Received: from atlantis.wireless.fillmore-labs.com ([192.168.161.242] helo=fillmore-labs.com)
	by mx2.fillmore-labs.com with asmtp (TLSv1:AES256-SHA:256)
	(Exim 4.22)
	id 19zg4s-0009HG-ST
	for FreeBSD-gnats-submit@FreeBSD.org; Wed, 17 Sep 2003 19:26:54 +0200
Message-Id: <3F68995E.90702@fillmore-labs.com>
Date: Wed, 17 Sep 2003 19:26:54 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: [PATCH] pkg_install: match package version numbers with relational
 operators

>Number:         56961
>Category:       bin
>Synopsis:       [PATCH] pkg_install: match package version numbers with relational operators
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    eik
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 10:30:18 PDT 2003
>Closed-Date:    Fri Aug 13 17:10:53 GMT 2004
>Last-Modified:  Fri Aug 13 17:10:53 GMT 2004
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 5.1-CURRENT

>Description:

The overall idea is to have something like NetBSD's security/audit-packages
  http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060

it uses commands like
  pkg_info -E 'apache>=2.0<2.0.45' && echo "  vulnerable: see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132"

to test for installed vulnerable packages. The following features have been added:

* patterns can have relational operators (<, >, <=, >=, ==, !=) with a version number
appended. If they do, the pattern matches only the base name, and the versions are
compared according to the relational operator. Multiple operators can be used; all of
them have to match (logical and).

e.g. a glob pattern 'openldap-*>2.0<2.1' matches:
openldap-server-2.0.27_2
openldap-client-2.0.27

it does not match:
openldap-server-2.1.22 (version number mismatch)
openldap-2.0.27 (glob pattern does not match)

* flag -E (pkg_info):
list matching package names only (mainly for scripts),
return 0 if any packages match, 1 otherwise.
  pkg_info -E 'openssh<3.6.1_2' && echo "  vulnerable: http://www.openssh.com/txt/buffer.adv"

* flag -T (pkg_version)
test if a given name matches a given pattern (mainly for scripts)

pkg_version -T 'unzip-5.50' 'unzip<5.50_3' && \
echo "before installing, please upgrade your port collection: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282"

* flag -X (pkg_info, pkg_delete, pkg_version):
interpret arguments as extended regular expressions (instead of regular expressions):

  pkg_info -Ix '^openldap-\(client\)\{0,1\}\(server\)\{0,1\}-'
=>
  pkg_info -IX '^openldap-(client|server)-'

* to get a more robust version number sorting, the version compare routines have been
completely rewritten. The following structure of FreeBSD version numbers is assumed:

- FreeBSD version numbers are composed of components separated by dots. A component
  consists of a version number, a letter and a patchlevel number (number letter number),
  where either the version number or the letter is optional; the patchlevel may only
  be present if it is preceded by a letter.
  This does not conform to the Porter's Handbook, but let us formulate rules that
  fit current practice and are far simpler than making decisions
  based on the order of nutters and lembers. Besides, people use versions
  like 10b2 in the ports...
- characters !~ [a-zA-Z0-9.] are treated as separators (1.0+2003.09.16 = 1.0.2003.09.16)
  this may not be what you expect: 1.0.1+2003.09.16 < 1.0+2003.09.16
- consecutive separators are collapsed (10..1 = 10.1)
- missing separators are inserted, letter number letter => letter number . letter (10a1b2 = 10a1.b2)
- only the first letter is significant (except for the special string "pl"),
  and case is ignored (1.a2 = 1.alpha2 = 1.Anything2)
- the letter sort order is: pl, a, b, ..., z
- missing letters sort like "pl" (5 = 5pl0, 10 < 10a)
- missing version numbers sort as -1 (a2 < 0.1, 10.a2 < 10.0)
- missing components are assumed to be 0 (10 = 10.0 = 10.0.0)

In case anybody is interested, this gives the following sort orders:
  10.a = 10.a.0 = 10.a0 < 10 = 10.0 < 10a = 10a.0 = 10a0
  11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
  6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 = 6r3b2 < 6r3
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

the perl pkg_version on 4.x is nearly identical:
  10.a < 10.a.0 < 10.a0 < 10 < 10.0 < 10a < 10a.0 < 10a0
  11.b < 11.b.1 < 11.b1 < 11 < 11.1 < 11b < 11b.1 < 11b1
  6.r2b3 < 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a+10.3 < 2.a2+1.15 < 2.a2+10.3

whereas pkg_version on 5.x has:
  10.a.0 < 10.a < 10.a0 < 10 < 10.0 < 10a0 < 10a.0 < 10a
  11.b.1 < 11.b < 11.b1 < 11 < 11.1 < 11b.1 < 11b < 11b1
  6.r2b3 = 6.0r2b3 < 6r.3b.2 < 6r.3b2 < 6r3.b2 < 6r3 < 6r3b2
  8.pl3 < 8.0 < 8.0pl3 < 8pl3
  2.a+1.15 < 2.a2+1.15 < 2.a2+10.3 < 2.a+10.3
and is not transitive:
  10.a.0 < 10.a < 10.a0, but 10.a.0 > 10.a0
  10a0 < 10a.0 < 10a, but 10a0 > 10a
  8.pl3 < 8.0 < 8.0pl3, but 8.0pl3 == 8.pl3

portsversion from portupgrade follows the 4.x perl script with the exception of:
  2.a2+1.15 < 2.a2+10.3 < 2.a+1.15 < 2.a+10.3

besides, a bug has been fixed so that version numbers of ports with a number following
an underscore (currently thx_1138, pips750_2000 and ruby-cast_256) are parsed correctly:
ruby-cast_256-1.0 < ruby-cast_256-1.0_1
(it's ruby-cast_256-1.0 > ruby-cast_256-1.0_1 on 5.x and ruby-cast_256-1.0 = ruby-cast_256-1.0_1 on 4.x)

* pkg_version uses /usr/ports/INDEX-5 on 5.x and /usr/ports/INDEX on 4.x
  (important for the port sysutils/pkg_install and a MFC)

>How-To-Repeat:
>Fix:

A patch is on ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz
MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43

*** FreeBSD 5.X ***

Apply it to your source tree (replaces base tools):
# fetch ftp://ftp.fillmore-labs.com/pub/FreeBSD/patches/patch-pkg_install-20030917.gz
# md5 patch-pkg_install-20030917.gz
# gzcat patch-pkg_install-20030917.gz | patch -p0 -d /usr/src/usr.sbin/pkg_install
# cd /usr/src/usr.sbin/pkg_install; make clean all install

Test with:
# pkg_info -P
Package tools revision: 20030917

*** FreeBSD 4.X ***

Apply the following patch to port sysutils/pkg_install:

--- pkg_install.patch begins here ---
diff -Nur pkg_install/Makefile.orig pkg_install/Makefile
--- pkg_install/Makefile.orig	Thu Sep  4 18:40:45 2003
+++ pkg_install/Makefile	Wed Sep 17 16:43:46 2003
@@ -12,6 +12,10 @@
 MASTER_SITES=		${MASTER_SITE_LOCAL}
 MASTER_SITE_SUBDIR=	marcus
 
+PATCH_SITES=		ftp://ftp.fillmore-labs.com/pub/FreeBSD/%SUBDIR%/
+PATCH_SITE_SUBDIR=	patches
+PATCHFILES=		patch-pkg_install-20030917.gz
+
 MAINTAINER=		portmgr@freebsd.org
 COMMENT=		FreeBSD 5.x version of the package tools for older system releases
 
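Review bot: the PATCHFILES entry makes the port fetch patch-pkg_install-20030917.gz from ftp.fillmore-labs.com over plain FTP, so the build depends on a single third-party host staying reachable (the follow-up in this PR already reports it unfetchable) and the only integrity anchor is a checksum published by the same party that serves the file. Committing the diff into the port's own files/ directory as a patch-* file removes both the availability and the trust dependency; if the remote PATCHFILES approach is kept, this hunk should also bump PORTREVISION, since the installed tools change.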
diff -Nur pkg_install/distinfo.orig pkg_install/distinfo
--- pkg_install/distinfo.orig	Wed Sep  3 18:11:20 2003
+++ pkg_install/distinfo	Wed Sep 17 17:00:56 2003
@@ -1 +1,2 @@
 MD5 (pkg_install-20030714.tar.gz) = 183bed34c5427aeaf2025d9e2176e9ed
+MD5 (patch-pkg_install-20030917.gz) = 82ddd00ae3f48e4cb2f186363820cd43
--- pkg_install.patch ends here ---

Test with:
# /usr/local/sbin/pkg_info -P
Package tools revision: 20030917

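The version-ordering rules and the relational-operator patterns described in the Description above, modelled in Python as an added example; this is not the PR's C patch or pkg_install's own code. It follows the 20030917 rules as written (missing patchlevel = 0, so 10.a = 10.a0), not the 2004 revisions listed later in the audit trail. The function names, the constructed list of installed packages, and the choice to treat only a letter run that is exactly "pl" as the special string are assumptions.

```python
"""Added example: a model of this PR's version-number ordering and of the
pkg_info -E style 'glob>=ver<ver' patterns. Not pkg_install's code; the
function names and the exact-"pl" rule are assumptions."""
import fnmatch
import re
from functools import cmp_to_key

PL = -1            # rank of "pl" and of a missing letter: before 'a' (0), 'b' (1), ...
PAD = (0, PL, 0)   # a missing component counts as 0 ("10 = 10.0 = 10.0.0")

_PIECE = re.compile(r'([0-9]*)([A-Za-z]*)([0-9]*)')


def _letter_rank(letters):
    # Only the first letter is significant and case is ignored
    # ("1.a2 = 1.alpha2 = 1.Anything2"); "pl" ranks below 'a'.
    # Assumption: only a run that is exactly "pl" is the special string.
    if not letters or letters.lower() == 'pl':
        return PL
    return ord(letters[0].lower()) - ord('a')


def parse_version(version):
    """Return the list of (number, letter rank, patchlevel) components."""
    components = []
    # Anything outside [A-Za-z0-9] separates components and runs of separators
    # collapse, so "1.0+2003.09.16" splits like "1.0.2003.09.16" and "10..1"
    # like "10.1".
    for token in re.split(r'[^A-Za-z0-9]+', version):
        pos = 0
        while pos < len(token):
            num, letters, patch = _PIECE.match(token, pos).groups()
            pos += len(num) + len(letters) + len(patch)
            # A letter after a patchlevel starts a new component ("10a1b2 =
            # 10a1.b2"); a missing number sorts as -1, a missing patchlevel
            # as 0 ("5 = 5pl0"). Digits with no letter can never be a patchlevel
            # because the first group is greedy.
            components.append((int(num) if num else -1,
                               _letter_rank(letters),
                               int(patch) if patch else 0))
    return components


def compare_versions(a, b):
    """-1, 0 or 1 like strcmp; the shorter component list is padded with PAD."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += [PAD] * (n - len(va))
    vb += [PAD] * (n - len(vb))
    return (va > vb) - (va < vb)


def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


_OPS = {'<': lambda c: c < 0, '<=': lambda c: c <= 0, '>': lambda c: c > 0,
        '>=': lambda c: c >= 0, '==': lambda c: c == 0, '!=': lambda c: c != 0}
_REL = re.compile(r'(<=|>=|==|!=|<|>)([^<>=!]+)')


def split_pkgname(pkgname):
    """'openldap-server-2.0.27_2' -> ('openldap-server', '2.0.27_2')."""
    base, _, version = pkgname.rpartition('-')
    return base, version


def match_pattern(pattern, pkgname):
    """Glob on the whole name, or, when relational operators follow the glob,
    glob on the base name only and require every operator to hold (logical and)."""
    m = re.search(r'[<>=!]', pattern)
    if m is None:
        return fnmatch.fnmatchcase(pkgname, pattern)
    glob, rels = pattern[:m.start()], pattern[m.start():]
    clauses = _REL.findall(rels)
    if ''.join(op + ver for op, ver in clauses) != rels:
        raise ValueError('malformed relational pattern: %r' % pattern)
    base, version = split_pkgname(pkgname)
    if not fnmatch.fnmatchcase(base, glob):
        return False
    return all(_OPS[op](compare_versions(version, want)) for op, want in clauses)


def select_packages(pattern, installed):
    """What pkg_info -E would list; an empty result corresponds to exit status 1."""
    return [p for p in installed if match_pattern(pattern, p)]


if __name__ == '__main__':
    # Constructed sample of an installed-package database, not a real system.
    installed = ['openldap-server-2.0.27_2', 'openldap-client-2.0.27',
                 'openldap-server-2.1.22', 'openldap-2.0.27', 'openssh-3.6.1_1']
    checks = [('openldap-*>2.0<2.1', 'example advisory (constructed)'),
              ('openssh<3.6.1_2', 'http://www.openssh.com/txt/buffer.adv')]
    for pattern, advisory in checks:
        hits = select_packages(pattern, installed)
        if hits:
            print('%s: vulnerable: %s' % (', '.join(hits), advisory))
    print(' < '.join(sort_versions(['6r3', '6r.3b2', '6.0r2b3', '6.r2b3', '6r3.b2', '6r.3b.2'])))
```

The sort chains quoted in the Description are the natural regression inputs: run `sort_versions` over each one and compare against the order given there. The `_REL` round-trip check in `match_pattern` is there so a typo such as `openldap-*>2.0<<2.1` is rejected instead of silently matching nothing, which matters when the result decides whether an advisory is printed.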

>Release-Note:
>Audit-Trail:

From: Sergey Matveychuk <sem@ciam.ru>
To: freebsd-gnats-submit@FreeBSD.org, eikemeier@fillmore-labs.com
Cc:  
Subject: Re: bin/56961: [PATCH] pkg_install: match package version numbers
 with relational operators
Date: Wed, 10 Dec 2003 15:46:47 +0300

 Patch is unfetchable. Host unresolved.
 Fix please.
 
 -- 
 Sem.

From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/56961: [PATCH] pkg_install: match package version numbers
 with relational operators
Date: Wed, 12 May 2004 22:20:01 +0200

 Just for the record:
 
 This and other features have been integrated into port sysutils/pkg_install-devel,
 which is used to compare version numbers in portaudit.
 
 The version number sort and matching rules have slightly changed from those cited
 above (as of pkg_install-devel version 20040512):
 
 - version numbers using `+' now sort as expected
 
 - a missing patchlevel number now sorts as -1 for consistency with missing
   version numbers, giving 10.a < 10.a0, which is in line with the existing tools
 
 - a component `*' has been introduced, which is guaranteed to sort *before* every other
   number, so that >=2.* <3.* will match *all* 2.x releases (even 2.alpha)
 
 - csh style {} glob patterns can be used
 
 
 -Oliver
State-Changed-From-To: open->patched 
State-Changed-By: eik 
State-Changed-When: Tue Jun 29 21:27:18 CEST 2004 
State-Changed-Why:  
Awaiting MFC 


Responsible-Changed-From-To: freebsd-bugs->eik 
Responsible-Changed-By: eik 
Responsible-Changed-When: Tue Jun 29 21:27:18 CEST 2004 
Responsible-Changed-Why:  
Handle my own PRs 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56961 
State-Changed-From-To: patched->closed 
State-Changed-By: eik 
State-Changed-When: Fri Aug 13 19:10:38 CEST 2004 
State-Changed-Why:  
MFCed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56961 
>Unformatted:
