Re: backport sysutils/rclone update
On 2020/11/28 08:39, Bjorn Ketelaars wrote:
>
> Actually, it fails to run on both arm and arm64. From phessler@'s bulk
> reports I learned that rclone fails in the post-build phase for both
> arches, and it has done so for some time. In the post-build phase rclone
> tries to generate completions for bash and zsh, which fails with a
> SIGILL for arm64 and a SIGBUS for arm. For now I have marked rclone
> BROKEN for both arches in current.

There is definitely something wrong with go on arm64.

https://marc.info/?l=openbsd-ports&m=160612352117181&w=2
Re: backport sysutils/rclone update
On Fri 27/11/2020 21:56, Solene Rapenne wrote:
> On Fri, 27 Nov 2020 16:00:54 +0100
> Bjorn Ketelaars:
>
> > On Fri 20/11/2020 07:02, Bjorn Ketelaars wrote:
> > > On Fri 20/11/2020 06:56, Bjorn Ketelaars wrote:
> > > > I would like to backport the recent rclone update to 6.8.
> > > >
> > > > Why? It fixes CVE-2020-28924: Some passwords generated with rclone
> > > > config may be insecure. In particular if you used the 'g' generate
> > > > option with rclone v1.49 - v1.53.2 then your password will be based on the
> > > > second it was generated in. This means that there is a fixed number of
> > > > passwords in that period.
> > > >
> > > > Diff below includes a cve entry for quirks.
> > > >
> > > > OK?
> > >
> > > Oops...previous diff contained an omission in the quirks entry. New
> > > diff:
> >
> > Ping...
> >
> > Diff enclosed again.
> >
> >
>
> it fails to build on arm64 on 6.8-stable

After a bit of investigating:

Actually, it fails to run on both arm and arm64. From phessler@'s bulk
reports I learned that rclone fails in the post-build phase for both
arches, and it has done so for some time. In the post-build phase rclone
tries to generate completions for bash and zsh, which fails with a
SIGILL for arm64 and a SIGBUS for arm. For now I have marked rclone
BROKEN for both arches in current.

For arm64 the issue seems to have arisen when I updated rclone to 1.52.0
(Makefile r1.14, 2020/05/28). arm started failing when I updated rclone to
1.51.0 (Makefile r1.13, 2020/02/03). As a result there is no rclone package
in 6.7- and 6.8-stable for arm, and no rclone package in 6.8-stable for
arm64.

The backport did not cause breakage as rclone was already broken.

I will try to resolve the underlying issue so that we have a working
rclone on current. However, this will take a bit of time as I currently
have no access to arm and arm64.
Re: backport sysutils/rclone update
On Fri, 27 Nov 2020 16:00:54 +0100
Bjorn Ketelaars:

> On Fri 20/11/2020 07:02, Bjorn Ketelaars wrote:
> > On Fri 20/11/2020 06:56, Bjorn Ketelaars wrote:
> > > I would like to backport the recent rclone update to 6.8.
> > >
> > > Why? It fixes CVE-2020-28924: Some passwords generated with rclone
> > > config may be insecure. In particular if you used the 'g' generate
> > > option with rclone v1.49 - v1.53.2 then your password will be based on the
> > > second it was generated in. This means that there is a fixed number of
> > > passwords in that period.
> > >
> > > Diff below includes a cve entry for quirks.
> > >
> > > OK?
> >
> > Oops...previous diff contained an omission in the quirks entry. New
> > diff:
>
> Ping...
>
> Diff enclosed again.
>
>

it fails to build on arm64 on 6.8-stable

cd /build/tmp/pobj//rclone-1.53.3/go/bin && HOME=/build/tmp/pobj//rclone-1.53.3/go/src/github.com/rclone/rclone ./rclone genautocomplete bash rclone.bash
SIGILL: illegal instruction
PC=0xca0700 m=0 sigcode=1
instruction bytes: 0x0 0x6 0x38 0xd5 0xe0 0x7 0x0 0xf9 0xc0 0x3 0x5f 0xd6 0x0 0x0 0x0 0x0

goroutine 1 [running, locked to thread]:
github.com/rclone/rclone/vendor/golang.org/x/sys/cpu.getisar0(0x20a7180)
	/build/tmp/pobj/rclone-1.53.3/go/src/github.com/rclone/rclone/vendor/golang.org/x/sys/cpu/cpu_arm64.s:13 fp=0x40003dfd40 sp=0x40003dfd40 pc=0xca0700
github.com/rclone/rclone/vendor/golang.org/x/sys/cpu.readARM64Registers()
	/build/tmp/pobj/rclone-1.53.3/go/src/github.com/rclone/rclone/vendor/golang.org/x/sys/cpu/cpu_arm64.go:36 +0x28 fp=0x40003dfd60 sp=0x40003dfd40 pc=0xca0448
github.com/rclone/rclone/vendor/golang.org/x/sys/cpu.init.0()
	/build/tmp/pobj/rclone-1.53.3/go/src/github.com/rclone/rclone/vendor/golang.org/x/sys/cpu/cpu_arm64.go:28 +0x18 fp=0x40003dfd70 sp=0x40003dfd60 pc=0xca0408
runtime.doInit(0x1fd45e0)
	/usr/local/go/src/runtime/proc.go:5625 +0x94 fp=0x40003dfdb0 sp=0x40003dfd70 pc=0x51e24
runtime.doInit(0x1fdc160)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dfdf0 sp=0x40003dfdb0 pc=0x51de0
runtime.doInit(0x1fe5dc0)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dfe30 sp=0x40003dfdf0 pc=0x51de0
runtime.doInit(0x1fe3320)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dfe70 sp=0x40003dfe30 pc=0x51de0
runtime.doInit(0x1fe9f80)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dfeb0 sp=0x40003dfe70 pc=0x51de0
runtime.doInit(0x1fe2de0)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dfef0 sp=0x40003dfeb0 pc=0x51de0
runtime.doInit(0x1feb7e0)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dff30 sp=0x40003dfef0 pc=0x51de0
runtime.doInit(0x1fd5ee0)
	/usr/local/go/src/runtime/proc.go:5620 +0x50 fp=0x40003dff70 sp=0x40003dff30 pc=0x51de0
runtime.main()
	/usr/local/go/src/runtime/proc.go:191 +0x1b0 fp=0x40003dffd0 sp=0x40003dff70 pc=0x45300
runtime.goexit()
	/usr/local/go/src/runtime/asm_arm64.s:1136 +0x4 fp=0x40003dffd0 sp=0x40003dffd0 pc=0x748a4

goroutine 9 [select]:
github.com/rclone/rclone/vendor/go.opencensus.io/stats/view.(*worker).start(0x4ef100)
	/build/tmp/pobj/rclone-1.53.3/go/src/github.com/rclone/rclone/vendor/go.opencensus.io/stats/view/worker.go:276 +0x9c
created by github.com/rclone/rclone/vendor/go.opencensus.io/stats/view.init.0
	/build/tmp/pobj/rclone-1.53.3/go/src/github.com/rclone/rclone/vendor/go.opencensus.io/stats/view/worker.go:34 +0x68

r0 0x1
r1 0x40003603a0
r2 0x40003dfd60
r3 0x1
r4 0xffa0c0
r5 0x0
r6 0x1292f91
r7 0x32
r8 0xf
r9 0x1
r10 0x0
r11 0xd
r12 0x1
r13 0x0
r14 0xff
r15 0x0
r16 0x0
r17 0x16
r18 0x4a9270658
r19 0x8
r20 0x400025bdf0
r21 0x400025be50
r22 0x1f
r23 0x0
r24 0x0
r25 0x0
r26 0x1fd4600
r27 0x20a66f4
r28 0x400180
r29 0x0
lr 0xca0448
sp 0x40003dfd40
pc 0xca0700
fault 0xca0700
*** Error 2 in . (Makefile:34 'post-build')
*** Error 2 in . (/home/ports//infrastructure/mk/bsd.port.mk:2929 '/build/tmp/pobj//rclone-1.53.3/build-aarch64/.build_done': @cd /home/port...)
*** Error 2 in /home/ports/sysutils/rclone (/home/ports//infrastructure/mk/bsd.port.mk:2584 'all': @lock=rclone-1.53.3; export _LOCKS_HELD=...)
Re: backport sysutils/rclone update
On Fri 20/11/2020 07:02, Bjorn Ketelaars wrote:
> On Fri 20/11/2020 06:56, Bjorn Ketelaars wrote:
> > I would like to backport the recent rclone update to 6.8.
> >
> > Why? It fixes CVE-2020-28924: Some passwords generated with rclone
> > config may be insecure. In particular if you used the 'g' generate
> > option with rclone v1.49 - v1.53.2 then your password will be based on the
> > second it was generated in. This means that there is a fixed number of
> > passwords in that period.
> >
> > Diff below includes a cve entry for quirks.
> >
> > OK?
>
> Oops...previous diff contained an omission in the quirks entry. New
> diff:

Ping...

Diff enclosed again.

Index: sysutils/rclone/Makefile === RCS file: /cvs/ports/sysutils/rclone/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- sysutils/rclone/Makefile8 Aug 2020 16:41:13 - 1.17 +++ sysutils/rclone/Makefile20 Nov 2020 06:01:17 - @@ -2,7 +2,7 @@ COMMENT = rsync for cloud storage -V =1.52.3 +V =1.53.3 DISTNAME = rclone-v${V} PKGNAME = rclone-${V} @@ -18,15 +18,21 @@ PERMIT_PACKAGE = Yes WANTLIB += c pthread MASTER_SITES = https://downloads.rclone.org/v${V}/ +DISTFILES =${DISTNAME}${EXTRACT_SUFX} \ + ${DISTNAME}-vendor${EXTRACT_SUFX} MODULES = lang/go MODGO_TYPE = bin ALL_TARGET = github.com/rclone/rclone +post-extract: + mv ${WRKDIR}/vendor ${WRKDIST} + post-build: .for s in bash zsh - cd ${MODGO_WORKSPACE}/bin && ./rclone genautocomplete $s rclone.$s + cd ${MODGO_WORKSPACE}/bin && \ + HOME=${WRKSRC} ./rclone genautocomplete $s rclone.$s .endfor do-install: Index: sysutils/rclone/distinfo === RCS file: /cvs/ports/sysutils/rclone/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- sysutils/rclone/distinfo8 Aug 2020 16:41:13 - 1.14 +++ sysutils/rclone/distinfo20 Nov 2020 06:01:17 - 
@@ -1,2 +1,4 @@ -SHA256 (rclone-v1.52.3.tar.gz) = 9IOeAVPu5UYV26N2qFvpQ60EBTAMPupdXgKywn7XsN0= -SIZE (rclone-v1.52.3.tar.gz) = 19431808 +SHA256 (rclone-v1.53.3-vendor.tar.gz) = 21jG7eFRsD3xrEPZhJsy9afrf5rKp7MBfY4A7ZrgBJY= +SHA256 (rclone-v1.53.3.tar.gz) = 8eITvG+3xG+aTMhgSuCFZxhDS9r+B/o85EmumlEKV2M= +SIZE (rclone-v1.53.3-vendor.tar.gz) = 5723994 +SIZE (rclone-v1.53.3.tar.gz) = 14683066 Index: devel/quirks/Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.1047 diff -u -p -r1.1047 Makefile --- devel/quirks/Makefile 25 Sep 2020 21:40:55 - 1.1047 +++ devel/quirks/Makefile 20 Nov 2020 06:01:17 - @@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.439 +PKGNAME = quirks-3.440 PKG_ARCH = * MAINTAINER = Marc Espie Index: devel/quirks/files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.1065 diff -u -p -r1.1065 Quirks.pm --- devel/quirks/files/Quirks.pm25 Sep 2020 21:40:55 - 1.1065 +++ devel/quirks/files/Quirks.pm20 Nov 2020 06:01:17 - @@ -2047,6 +2047,7 @@ my $cve = { 'shells/bash' => 'bash-<4.3.27', 'sysutils/ansible,-main' => 'ansible-<2.7.1', 'sysutils/mcollective' => 'mcollective-<2.5.3', + 'sysutils/rclone' => 'rclone-<1.53.3', 'sysutils/salt' => 'salt-<2018.3.3p2', 'telephony/asterisk,-main' => 'asterisk-<13.23.1', 'telephony/coturn' => 'turnserver-<4.5.1.2',
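Review bot: post-build in the second Makefile hunk executes the freshly built ./rclone to generate the bash and zsh completions, so packaging fails on any arch where that binary cannot start, which is what the arm64 log posted in this thread shows (SIGILL during genautocomplete). Worth confirming that the 6.8-stable arches this backport targets can run the binary, or marking the affected ones BROKEN as was done in current.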
Re: backport sysutils/rclone update
On Fri 20/11/2020 06:56, Bjorn Ketelaars wrote:
> I would like to backport the recent rclone update to 6.8.
>
> Why? It fixes CVE-2020-28924: Some passwords generated with rclone
> config may be insecure. In particular if you used the 'g' generate
> option with rclone v1.49 - v1.53.2 then your password will be based on the
> second it was generated in. This means that there is a fixed number of
> passwords in that period.
>
> Diff below includes a cve entry for quirks.
>
> OK?

Oops...previous diff contained an omission in the quirks entry. New
diff:

Index: sysutils/rclone/Makefile === RCS file: /cvs/ports/sysutils/rclone/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- sysutils/rclone/Makefile8 Aug 2020 16:41:13 - 1.17 +++ sysutils/rclone/Makefile20 Nov 2020 06:01:17 - @@ -2,7 +2,7 @@ COMMENT = rsync for cloud storage -V =1.52.3 +V =1.53.3 DISTNAME = rclone-v${V} PKGNAME = rclone-${V} @@ -18,15 +18,21 @@ PERMIT_PACKAGE = Yes WANTLIB += c pthread MASTER_SITES = https://downloads.rclone.org/v${V}/ +DISTFILES =${DISTNAME}${EXTRACT_SUFX} \ + ${DISTNAME}-vendor${EXTRACT_SUFX} MODULES = lang/go MODGO_TYPE = bin ALL_TARGET = github.com/rclone/rclone +post-extract: + mv ${WRKDIR}/vendor ${WRKDIST} + post-build: .for s in bash zsh - cd ${MODGO_WORKSPACE}/bin && ./rclone genautocomplete $s rclone.$s + cd ${MODGO_WORKSPACE}/bin && \ + HOME=${WRKSRC} ./rclone genautocomplete $s rclone.$s .endfor do-install: Index: sysutils/rclone/distinfo === RCS file: /cvs/ports/sysutils/rclone/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- sysutils/rclone/distinfo8 Aug 2020 16:41:13 - 1.14 +++ sysutils/rclone/distinfo20 Nov 2020 06:01:17 - 
@@ -1,2 +1,4 @@ -SHA256 (rclone-v1.52.3.tar.gz) = 9IOeAVPu5UYV26N2qFvpQ60EBTAMPupdXgKywn7XsN0= -SIZE (rclone-v1.52.3.tar.gz) = 19431808 +SHA256 (rclone-v1.53.3-vendor.tar.gz) = 21jG7eFRsD3xrEPZhJsy9afrf5rKp7MBfY4A7ZrgBJY= +SHA256 (rclone-v1.53.3.tar.gz) = 8eITvG+3xG+aTMhgSuCFZxhDS9r+B/o85EmumlEKV2M= +SIZE (rclone-v1.53.3-vendor.tar.gz) = 5723994 +SIZE (rclone-v1.53.3.tar.gz) = 14683066 Index: devel/quirks/Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.1047 diff -u -p -r1.1047 Makefile --- devel/quirks/Makefile 25 Sep 2020 21:40:55 - 1.1047 +++ devel/quirks/Makefile 20 Nov 2020 06:01:17 - @@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.439 +PKGNAME = quirks-3.440 PKG_ARCH = * MAINTAINER = Marc Espie Index: devel/quirks/files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.1065 diff -u -p -r1.1065 Quirks.pm --- devel/quirks/files/Quirks.pm25 Sep 2020 21:40:55 - 1.1065 +++ devel/quirks/files/Quirks.pm20 Nov 2020 06:01:17 - @@ -2047,6 +2047,7 @@ my $cve = { 'shells/bash' => 'bash-<4.3.27', 'sysutils/ansible,-main' => 'ansible-<2.7.1', 'sysutils/mcollective' => 'mcollective-<2.5.3', + 'sysutils/rclone' => 'rclone-<1.53.3', 'sysutils/salt' => 'salt-<2018.3.3p2', 'telephony/asterisk,-main' => 'asterisk-<13.23.1', 'telephony/coturn' => 'turnserver-<4.5.1.2',
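Review bot: the post-build target in the second Makefile hunk now runs ./rclone genautocomplete with HOME=${WRKSRC}, but nothing in the Makefile says why. A one-line comment above the .for loop stating the reason (presumably to keep the freshly built binary from reading or writing the build user's real home directory) would keep a later cleanup from dropping it.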
backport sysutils/rclone update
I would like to backport the recent rclone update to 6.8.

Why? It fixes CVE-2020-28924: Some passwords generated with rclone
config may be insecure. In particular if you used the 'g' generate
option with rclone v1.49 - v1.53.2 then your password will be based on the
second it was generated in. This means that there is a fixed number of
passwords in that period.

Diff below includes a cve entry for quirks.

OK?

Index: sysutils/rclone/Makefile === RCS file: /cvs/ports/sysutils/rclone/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- sysutils/rclone/Makefile8 Aug 2020 16:41:13 - 1.17 +++ sysutils/rclone/Makefile20 Nov 2020 05:55:08 - @@ -2,7 +2,7 @@ COMMENT = rsync for cloud storage -V =1.52.3 +V =1.53.3 DISTNAME = rclone-v${V} PKGNAME = rclone-${V} @@ -18,15 +18,21 @@ PERMIT_PACKAGE = Yes WANTLIB += c pthread MASTER_SITES = https://downloads.rclone.org/v${V}/ +DISTFILES =${DISTNAME}${EXTRACT_SUFX} \ + ${DISTNAME}-vendor${EXTRACT_SUFX} MODULES = lang/go MODGO_TYPE = bin ALL_TARGET = github.com/rclone/rclone +post-extract: + mv ${WRKDIR}/vendor ${WRKDIST} + post-build: .for s in bash zsh - cd ${MODGO_WORKSPACE}/bin && ./rclone genautocomplete $s rclone.$s + cd ${MODGO_WORKSPACE}/bin && \ + HOME=${WRKSRC} ./rclone genautocomplete $s rclone.$s .endfor do-install: Index: sysutils/rclone/distinfo === RCS file: /cvs/ports/sysutils/rclone/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- sysutils/rclone/distinfo8 Aug 2020 16:41:13 - 1.14 +++ sysutils/rclone/distinfo20 Nov 2020 05:55:08 - 
@@ -1,2 +1,4 @@ -SHA256 (rclone-v1.52.3.tar.gz) = 9IOeAVPu5UYV26N2qFvpQ60EBTAMPupdXgKywn7XsN0= -SIZE (rclone-v1.52.3.tar.gz) = 19431808 +SHA256 (rclone-v1.53.3-vendor.tar.gz) = 21jG7eFRsD3xrEPZhJsy9afrf5rKp7MBfY4A7ZrgBJY= +SHA256 (rclone-v1.53.3.tar.gz) = 8eITvG+3xG+aTMhgSuCFZxhDS9r+B/o85EmumlEKV2M= +SIZE (rclone-v1.53.3-vendor.tar.gz) = 5723994 +SIZE (rclone-v1.53.3.tar.gz) = 14683066 Index: devel/quirks/Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.1047 diff -u -p -r1.1047 Makefile --- devel/quirks/Makefile 25 Sep 2020 21:40:55 - 1.1047 +++ devel/quirks/Makefile 20 Nov 2020 05:55:08 - @@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.439 +PKGNAME = quirks-3.440 PKG_ARCH = * MAINTAINER = Marc Espie Index: devel/quirks/files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.1065 diff -u -p -r1.1065 Quirks.pm --- devel/quirks/files/Quirks.pm25 Sep 2020 21:40:55 - 1.1065 +++ devel/quirks/files/Quirks.pm20 Nov 2020 05:55:09 - @@ -2047,6 +2047,7 @@ my $cve = { 'shells/bash' => 'bash-<4.3.27', 'sysutils/ansible,-main' => 'ansible-<2.7.1', 'sysutils/mcollective' => 'mcollective-<2.5.3', + 'sysutils/rclone' => 'rclone-1.53.3', 'sysutils/salt' => 'salt-<2018.3.3p2', 'telephony/asterisk,-main' => 'asterisk-<13.23.1', 'telephony/coturn' => 'turnserver-<4.5.1.2',
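Review bot: in the Quirks.pm hunk the new $cve entry is written 'rclone-1.53.3', without the '<' that the neighbouring entries carry ('bash-<4.3.27', 'salt-<2018.3.3p2'). As written the spec names 1.53.3 itself rather than the versions before it, so it should read 'rclone-<1.53.3' to cover the releases affected by CVE-2020-28924.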
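The weakness described for CVE-2020-28924 above (a generated password that depends only on the second it was created in) can be shown in miniature. This is an added example, not rclone's code and not part of the original mail; `WeakPassword`, `StrongPassword` and `DistinctInWindow` are hypothetical names, and seeding `math/rand` from the Unix second is an assumed model of the bug class.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// WeakPassword models the bug class (assumed shape, not rclone's code): a PRNG seeded with the Unix second.
func WeakPassword(t time.Time, n int) string {
	r := mrand.New(mrand.NewSource(t.Unix()))
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// StrongPassword draws every character from the OS CSPRNG, so the time of generation tells nothing.
func StrongPassword(n int) (string, error) {
	b := make([]byte, n)
	for i := range b {
		k, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		b[i] = alphabet[k.Int64()]
	}
	return string(b), nil
}

// DistinctInWindow counts the weak passwords possible for times in [from, to): at most one per second.
func DistinctInWindow(from, to time.Time, n int) int {
	seen := map[string]bool{}
	for t := from; t.Before(to); t = t.Add(time.Second) {
		seen[WeakPassword(t, n)] = true
	}
	return len(seen)
}

func main() {
	t0 := time.Date(2020, 11, 20, 6, 0, 0, 0, time.UTC) // constructed sample time
	strong, err := StrongPassword(16)
	fmt.Println(WeakPassword(t0, 16), DistinctInWindow(t0, t0.Add(time.Hour), 16), strong, err)
}
```

A 16-character password over this alphabet should have 62^16 possibilities; the time-seeded version has no more than 3600 for a one-hour window, regardless of length, which is why passwords made with the affected versions need to be regenerated after the update.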