Bug 615302 - Syntax errors in lots of GLSA's
Summary: Syntax errors in lots of GLSA's
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-11 18:18 UTC by Kilian
Modified: 2017-04-11 20:05 UTC
See Also:
Package list:
Runtime testing required: ---


Attachments
Full output of cave report (cave_report.txt,28.54 KB, text/plain)
2017-04-11 18:18 UTC, Kilian

Description Kilian 2017-04-11 18:18:52 UTC
Created attachment 469762
Full output of cave report

With sys-apps/paludis-2.6.0, when doing

# cave report

I get tons of warnings like this:


cave@1491933920: [WARNING e.package_dep_spec.slot_not_allowed] In thread ID '20487':
  ... In program cave report:
  ... When building security or insecurity package set:
  ... When parsing security advisory '/usr/portage/metadata/glsa/glsa-201010-01.xml':
  ... When handling GLSA '201010-01' from '/usr/portage/metadata/glsa/glsa-201010-01.xml':
  ... When parsing elike package dep spec 'media-libs/libpng:1.2':
  ... When parsing generic package dep spec 'media-libs/libpng:1.2':
  ... Slot dependencies not safe for use here

Full set attached. According to Ciaran, "the real fix for this is to get portage to start doing error checking and enforcing EAPIs". However, if slot dependencies are indeed not safe for use there, people should write the GLSAs independently of how portage implements the protocol. Thank you!
Comment 1 Michał Górny 2017-04-11 20:05:03 UTC
I'm sorry but we really have no clue where you could get such a package name from. The only part where the slot is specified is this:

      <unaffected range="ge" slot="1.2">1.2.46</unaffected>

So if anything is actually happening here, it is Paludis grabbing the 'slot' attribute and using it incorrectly. If the upstream refuses to support slots, I'd say it would be reasonable if Paludis either ignored the attribute or reported it as an extraneous attribute. However, if it uses it and then fails on some internal inconsistency, it's purely a bug in Paludis.

That said, between 13 and 15 Jan the GLSA said:

      <unaffected range="ge">1.2.46:1.2</unaffected>

However, I consider it seriously unlikely that you are reporting an issue based on a Gentoo snapshot from those two days. And even if you were, I don't see how the invalid ':1.2' part would have jumped from the version to the package name.
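The point of the comment above is that the GLSA carries the slot as an attribute of the range element, not as part of the package name. The following added example (not Paludis or Gentoo code) shows a parser that keeps the slot separate, renders it on a full versioned atom, and uses it when deciding whether an installed version is covered; the GLSA fragment is constructed from the lines quoted in the bug, and version comparison is a simplified numeric one rather than full PMS ordering.

```python
import xml.etree.ElementTree as ET
from operator import eq, ge, gt, le, lt

# Constructed GLSA fragment modelled on the libpng entries quoted in the bug.
GLSA_XML = """<glsa id="201010-01">
  <affected>
    <package name="media-libs/libpng" arch="*" auto="yes">
      <unaffected range="ge" slot="1.2">1.2.46</unaffected>
      <unaffected range="ge">1.4.4</unaffected>
      <vulnerable range="lt">1.4.4</vulnerable>
    </package>
  </affected>
</glsa>"""

RANGE_OPS = {"ge": ge, "gt": gt, "le": le, "lt": lt, "eq": eq}
RANGE_PREFIX = {"ge": ">=", "gt": ">", "le": "<=", "lt": "<", "eq": "="}

def vkey(version):
    # Simplified: dotted integers only (assumption for this example).
    return tuple(int(p) for p in version.split("."))

def parse_glsa(xml_text):
    """Return {package: [(kind, range, version, slot or None), ...]}."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        entries = [(el.tag, el.get("range"), el.text.strip(), el.get("slot"))
                   for el in pkg if el.tag in ("unaffected", "vulnerable")]
        result[pkg.get("name")] = entries
    return result

def dep_atom(package, rng, version, slot):
    """Slot suffix goes on the versioned atom, never on a bare package name."""
    atom = f"{RANGE_PREFIX[rng]}{package}-{version}"
    return atom + (f":{slot}" if slot else "")

def is_affected(entries, installed_version, installed_slot):
    """Unaffected if any matching <unaffected> covers the installed version
    (slot-restricted entries only apply to that slot); else affected if any
    <vulnerable> entry covers it."""
    def matches(rng, ver, slot):
        return slot in (None, installed_slot) and \
            RANGE_OPS[rng](vkey(installed_version), vkey(ver))
    if any(k == "unaffected" and matches(r, v, s) for k, r, v, s in entries):
        return False
    return any(k == "vulnerable" and matches(r, v, s) for k, r, v, s in entries)
```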