Bug 882797 - glsamaker sometimes generates invalid XML (Was: Syntax error in glsa-202208-21.xml means it will never fire)
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: 884397
Blocks: CVE-2021-3405 CVE-2022-39377
Reported: 2022-11-24 17:17 UTC by Hank Leininger
Modified: 2023-09-17 06:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2022-11-24 17:17:35 UTC
glsa-202208-21.xml contains:

        <package name="dev-libs/libebml" auto="yes" arch="arm,ppc,sparc,x86">

That arch= should either be * or one or more architectures separated by spaces, not commas.

In portage, lib/portage/glsa.py splits the arch argument by the default separator (whitespace):

    if path["arch"] == "*" or self.config["ARCH"] in path["arch"].split():

Confirmed by modifying a GLSA so that it should fire, but glsa-check does not alert on it until the commas are changed to spaces.
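
Added example, not part of the original report and not Portage or glsamaker code: it reproduces the whitespace-split membership test quoted above against the comma-separated value, and lints every `<package arch=...>` in a GLSA document for that mistake. The sample XML is constructed (only the first `<package>` line comes from the report), and `lint_arch`, `lint_glsa` and the `ARCH_TOKEN` pattern are hypothetical names and assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed GLSA fragment; the first <package> line is the one quoted in the report.
SAMPLE_GLSA = """<glsa id="constructed-example">
  <affected>
    <package name="dev-libs/libebml" auto="yes" arch="arm,ppc,sparc,x86"/>
    <package name="app-misc/placeholder-a" auto="yes" arch="arm ppc sparc x86"/>
    <package name="app-misc/placeholder-b" auto="yes" arch="*"/>
  </affected>
</glsa>"""

# Assumption: an arch keyword is letters, digits, '-' or '_' (e.g. x86, amd64).
ARCH_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def arch_matches(arch_attr, system_arch):
    """The membership test from the glsa.py line quoted in the report."""
    return arch_attr == "*" or system_arch in arch_attr.split()


def lint_arch(arch_attr):
    """Return a description of the problem, or None if the value is well formed."""
    if arch_attr == "*":
        return None
    tokens = arch_attr.split()
    if not tokens:
        return "empty arch list"
    bad = [t for t in tokens if not ARCH_TOKEN.fullmatch(t)]
    if bad:
        return "invalid token(s) %r: use '*' or space-separated arches" % bad
    return None


def lint_glsa(xml_text):
    """Return (package, arch, problem) for every <package> with a bad arch=."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        arch = pkg.get("arch", "")
        problem = lint_arch(arch)
        if problem:
            findings.append((pkg.get("name"), arch, problem))
    return findings


if __name__ == "__main__":
    for name, arch, problem in lint_glsa(SAMPLE_GLSA):
        print(f"{name}: arch={arch!r}: {problem}")
        print("  matches an x86 system today:", arch_matches(arch, "x86"))
```

The comma-separated value splits into a single token, so no system architecture ever equals it and the advisory is skipped without any error.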
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-25 00:00:41 UTC
Thanks for noticing!

So, we have two obvious things to do here: fix the GLSA, fix glsamaker to not emit this kind of string.

But also, why isn't Portage validating that string or erroring on it?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-25 00:04:23 UTC
Just pushed:

commit be9dce898af341b1581822048910cec753530cb0
Author: John Helmert III <ajak@gentoo.org>
Date:   Thu Nov 24 18:01:54 2022 -0600

    [ GLSA 202208-21 ] fix arch list syntax

    Signed-off-by: John Helmert III <ajak@gentoo.org>
Comment 3 Hank Leininger 2022-11-25 01:25:01 UTC
(In reply to John Helmert III from comment #1)
> Thanks for noticing!

Pure chance =) I went looking at how arch= is specified in existing GLSAs, for https://bugs.gentoo.org/880543#c6

> So, we have two obvious things to do here: fix the GLSA, fix glsamaker to
> not emit this kind of string.
> 
> But also, why isn't Portage validating that string or erroring on it?

FWIW, I wondered about that, and did some spelunking. In https://github.com/gentoo/glsamaker/commit/30c1aa6d94c189d4ee19603f1dba6e9b3be846c7 for example, you can see validator regexes that do seem like they would have caught a comma-separated arch list.

But... that's the old Ruby implementation. That was replaced with a big commit rewriting in Golang here: https://github.com/gentoo/glsamaker/commit/35a41e63ebd5f6cf9d17419c150eb53a005d2e87 (maybe there are incremental patches when that was developed, elsewhere), and I can't see any sign of validators in the current version of glsamaker.
Comment 4 Larry the Git Cow gentoo-dev 2022-12-10 00:21:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=6bb6452ee8c1cee1ee5de506f78b12336e89cb32

commit 6bb6452ee8c1cee1ee5de506f78b12336e89cb32
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 05:05:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 00:21:05 +0000

    glsa: abort on incorrect arch delimiter
    
    Bug: https://bugs.gentoo.org/882797
    Closes: https://github.com/gentoo/portage/pull/958
    Signed-off-by: Sam James <sam@gentoo.org>

 NEWS                                        |   6 +-
 lib/portage/glsa.py                         |  12 +++-
 lib/portage/tests/glsa/test_security_set.py | 105 +++++++++++++++++++++++++---
 3 files changed, 109 insertions(+), 14 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-12-26 07:17:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84b50e99241623bf5557cea8e00a8178b9f01e14

commit 84b50e99241623bf5557cea8e00a8178b9f01e14
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-26 07:16:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-26 07:17:16 +0000

    sys-apps/portage: add 3.0.42
    
    Bug: https://bugs.gentoo.org/881383
    Bug: https://bugs.gentoo.org/882797
    Closes: https://bugs.gentoo.org/884397
    Closes: https://bugs.gentoo.org/884135
    Closes: https://bugs.gentoo.org/884285
    Closes: https://bugs.gentoo.org/887025
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-3.0.42.ebuild | 283 +++++++++++++++++++++++++++++++++
 2 files changed, 284 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-04 07:21:07 UTC
Okay, so the only thing left here is to fix glsamaker itself.