On 2019/12/24 14:08, Moritz Buhl wrote:
> Hi ports@,
>
> I noticed that graphviz has not been updated recently. On the
> other hand there is a CVE in the old version:
>
> https://gitlab.com/graphviz/graphviz/merge_requests/1303
>
> I tried myself at just bumping the version number, the diff to
> the Makefile is attached.

CC'ing maintainer.

> The sad part is that the new tarball on the graphviz homepage
> is not versioned any longer.
>
> Index: math/graphviz/Makefile
> ===================================================================
> RCS file: /cvs/ports/math/graphviz/Makefile,v
> retrieving revision 1.76
> diff -u -p -r1.76 Makefile
> --- math/graphviz/Makefile 18 Nov 2019 19:57:44 -0000 1.76
> +++ math/graphviz/Makefile 20 Dec 2019 15:58:27 -0000
> @@ -1,20 +1,16 @@
> -# $OpenBSD: Makefile,v 1.76 2019/11/18 19:57:44 ajacoutot Exp $
> +# $OpenBSD$
>
> -COMMENT-main= graph drawing software
> +COMMENT= graph drawing software
>
> -DISTNAME= graphviz-2.36.0
> -REVISION= 14
> -PKGNAME-main= ${DISTNAME}
> +DISTNAME= graphviz-2.40.1
> +REVISION= 1
> +DISTFILES= graphviz${EXTRACT_SUFX}
> CATEGORIES= math devel graphics
>
> -# there is only one multi-package due to legacy, but maybe more
> -# will appear in the form of language bindings.
> -MULTI_PACKAGES= -main
You can't just remove MULTI_PACKAGES without consideration to other ports.
> -
> # to let update-patches work in a simpler way
> PATCHORIG= .orig2
>
> -MASTER_SITES= ${HOMEPAGE}pub/graphviz/ARCHIVE/
> +MASTER_SITES= ${HOMEPAGE}/pub/graphviz/stable/SOURCES/
>
> SHARED_LIBS += gvplugin_core 1.0 # 6.0
> SHARED_LIBS += gvplugin_gd 1.0 # 6.0
>
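Review bot: "REVISION= 1" directly under the new "DISTNAME= graphviz-2.40.1" should be removed rather than set, because REVISION tracks packaging changes within a single upstream version and is dropped when the version is bumped. In the MASTER_SITES line, the old value "${HOMEPAGE}pub/graphviz/ARCHIVE/" implies HOMEPAGE already ends in a slash, so "${HOMEPAGE}/pub/graphviz/stable/SOURCES/" yields a double slash; keep the "${HOMEPAGE}pub/" form. "DISTFILES= graphviz${EXTRACT_SUFX}" stores the tarball under a name with no version in it, so when upstream replaces the file the cached copy and the recorded checksum no longer refer to the same content; the distfile should be saved under a versioned name before this goes in.
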
We will have to do something else for the distfile, we can't use that
as-is. But that 2.40.1 release is old anyway - it's a bit hard to work
out what's going on but there's a 2.42.2 tag on gitlab (which some
other OSes including FreeBSD are using) and there's also a 2.42.3 tar at
https://www2.graphviz.org/Packages/stable/portable_source/graphviz-2.42.3.tar.gz
but I'm not sure what that is...