> From: Michael Gmelin <grembo_at_freebsd.org>
> Date: Sat, 06 Jun 2026 18:52:15 UTC
>
> On 6. Jun 2026, at 19:56, Charlie Li <[email protected]> wrote:
>
>> Michael Gmelin wrote:
>>> Hi,
>>> This probably affects a large number of python ports which won't build
>>> due to the vulnerability in the build dependency.
>>
>> This is a tricky situation because not every consumer can use the
>> latest setuptools, not least due to various breaking functional changes.
>> Even after we finish the latest effort of the setuptools effort (massive
>> is an understatement), there will probably still be a need to keep older
>> versions around.
>>
>> As for this specific vulnerability, it is not exploitable to how we
>> (ports) build Python packages, since the affected mechanism is
>> setuptools's own PyPI fetching mechanism which we do not use (we have
>> our own do-fetch via fetch(1) et al). Further, the source file this was
>> found in is an already deprecated module package_index, about whose only
>> consumer is another deprecated entry point easy_install. We don't use
>> those in ports either. And even in the case of a Python virtual
>> environment, the system Python packages are not used by default, and pip
>> will download the latest setuptools if needed.
>>
>> In all, this vuxml entry was not added or reviewed by the python@ team,
>> especially not for applicability to actual use cases.
>
> Almost figured that by the tone of the commit message.
>
> Would it be reasonable to patch all the versions of setuptools we have
> in use (I didn't look at the details of the vulnerability to understand
> how complex such a fix would be)?
>
> Cheers

There's nothing to review, it's valid. There are also multiple security
issues with Python itself and related ports, but progress gets blocked or
moves at a glacial pace.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271673
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274671
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270358
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281470

To mention a few. You might also want to consider the view on security by
reading the comments in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

Looking at git history, none of the listed VuXML entries related to Python
have been initially added by the "Python team" for the past 2 years, and
there certainly have been relevant CVEs issued during that time.

https://github.com/psf/advisory-database/tree/main/advisories/python

Security overall isn't a priority in the ports tree; bofh@ gave a very
good talk about it last year and so far there has been little response,
unfortunately: https://www.youtube.com/watch?v=ZGmuZz5ETHs&t=19276s .
Security vulnerabilities are in general poorly tracked due to multiple
issues: maintainer time, interest, adding entries being time-consuming,
and so on.

Repology lists about 400 ports as "Potentially vulnerable", but there are
likely some mismatches; a lot of ports aren't tracked/matched with
upstream projects correctly, or are simply very outdated/EOL/discontinued
upstream, so they lack any (active) reviewing. Additionally it also lists
about 6.5k ports as out of date, which probably isn't too far off.

If security is a priority, you likely want to review the ports you use and
consider using an overlay/forking the ports tree.

Best regards,
Daniel