From: Christoph Liebender Subject: Re: [update] www/anubis 1.15.2 -> 1.17.0, privacy relevant To: ports@openbsd.org Date: Fri, 2 May 2025 15:47:54 +0200 Am 30.04.25 um 15:18 schrieb Christoph Liebender: > Am 30.04.25 um 12:47 schrieb Stuart Henderson: >> On 2025/04/30 11:40, Stuart Henderson wrote: >>> On 2025/04/29 20:21, Christoph Liebender wrote: >>>> Hi @ports, >>>> >>>> this is a diff to update www/anubis. I am not the original submitter >>>> of this >>>> port, however I'd strongly suggest to backport this onto 7.7-stable >>>> since >>>> the default behavior of v1.15.2 is to report IPs of accesses to >>>> DroneBL, see >>>> [1,2,3]. Any unsuspecting user that installs this port may not >>>> immediately >>>> notice this privacy issue. v1.17.0, disables this by default. [4] >>> >>> oh, seems they got rid of the super tight go version dependency which >>> was causing a problem for updating even on -current (in a commit with >>> the helpful log entry "perf: embed challenge data in HTML") so we can >>> actually update, will look at this soon. >>> >> >> Does not package with your diff. > > Whoops, sorry, my fault. Should've ran `make package` instead of just > `make`. I can confirm that your diff for `post-install` fixes that. > Thanks. For completeness sake, I've attached the modified diff. Actually, I'm afraid to say that this patch breaks anubis installs because upstream now requires to generate static assets with npm during the build process. They choose to provide a tarball vendoring all dependencies under https://github.com/TecharoHQ/anubis/releases/download/v1.17.1/anubis-src-vendor-npm-1.17.1.tar.gz , but I am not sure how to package that...