Why does Yocto CVE Check need Artifactory and take so long to find CVEs? - yocto

I am new to Yocto and would like to know how the Yocto CVE check works.
1. CVE Check finds patched/unpatched CVEs based on the version number and the patches added to the recipe. Are these the only two methods CVE Check uses?
2. CVE Check seems to fetch the package artifactory from JFrog. If 1 is true, why do we need to do this? We could just compare the version number and the patches added from the metadata of the recipe.
3. If 1 is true, why could CVE Check take so many minutes (20 min+) for some packages to find its CVEs?
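An illustrative re-implementation of the two checks the question names (an affected-version range compared against the recipe's version, and CVE ids carried by patches in the recipe), added here as an example; it is not Yocto's own cve-check code, and the product, patch contents and CVE ids below are constructed placeholders, not real advisories.

```python
import re

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def version_key(v):
    """Numeric-only comparison key ('1.2.10' > '1.2.9'); a toy stand-in for bitbake's version compare."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def affected(pv, start, end):
    """True when start <= pv < end; 'end' is the first fixed release, None means unbounded."""
    k = version_key(pv)
    return (start is None or version_key(start) <= k) and (end is None or k < version_key(end))

def cves_fixed_by_patches(patches):
    """Collect CVE ids named in a patch file name or on a 'CVE:' header line of its content."""
    fixed = set()
    for name, content in patches:
        fixed.update(CVE_ID_RE.findall(name))
        for line in content.splitlines():
            if line.startswith("CVE:"):
                fixed.update(CVE_ID_RE.findall(line))
    return fixed

def cve_status(product, pv, records, patches, ignore=()):
    """Map each record affecting (product, pv) to 'Patched', 'Unpatched' or 'Ignored'."""
    fixed = cves_fixed_by_patches(patches)
    status = {}
    for rec in records:
        if rec["product"] != product or not affected(pv, rec["start"], rec["end"]):
            continue  # other product, or our version lies outside the vulnerable range
        if rec["id"] in ignore:
            status[rec["id"]] = "Ignored"
        elif rec["id"] in fixed:
            status[rec["id"]] = "Patched"
        else:
            status[rec["id"]] = "Unpatched"
    return status

# Constructed sample data: placeholder CVE ids and a fake product, not real advisories.
RECORDS = [
    {"id": "CVE-0000-0001", "product": "foolib", "start": None, "end": "1.2.5"},
    {"id": "CVE-0000-0002", "product": "foolib", "start": "1.2.0", "end": "1.3.0"},
    {"id": "CVE-0000-0004", "product": "barlib", "start": None, "end": None},
    {"id": "CVE-0000-0005", "product": "foolib", "start": None, "end": None},
    {"id": "CVE-0000-0006", "product": "foolib", "start": "1.2.3", "end": None},
]
PATCHES = [  # (file name, contents) as they would be listed in a recipe's SRC_URI
    ("0001-fix-overflow.patch", "From: dev\nCVE: CVE-0000-0001\n\n--- a/x.c\n+++ b/x.c\n"),
    ("CVE-0000-0002.patch", "--- a/y.c\n+++ b/y.c\n"),
]
```

Calling cve_status("foolib", "1.2.3", RECORDS, PATCHES, ignore={"CVE-0000-0006"}) reports the two patched ids, one unpatched and one ignored, and skips the barlib record entirely.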

Related

What does "version" at the end of a Swift Package Manager Package.resolved file mean?

I am trying to figure out what "version": 1 or "version": 2 at the end of a Package.resolved file generated by Swift Package Manager stands for. I have two workspaces, and sometimes both Package.resolved files have version 1 or 2, sometimes different versions.
What impact does having different versions have, and what is causing the version change? Is it possible to have the same version for both?
I've done a bit of research and it seems Apple changed the format of the Package.resolved file with version 5.6 of the Swift tools. Any version of the toolchain can work with version 1, but you need >= 5.6 to work with version 2. See this forum conversation:
https://forums.swift.org/t/using-swiftpm-5-6-and-supporting-older-versions/55708/9
As I said in my comment, it's probably best to ignore what's in that file and not commit it to your source code control. One of the comments in the above forum thread mentions that you might want to commit it to ensure repeatability of builds, but that is a fragile solution and if you want to build with exact versions, you should do this in the Package.swift file.
Addendum
You'll get mixed versions because, if resolving a package means no changes, SPM will not overwrite the old Package.resolved.
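A small checker for the situation described above, added here as an example (not from the answer's author or from SwiftPM): it reads the top-level "version" of each workspace's Package.resolved, reports whether the workspaces disagree, and states the toolchain the newest format needs. The pin layouts (object.pins keyed by "package" for format 1, top-level pins keyed by "identity" for format 2) are assumptions, and the sample files are constructed.

```python
import json

# Minimum swift-tools version able to read each Package.resolved format (from the answer above).
MIN_TOOLS_FOR_FORMAT = {1: "any", 2: "5.6"}

def resolved_format(text):
    """Return the top-level "version" field, rejecting formats this checker does not know."""
    fmt = json.loads(text).get("version")
    if fmt not in MIN_TOOLS_FOR_FORMAT:
        raise ValueError(f"unknown Package.resolved format version: {fmt!r}")
    return fmt

def pinned_versions(text):
    """Assumed layouts: format 1 keeps pins under object.pins keyed by 'package',
    format 2 keeps them at the top level keyed by 'identity'."""
    doc = json.loads(text)
    if resolved_format(text) == 1:
        pins, name_key = doc["object"]["pins"], "package"
    else:
        pins, name_key = doc["pins"], "identity"
    return {pin[name_key]: pin["state"].get("version") for pin in pins}

def workspace_report(files):
    """Compare several workspaces' Package.resolved files: the format each uses,
    whether they are mixed, and the toolchain the newest format requires."""
    formats = {path: resolved_format(text) for path, text in files.items()}
    newest = max(formats.values())
    return {"formats": formats,
            "mixed": len(set(formats.values())) > 1,
            "min_tools": MIN_TOOLS_FOR_FORMAT[newest]}

# Constructed sample files: workspace A was last resolved with no changes and kept format 1,
# workspace B was rewritten by a 5.6+ toolchain in format 2.
RESOLVED_V1 = json.dumps({
    "object": {"pins": [{"package": "SwiftyLib",
                         "repositoryURL": "https://example.invalid/SwiftyLib.git",
                         "state": {"branch": None, "revision": "abc", "version": "1.4.0"}}]},
    "version": 1,
})
RESOLVED_V2 = json.dumps({
    "pins": [{"identity": "swiftylib", "kind": "remoteSourceControl",
              "location": "https://example.invalid/SwiftyLib.git",
              "state": {"revision": "abc", "version": "1.4.0"}}],
    "version": 2,
})
```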

How to download a specific version of Lens (k8slens)

I want to install a previous, specific version of k8slens (https://k8slens.dev/), but it is impossible for me to find it (neither for Mac nor Windows!). Do I have to download the source code and rebuild it? Even then there is no "install" section in the makefile!
Why is it so difficult to find a specific version?
Yes, you can easily download the source code for a specific version tag and then compile and use it. The list of tags is here.
Once you get the source code of your desired version you can generate the binary with:
make build
And then simply run that binary to get your required version. Just know that "install" simply means copying a compiled binary into a known PATH directory of the system so it can be executed. There is nothing special about it.
The question was asked some time ago, but just in case you haven't reached the answer yet: one thing I did to solve this problem was to go to the Lens repo, https://github.com/lensapp/lens/releases, and search through the old release versions looking for a binary asset (.exe) (the newer versions provide the source code but not the binary). Then I managed to find the binary of version 4.2.3 (released on Apr 26, 2021).
Worked perfectly for me. Hope it helps.

Nuget update when package was installed with ExcludedVersion

I am wondering whether it is possible to update a package that was installed with the /x flag?
To me it seems that it is not possible right now. What I mean by updating is making a packages.config change with a greater version of the given package (done by nuget.exe update SolutionName.sln).
What is the flow of the update operation? Does it look inside the nupkg of the actually installed package? Or does it just search for the version within the directory name?
When the version in the directory name is missing, is there a problem with version comparison?
I need a precise explanation.
Note:
I use nuget 2.8.50224.430
I created an identical thread on the NuGet CodePlex here:
https://nuget.codeplex.com/discussions/543299
I think I managed to answer my own question.
While waiting for a response I decided to look at the nuget.exe sources and find how the version of the installed package is gathered.
What I realized:
1. The version is taken directly from packages.config.
2. The nuget update command looks for PackageName.PackageVersion.nupkg in the packages directory.
3. When the wanted file does not exist, the update cannot be completed (it is aborted).
I tried to change the code to use the directory and package name without the version.
It is possible, but it would be better to request another flag for that purpose.
For the curious: the PathResolver is created in UpdateCommand.cs:
var pathResolver = new DefaultPackagePathResolver(sharedRepositoryFileSystem);
You can pass false as the second argument to omit the version in path concatenation.
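The three-step flow from the answer above, modelled in Python as an added example (not NuGet's own code): the version is read from packages.config, the expected .nupkg path is built with or without the version in the folder name, and a package whose file is absent is marked as aborted. The path layout is assumed to mirror the side-by-side / no-version behaviour of DefaultPackagePathResolver described above, and the packages.config and file list are constructed.

```python
import xml.etree.ElementTree as ET

def installed_packages(config_xml):
    """Step 1: the installed version is read straight from packages.config."""
    root = ET.fromstring(config_xml)
    return [(p.get("id"), p.get("version")) for p in root.findall("package")]

def package_path(pkg_id, version, side_by_side=True):
    """Step 2 layout (assumed to mirror DefaultPackagePathResolver):
    Id.Version/Id.Version.nupkg normally, Id/Id.nupkg for a package installed with /x."""
    folder = f"{pkg_id}.{version}" if side_by_side else pkg_id
    return f"packages/{folder}/{folder}.nupkg"

def plan_update(config_xml, existing_files, side_by_side=True):
    """Steps 2 and 3: locate each installed .nupkg; when the file is missing the update is aborted."""
    plan = {}
    for pkg_id, version in installed_packages(config_xml):
        path = package_path(pkg_id, version, side_by_side)
        plan[pkg_id] = "update" if path in existing_files else f"abort: missing {path}"
    return plan

# Constructed sample: Sample.Core was installed normally, Sample.Utils with /x (no version in its folder).
PACKAGES_CONFIG = """<packages>
  <package id="Sample.Core" version="1.0.3" targetFramework="net45" />
  <package id="Sample.Utils" version="2.1.0" targetFramework="net45" />
</packages>"""
FILES = {
    "packages/Sample.Core.1.0.3/Sample.Core.1.0.3.nupkg",
    "packages/Sample.Utils/Sample.Utils.nupkg",
}
```

With the default side-by-side layout the /x-installed package is the one that aborts; passing side_by_side=False (the second constructor argument the answer mentions) makes it resolvable instead.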

NuSpec version attribute vs assembly version

When creating a nuget package, the version in the file name of the nuget package seems to come from the AssemblyInfo file in the web application project. I have also created a version attribute inside the nuspec file.
What is the relationship between these two version numbers and are there any conventions attached?
With regards to convention, the NuGet software itself, and the semantics it applies to packages in the gallery, does versioning as described by SemVer.
Specifically you can designate beta versions by suffixing your nuspec version number with "-beta.4" or something. For example, see how the gallery displays the latest version of AutoFac, and compare how it displays an old release (note the text "This is not the latest version of Autofac available." Edit: The gallery no longer seems to provide any special message for non-current versions) and an old PRE-release version (with the text "This is a prerelease version of Autofac.").
Unfortunately, the AssemblyVersion in AssemblyInfo.cs may not contain letters or hyphens, so it can't be used in this way. However the AssemblyInformationalVersion MAY have letters and hyphens in it and, if you provide it, NuGet will use that instead of the AssemblyVersion to replace the $version$ token in your nuspec file. What's more, the AssemblyInformationalVersion (also called the "Product Version" if you check a DLL's details in Windows Explorer), at least to me, better represents what the NuGet version should match.
I have a slight concern with this approach in that I'm expected to leave the AssemblyVersion the same through various beta iterations and a final production iteration of the AssemblyInformationalVersion, which means I'm allowing several different versions of my DLL into the wild that may behave differently or incorrectly, yet are all identical as far as the CLR is concerned (the CLR only cares about AssemblyVersion). In practice, though, this happens frequently (including with the AutoFac packages described above) and it doesn't seem to cause a problem.
See the two excellent highest-voted answers to What are differences between AssemblyVersion, AssemblyFileVersion and AssemblyInformationalVersion? for more info on AssemblyInformationalVersion and friends.
There doesn't need to be a relationship between the assembly version and the nuget package version. By convention, many maintainers use the same number for both.
The convention for using the same number is also the nuget.exe default if you have no nuspec, or you use nuget.exe spec to create a tokenized nuspec file. However, if you replace the $version$ token with a value, then that value will take precedence and will be used in the package file name.
You can also set the version on the command line, which takes precedence over all of the above.
More info on Xavier's blog: NuGet $version$ token explained
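The versioning rules the two answers describe, carried through in Python as an added example (not NuGet's code): SemVer ordering in which a "-beta.4" style suffix marks a pre-release that sorts below its release, the gallery-style "latest" choice with or without pre-releases, and the precedence chain that decides what replaces $version$ (command line over a literal nuspec version over AssemblyInformationalVersion over AssemblyVersion, which itself admits only digits and dots). Package ids and versions below are constructed.

```python
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
ASSEMBLY_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")  # digits and dots only

def semver_key(version):
    """Sort key following SemVer: a pre-release sorts below the release it precedes,
    and pre-release identifiers compare numerically when they are all digits."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    major, minor, patch, pre = m.groups()
    ids = tuple((0, int(x)) if x.isdigit() else (1, x) for x in pre.split(".")) if pre else ()
    return (int(major), int(minor), int(patch), 0 if pre else 1, ids)

def is_prerelease(version):
    """'1.2.0-beta.4' is a pre-release; '1.2.0' is a release."""
    return semver_key(version)[3] == 0

def latest(versions, include_prerelease=False):
    """What a gallery would show as the latest version, with or without pre-releases."""
    candidates = [v for v in versions if include_prerelease or not is_prerelease(v)]
    return max(candidates, key=semver_key) if candidates else None

def resolve_package_version(assembly_version, informational_version=None,
                            nuspec_version="$version$", cli_version=None):
    """Precedence described above: command line > literal nuspec <version> >
    AssemblyInformationalVersion > AssemblyVersion (the $version$ token). Returns (version, source)."""
    if not ASSEMBLY_VERSION_RE.match(assembly_version):
        raise ValueError("AssemblyVersion allows only digits and dots, so it cannot carry a '-beta' suffix")
    if cli_version:
        return cli_version, "command line"
    if nuspec_version != "$version$":
        return nuspec_version, "nuspec <version>"
    if informational_version:
        return informational_version, "AssemblyInformationalVersion"
    return assembly_version, "AssemblyVersion"

def package_file_name(pkg_id, version):
    """The resolved version is what ends up in the .nupkg file name."""
    return f"{pkg_id}.{version}.nupkg"
```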

Upgrade N2CMS to latest version collected from github trunk

I am upgrading an old N2CMS website to the newest version released in the trunk (2.2.5 or something like that), following these instructions https://github.com/n2cms/n2cms/blob/master/docs/releases/upgrade_2.2.1.txt, but I am getting an error when trying to compile the project:
Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.
Has anyone done this before and knows if there's anything else I should be doing apart from just copying files?
Thanks
The complete text of this error contains the name of the DLL you are missing. Read it carefully and you will find out what DLL you need to add. It could be something like Lucene.dll, which was introduced recently (it depends how old your project is).