From: Matthew Pherigo
Date: Sun, 12 Jan 2014 19:07:03 -0600
Subject: Why does Vim in pkgng depend on X11 and the GTK?

Hi,

(Note: I'm not sure if this is the right mailing list or not, so if I need to go somewhere else, let me know.)

When installing Vim from pkgng, I'm forced to also install a lot of additional stuff I don't need, like so:

# pkg install vim
Updating repository catalogue
The following 90 packages will be installed:

	Installing xproto: 7.0.25
	Installing libXdmcp: 1.1.1
	Installing libXau: 1.0.8
	Installing libiconv: 1.14_1
	Installing libpthread-stubs: 0.3_4
	Installing kbproto: 1.0.6
	Installing libICE: 1.0.8,1
	Installing pixman: 0.32.4
	Installing renderproto: 0.11.1
	Installing libfontenc: 1.1.2
	Installing freetype2: 2.5.2
	Installing expat: 2.1.0
	Installing font-util: 1.3.0_1
	Installing graphite2: 1.2.4
	Installing png: 1.5.17
	Installing pcre: 8.33
	Installing libffi: 3.0.13_1
	Installing gettext: 0.18.3.1
	Installing perl5: 5.16.3_6
	Installing icu: 50.1.2
	Installing gnomehier: 3.0
	Installing randrproto: 1.4.0
	Installing xextproto: 7.2.1
	Installing xineramaproto: 1.2.1
	Installing fixesproto: 5.0
	Installing inputproto: 2.3
	Installing damageproto: 1.2.1
	Installing compositeproto: 0.4.2
	Installing cups-client: 1.5.4_1
	Installing hicolor-icon-theme: 0.12
	Installing xf86vidmodeproto: 2.3.1
	Installing dri2proto: 2.8
	Installing pciids: 20131225
	Installing jpeg: 8_4
	Installing jbigkit: 1.6
	Installing jasper: 1.900.1_12
	Installing tcl86: 8.6.1
	Installing libyaml: 0.1.4_2
	Installing libexecinfo: 1.1_3
	Installing lua: 5.1.5_6
	Installing ctags: 5.8
	Installing cscope: 15.8a
	Installing libxml2: 2.8.0_3
	Installing libSM: 1.2.2,1
	Installing mkfontscale: 1.1.1
	Installing mkfontdir: 1.0.7
	Installing fontconfig: 2.11.0_1,1
	Installing font-misc-ethiopic: 1.0.3_1
	Installing font-bh-ttf: 1.0.3_1
	Installing encodings: 1.0.4_1,1
	Installing dejavu: 2.34
	Installing python27: 2.7.6_1
	Installing python2: 2_2
	Installing libpciaccess: 0.13.2
	Installing ruby: 1.9.3.484,1
	Installing libxcb: 1.9.3
	Installing font-misc-meltho: 1.0.3_1
	Installing xcb-util: 0.3.9_1,1
	Installing glib: 2.36.3_1
	Installing shared-mime-info: 1.1
	Installing python: 2.7_1,2
	Installing libdrm: 2.4.17_1
	Installing atk: 2.8.0
	Installing libX11: 1.6.2,1
	Installing libXrender: 0.9.8
	Installing xorg-fonts-truetype: 7.7_1
	Installing libXft: 2.3.1
	Installing xcb-util-renderutil: 0.3.8
	Installing libXt: 1.1.4,1
	Installing libXext: 1.3.2,1
	Installing libXinerama: 1.1.3,1
	Installing libXfixes: 5.0.1
	Installing libXdamage: 1.1.4
	Installing libXcursor: 1.1.14
	Installing libXcomposite: 0.4.4,1
	Installing libXmu: 1.1.2,1
	Installing libXxf86vm: 1.1.3
	Installing cairo: 1.10.2_7,2
	Installing libXrandr: 1.4.2
	Installing libXi: 1.7.2,1
	Installing libGL: 7.6.1_4
	Installing harfbuzz: 0.9.25
	Installing libGLU: 9.0.0
	Installing freeglut: 2.8.1
	Installing pango: 1.34.1_1
	Installing tiff: 4.0.3
	Installing gdk-pixbuf2: 2.28.2
	Installing gtk-update-icon-cache: 2.24.22
	Installing gtk2: 2.24.22_1
	Installing vim: 7.4.110_2

The installation will require 349 MB more space

71 MB to be downloaded

Proceed with installing packages [y/N]:

Apparently, I can compile it without these requirements from the ports tree (not to mention that no Linux distro I've used has ever required X to be installed with Vim), so the problem isn't inherently in Vim. Perhaps these settings would make sense on something like PC-BSD where the user is expected to have a graphical environment, but on FreeBSD, which is more targeted toward server usage, doesn't it make more sense for vim to not depend on X?

Thanks,
Matt

From: Darren Pilgrim
Date: Sun, 12 Jan 2014 17:55:02 -0800
Subject: Re: Why does Vim in pkgng depend on X11 and the GTK?

On 1/12/2014 5:07 PM, Matthew Pherigo wrote:
> Apparently, I can compile it without these requirements from the
> ports tree (not to mention that no Linux distro I've used has ever
> required X to be installed with Vim), so the problem isn't inherently
> in Vim.

editors/vim includes gvim, the gtk version of vim. If you just want the command-line vim, install editors/vim-lite.

From: Yuri
Date: Tue, 14 Jan 2014 03:59:22 -0800
Subject: Does pkg check signatures?

In October announcement has been made that pkg-1.2 will support package signing:
https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html
Now I am running 'pkg install' using pkg-1.2.5 on 9.2, and don't see it opening any files related to keys/signatures in ktrace log.

When pkg downloads anything from the central repository (packages, sqlite databases or any other files), all files should be signed with the private key, and pkg(8) should be checking signatures with the public key, and refuse to work in case of failure. This should be the default behavior.

Please beware of this attack https://github.com/infobyte/evilgrade
It doesn't (yet) have FreeBSD plugin, but it is a matter of few hours to write one. Evilgrade could be made to repackage the package .txz files (or sqlite files) on the fly, and to add arbitrary new files into them. It only takes one malicious DNS server for this. Using such DNS server, attacker can inject malicious code into the victim systems. Various forms of DNS hijacking are quite widespread today. Routers, providers, WiFi hackers and (presumably) government agencies do this for various reasons.

Without mandatory package signing by default, pkg(8) presents a security threat to the system.

Yuri

From: Matthew Seaman
Date: Tue, 14 Jan 2014 12:10:14 +0000
Subject: Re: Does pkg check signatures?

On 01/14/14 11:59, Yuri wrote:
> In October announcement has been made that pkg-1.2 will support package
> signing:
> https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html
> Now I am running 'pkg install' using pkg-1.2.5 on 9.2, and don't see it
> opening any files related to keys/signatures in ktrace log.

pkg is fully capable of checking cryptographic signatures if configured to do so. Specifically you need 'signature-type' and 'fingerprints' defined in your repo.conf

Try using the standard /etc/pkg/FreeBSD.conf available here:

http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log

and the public key in /usr/share/keys/pkg available here:

http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log

Cheers,

Matthew

From: Yuri
Date: Tue, 14 Jan 2014 04:42:54 -0800
Subject: Re: Does pkg check signatures?

On 01/14/2014 04:10, Matthew Seaman wrote:
> pkg is fully capable of checking cryptographic signatures if configured
> to do so. Specifically you need 'signature-type' and 'fingerprints'
> defined in your repo.conf
>
> Try using the standard /etc/pkg/FreeBSD.conf available here:
>
> http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
>
> and the public key in /usr/share/keys/pkg available here:
>
> http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log

I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf is like this:
---begin---
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
---end---

and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like this:
---begin---
# $FreeBSD$

function: "sha256"
fingerprint: "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
---end---

'pkg install' reads the first file, doesn't read the second file, and succeeds downloading and installing a package. Something is wrong.
Which file is this fingerprint for? Every downloaded file should have individual signature downloaded with it.

Yuri

From: Baptiste Daroussin
Date: Tue, 14 Jan 2014 13:58:31 +0100
Subject: Re: Does pkg check signatures?

On Tue, Jan 14, 2014 at 04:42:54AM -0800, Yuri wrote:
> On 01/14/2014 04:10, Matthew Seaman wrote:
> > pkg is fully capable of checking cryptographic signatures if configured
> > to do so. Specifically you need 'signature-type' and 'fingerprints'
> > defined in your repo.conf
> >
> > Try using the standard /etc/pkg/FreeBSD.conf available here:
> >
> > http://svnweb.freebsd.org/base/head/etc/pkg/FreeBSD.conf?view=log
> >
> > and the public key in /usr/share/keys/pkg available here:
> >
> > http://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?view=log
>
> I followed your instructions. File /usr/local/etc/pkg/repos/FreeBSD.conf
> is like this:
> ---begin---
> FreeBSD: {
>   url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
>   mirror_type: "srv",
>   signature_type: "fingerprints",
>   fingerprints: "/usr/share/keys/pkg",
>   enabled: yes
> }
> ---end---
>
> and file /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 is like
> this:
> ---begin---
> # $FreeBSD$
>
> function: "sha256"
> fingerprint:
> "b0170035af3acc5f3f3ae1859dc717101b4e6c1d0a794ad554928ca0cbb2f438"
> ---end---
>
> 'pkg install' reads the first file, doesn't read the second file, and
> succeeds downloading and installing a package. Something is wrong.
> Which file is this fingerprint for? Every downloaded file should have
> individual signature downloaded with it.
>

What is signed is the catalog which contains the hash of all the available packages.

So the signature is only checked during pkg update in case the database is being updated not during package installation because it is not needed, the fetched packages are tested against their hash.

regards,
Bapt

From: Yuri
Date: Tue, 14 Jan 2014 05:27:58 -0800
Subject: Re: Does pkg check signatures?

On 01/14/2014 04:58, Baptiste Daroussin wrote:
> What is signed is the catalog which contains the hash of all the available
> packages.

How is this fingerprint on the local system updated when the remote catalog file changes?

>
> So the signature is only checked during pkg update in case the database is being
> updated not during package installation because it is not needed, the fetched
> packages are tested against their hash.

I think this process is very weak.
Normal procedure goes like this:
* During system installation, public key of the distributor is installed on the local system. One key per repository. Should be verified by admin if this is a concern.
* Every downloaded file should be downloaded together with its signature. Signature is computed on the server using the private key of the distributor.
* Signature of every single downloaded file should be checked. No exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all such procedures.

Current procedure is flawed for the following reasons:
1. No clear automated process of fingerprint update is defined. (In fact, no secure automated way of its update is possible)
2. Security is opt-in. And it should be opt-out. (There is a big difference)

I don't think this fingerprinting scheme can survive a security review.
pkgng without proper package signing can't be recommended to users because it is a clear security threat.

Yuri

From: Baptiste Daroussin
Date: Tue, 14 Jan 2014 14:48:20 +0100
Subject: Re: Does pkg check signatures?

On Tue, Jan 14, 2014 at 05:27:58AM -0800, Yuri wrote:
> On 01/14/2014 04:58, Baptiste Daroussin wrote:
> > What is signed is the catalog which contains the hash of all the available
> > packages.
>
> How is this fingerprint on the local system updated when the remote
> catalog file changes?
>
> >
> > So the signature is only checked during pkg update in case the database is being
> > updated not during package installation because it is not needed, the fetched
> > packages are tested against their hash.
>
> I think this process is very weak.
> Normal procedure goes like this:
> * During system installation, public key of the distributor is installed
> on the local system. One key per repository. Should be verified by admin
> if this is a concern.

This is what we have

> * Every downloaded file should be downloaded together with its
> signature. Signature is computed on the server using the private key of
> the distributor.

Why if you have a trusted list of hashes of what you will download?

> * Signature of every single downloaded file should be checked. No
> exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all
> such procedures.

Why if you have a trusted list of hashes of what you will download?

> Current procedure is flawed for the following reasons:
> 1. No clear automated process of fingerprint update is defined. (In
> fact, no secure automated way of its update is possible)

yes there is, distributed via freebsd-update.

> 2. Security is opt-in. And it should be opt-out. (There is a big difference)

it is opt-out on FreeBSD 10+ as the default configuration is with signature check.

>
> I don't think this fingerprinting scheme can survive a security review.
> pkgng without proper package signing can't be recommended to users
> because it is a clear security threat.

secteam doesn't seem to agree with you, talk to them.

regards,
Bapt

From: Yuri
Date: Tue, 14 Jan 2014 18:44:42 -0800
To: Baptiste Daroussin
Subject: Re: Does pkg check signatures?
Cc: freebsd-pkg@FreeBSD.org

On 01/14/2014 05:48, Baptiste Daroussin wrote:
> secteam doesn't seem to agree with you, talk to them.

Since I didn't find any documentation on how security of package transfer
works, I did some debugging and learned from there.

The files downloaded from repository are gzipped tar archives with .txz
extension, and contain 3 files inside. For example, if the file is
mydist.txz, it would contain these files:
* mydist.pub -- RSA public key, always the same in all archives
* mydist.sig -- 256 byte binary RSA signature of mydist file
* mydist -- the payload file

The fingerprint file
/usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 contains the
SHA256 hash of the .pub file from all .txz archives. So that all those
.pub files are the same, and the secret key is merely its verification
fingerprint. .sig file is the RSA signature of the payload file.
Verification of mydist payload is done using .pub certificate.

So this whole process appears to be secure. What confused me is the term
"fingerprint".

The only question that I still have is this: Why this "fingerprint" is
introduced here?
Why not just store the corresponding .pub file over there as a trusted
key? Since this public key is what is used for verification, and there is
1-1 relationship, unless sha256 gets broken. Eliminating one concept would
have made this system simpler, and wouldn't have required to have
"fingerprint" term there.

Yuri

From owner-freebsd-pkg@FreeBSD.ORG Thu Jan 16 01:28:49 2014
Date: Wed, 15 Jan 2014 17:28:48 -0800
From: Yuri
To: freebsd-pkg@freebsd.org
Subject: "pkg: Unable to find catalogs" message during "pkg upgrade" on 10-RC5

Updating repository catalogue
digests.txz <...skipped...>
packagesite.txz <...skipped...>
Incremental update completed, 21327 packages processed:
1786 packages updated, 1050 removed and 67 added.
pkg: Unable to find catalogs

This last message came without an obvious reason.
Next run of "pkg upgrade" succeeded:
Updating repository catalogue
Nothing to do

So it is some intermittent issue.

Yuri

From owner-freebsd-pkg@FreeBSD.ORG Thu Jan 16 08:55:49 2014
Date: Thu, 16 Jan 2014 09:55:45 +0100
From: Baptiste Daroussin
To: Yuri
Subject: Re: "pkg: Unable to find catalogs" message during "pkg upgrade" on 10-RC5
Cc: freebsd-pkg@freebsd.org

On Wed, Jan 15, 2014 at 05:28:48PM -0800, Yuri wrote:
> Updating repository catalogue
> digests.txz <...skipped...>
> packagesite.txz <...skipped...>
> Incremental update completed, 21327 packages processed:
> 1786 packages updated, 1050 removed and 67 added.
> pkg: Unable to find catalogs
>
> This last message came without an obvious reason.
> Next run of "pkg upgrade" succeeded:
> Updating repository catalogue
> Nothing to do
>
> So it is some intermittent issue.
>

no, it is a cluster issue I'm working on it.

regards,
Bapt

From owner-freebsd-pkg@FreeBSD.ORG Fri Jan 17 01:21:28 2014
Date: Thu, 16 Jan 2014 17:21:27 -0800
From: Yuri
To: Baptiste Daroussin
Subject: Re: "pkg: Unable to find catalogs" message during "pkg upgrade" on 10-RC5
Cc: freebsd-pkg@FreeBSD.org

On 01/16/2014 00:55, Baptiste Daroussin wrote:
> no, it is a cluster issue I'm working on it.

Now this happens during every single run of 'pkg upgrade' and 'pkg
install xxx' on 10-RC5
This is a serious usability issue, unless there is a workaround.
I tried deleting /var/db/pkg/*, this didn't help.

Also, somewhere EPKG_FATAL is set without printing what the error was.
It should always print the message detailing what the failure is. There
are 474 locations where this error is initiated.

Yuri
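
The two-step check described earlier in this thread (hash the archive's .pub against the locally trusted fingerprint, then verify .sig over the payload with that key), as an added example that is not part of any message here and is not pkg's own code. Assumptions: the archive is a plain tar, the .pub is a PEM RSA key, the signature is RSA over SHA-256 as produced by `openssl dgst -sign` (pkg's real encoding may differ), and all keys and archives are constructed samples.

```shell
# Assumptions (constructed, not pkg's code): a plain tar holding NAME.pub (PEM
# RSA key), NAME.sig (RSA signature over SHA-256 of NAME) and the payload NAME.

sha256_hex() { openssl dgst -sha256 < "$1" | awk '{print $NF}'; }

# verify_archive ARCHIVE NAME TRUSTED_FP
# returns 0 verified, 1 embedded key not trusted, 2 bad signature, 3 malformed
verify_archive() {
    va_dir=$(mktemp -d) || return 3
    va_rc=0
    if ! tar -xf "$1" -C "$va_dir" "$2.pub" "$2.sig" "$2" 2>/dev/null; then
        va_rc=3
    # Step 1: the embedded key is untrusted input until its hash matches the pin.
    elif [ "$(sha256_hex "$va_dir/$2.pub")" != "$3" ]; then
        va_rc=1
    # Step 2: only that pinned key may vouch for the payload.
    elif ! openssl dgst -sha256 -verify "$va_dir/$2.pub" -signature \
            "$va_dir/$2.sig" "$va_dir/$2" 2>/dev/null | grep -q '^Verified OK'; then
        va_rc=2
    fi
    rm -rf "$va_dir"
    return "$va_rc"
}

# make_archive OUT NAME PRIVKEY TEXT [TAMPER]: sample archive; TAMPER is appended after signing.
make_archive() {
    ma_dir=$(mktemp -d) || return 1
    printf '%s\n' "$4" > "$ma_dir/$2"
    openssl rsa -in "$3" -pubout -out "$ma_dir/$2.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$3" -out "$ma_dir/$2.sig" "$ma_dir/$2"
    [ -z "${5:-}" ] || printf '%s\n' "$5" >> "$ma_dir/$2"
    tar -cf "$1" -C "$ma_dir" "$2.pub" "$2.sig" "$2"
    rm -rf "$ma_dir"
}

run_case() { rc=0; verify_archive "$2" mydist "$3" || rc=$?; echo "$1: rc=$rc"; }
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/repo.key" 2048 2>/dev/null   # constructed repo key
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null  # constructed foreign key
    openssl rsa -in "$d/repo.key" -pubout -out "$d/repo.pub" 2>/dev/null
    fp=$(sha256_hex "$d/repo.pub")                        # the trusted fingerprint
    make_archive "$d/good.tar" mydist "$d/repo.key" catalogue
    make_archive "$d/swapped.tar" mydist "$d/other.key" catalogue
    make_archive "$d/tampered.tar" mydist "$d/repo.key" catalogue extra
    for c in good swapped tampered; do run_case "$c" "$d/$c.tar" "$fp"; done
    rm -rf "$d"
}
demo
```

The swapped archive carries a signature that is valid under its own embedded key; it is rejected only because that key's SHA-256 is not the trusted fingerprint, which is why the fingerprint comparison has to come before the signature check.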