Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 1 Jul 2026 11:06:20 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Alexander Ziaee <ziaee@FreeBSD.org>
Cc:        freebsd-pkgbase <freebsd-pkgbase@freebsd.org>
Subject:   Re: None of "man freebsd-base" (or "man pkgbase"), "man pkg-upgrade", or "man pkg-install" deal with documenting .pkgsave and/or .pkgnew behavior or how to handle such
Message-ID:  <18ns29q2-89s4-rqq1-85oo-s0s8270or512@>
In-Reply-To: <E1wefJq-000633-G1@rmmprod06.runbox>

index | next in thread | previous in thread | raw e-mail

On Tue, 30 Jun 2026, Alexander Ziaee wrote:
> Would you please share any specific examples of .pkgsave or equivalent
> stashed new upstream configuration files created by a package manager after
> failed merge in any ecosystem that would have cured any specific CVE in a
> system that was deployed correctly before the CVE?

Apologies for being out of context.  I was referring to .pkgsave files
created by pkg and other apps and specifically those that write
executable and library files.  The files created by etcupdate do
not, as far as I know, have security issues in and of themselves.

There ideally would be a common policy for creating and reporting on
.pkgsave file creation from all applications.  It should be outlined or
at least referenced in all relevant man pages, clearly noted by
applications that create these files, reported on by cron scripts and
logged via syslogd.  Would be better if there were an rc.conf setting to
just turn them off altogether, for those of us who already have
snapshots, backups and/or revision control.

WRT etcupdate, its output is a big improvement but still generally more
verbose than ideal for the standard use case.

IMO,
Roger


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18ns29q2-89s4-rqq1-85oo-s0s8270or512>