Date: Wed, 1 Jul 2026 11:06:20 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Alexander Ziaee <ziaee@FreeBSD.org> Cc: freebsd-pkgbase <freebsd-pkgbase@freebsd.org> Subject: Re: None of "man freebsd-base" (or "man pkgbase"), "man pkg-upgrade", or "man pkg-install" deal with documenting .pkgsave and/or .pkgnew behavior or how to handle such Message-ID: <18ns29q2-89s4-rqq1-85oo-s0s8270or512@> In-Reply-To: <E1wefJq-000633-G1@rmmprod06.runbox>
index | next in thread | previous in thread | raw e-mail
On Tue, 30 Jun 2026, Alexander Ziaee wrote: > Would you please share any specific examples of .pkgsave or equivalent > stashed new upstream configuration files created by a package manager after > failed merge in any ecosystem that would have cured any specific CVE in a > system that was deployed correctly before the CVE? Apologies for being out of context. I was referring to .pkgsave files created by pkg and other apps and specifically those that write executable and library files. The files created by etcupdate do not, as far as I know, have security issues in and of themselves. There ideally would be a common policy for creating and reporting on .pkgsave file creation from all applications. It should be outlined or at least referenced in all relevant man pages, clearly noted by applications that create these files, reported on by cron scripts and logged via syslogd. Would be better if there were an rc.conf setting to just turn them off altogether, for those of us who already have snapshots, backups and/or revision control. WRT etcupdate, its output is a big improvement but still generally more verbose than ideal for the standard use case. IMO, Rogerhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18ns29q2-89s4-rqq1-85oo-s0s8270or512>
