Date: Sat, 17 Feb 2018 16:04:00 +0000
From: Rafal Lukawiecki <raf@rafal.net>
To: Ernie Luzar <luzar722@gmail.com>
Cc: FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Re: pkg check --recompute and apache24 deleted files
Message-ID: <998C9A52-CA84-4B22-AA57-16E3382705B8@rafal.net>
In-Reply-To: <5A861F0D.2030209@gmail.com>
References: <D784CCCF-1B18-45A5-B8CF-48343BC8DB83@rafal.net> <5A861F0D.2030209@gmail.com>

> On 16 Feb 2018, at 00:00, Ernie Luzar <luzar722@gmail.com> wrote:
>
> Hi Rafal;
>
> I also delete the /usr/local/www/apache24/cgi-bin directory as a
> security leak because I don't use the cgi-bin method.
>
> I noticed this pkg checksum test came into being after the 11.1-p4
> security update.
>
> As you have shown, this security update is only highlighting the user
> customizing of installed ports/packages. These types of customization
> are not things that need security warnings.
>
> This is part of the daily security run report.
> /usr/local/etc/periodic/security/460.pkg-checksum
>
> To make this stop add;
> security_status_pkgchecksum_enable="NO"
> to /etc/periodic.conf

Thank you, Ernie, this is very helpful—and I fully agree with you that
reporting our intended customisations, especially as they have been
intended to improve security, as security warnings is not helpful unless
it can be disabled. Your solution, if I understood it, will disable
checksum verification. However, I think it is valuable having it on for
“everything else” that might be surreptitiously changed and that I may be
unaware of. Ideally, I would like to switch it off just for the Apache,
or other specified packages. Which is why I hoped pkg check --recompute
would do that. Maybe it is a bug/missing functionality in pkg check
--recompute?

Rafal
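
One way to keep checksum reporting on for everything else while silencing only the deliberately removed cgi-bin files, as an added example that is not part of the original message and not FreeBSD's own code. It assumes each finding is one line ending in the affected absolute path; the prefix list, function names and sample lines are hypothetical and constructed.

```shell
#!/bin/sh
# Drop checksum findings under paths the administrator changed on purpose;
# report every other finding unchanged.
# Assumption: one finding per line, "<pkg>: <message> <absolute path>",
# with the path as the last whitespace-separated field. A path containing
# spaces will not match a prefix and is therefore still reported.

# Deliberately customised locations (hypothetical list, space separated).
ALLOWED_PREFIXES="/usr/local/www/apache24/cgi-bin"

# filter_findings: read findings on stdin, print only the unexpected ones.
filter_findings() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }                 # last field of the line
        skip=0
        for prefix in $ALLOWED_PREFIXES; do
            case "$path" in
                # Match the directory itself or anything below it, but not
                # a sibling that merely shares the prefix (cgi-bin-old).
                "$prefix"|"$prefix"/*) skip=1; break ;;
            esac
        done
        [ "$skip" -eq 1 ] || printf '%s\n' "$line"
    done
}

# Constructed sample input, not captured from a real system.
sample_findings() {
    cat <<'EOF'
apache24-2.4.29: missing file /usr/local/www/apache24/cgi-bin/printenv
apache24-2.4.29: missing file /usr/local/www/apache24/cgi-bin/test-cgi
apache24-2.4.29: checksum mismatch for /usr/local/sbin/httpd
sudo-1.8.22: checksum mismatch for /usr/local/bin/sudo
apache24-2.4.29: missing file /usr/local/www/apache24/cgi-bin-old/x
EOF
}

# Stand-alone run: show what would still be reported.
sample_findings | filter_findings
```

On a real host the input would come from `pkg check -sa` instead of `sample_findings`, after confirming that its output matches the assumed line format.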