From: Rafal Lukawiecki
To: Ernie Luzar
Cc: FreeBSD Ports
Subject: Re: pkg check --recompute and apache24 deleted files
Date: Sat, 17 Feb 2018 16:04:00 +0000

> On 16 Feb 2018, at 00:00, Ernie Luzar wrote:
>
> Hi Rafal;
>
> I also delete the /usr/local/www/apache24/cgi-bin directory as a
> security leak because I don't use the cgi-bin method.
>
> I noticed this pkg checksum test came into being after the 11.1-p4
> security update.
>
> As you have shown, this security update is only highlighting the user
> customizing of installed ports/packages. These types of customization
> are not things that need security warnings.
>
> This is part of the daily security run report.
> /usr/local/etc/periodic/security/460.pkg-checksum
>
> To make this stop add;
> security_status_pkgchecksum_enable="NO"
> to /etc/periodic.conf

Thank you, Ernie, this is very helpful—and I fully agree with you that reporting our intended customisations, especially as they have been intended to improve security, as security warnings is not helpful unless it can be disabled. Your solution, if I understood it, will disable checksum verification. However, I think it is valuable having it on for “everything else” that might be surreptitiously changed and that I may be unaware of. Ideally, I would like to switch it off just for the Apache, or other specified packages. Which is why I hoped pkg check --recompute would do that. Maybe it is a bug/missing functionality in pkg check --recompute?

Rafal
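
One way to keep checksum verification on for everything else while silencing only the intended Apache changes, as an added example that is not part of the original message or of pkg itself: a post-filter that drops findings for allowlisted paths and passes every other line through. The two finding formats, the function names, and the sample lines are assumptions or constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message.
# Assumed finding formats (verify against your pkg version):
#   <pkg>-<ver>: missing file <path>
#   <pkg>-<ver>: checksum mismatch for <path>
# Allowlist: one absolute path or directory per line; '#' starts a comment.

path_is_allowed() {
    # $1 = path from a finding, $2 = allowlist file
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        entry=${entry%/}
        [ -n "$entry" ] || continue      # ignore a bare "/" entry
        case $1 in
            "$entry"|"$entry"/*) return 0 ;;
        esac
    done < "$2"
    return 1
}

filter_pkg_findings() {
    # $1 = allowlist file; findings arrive on stdin
    while IFS= read -r line; do
        case $line in
            *": missing file "*)          path=${line#*": missing file "} ;;
            *": checksum mismatch for "*) path=${line#*": checksum mismatch for "} ;;
            *) printf '%s\n' "$line"; continue ;;   # unrecognised: never hide it
        esac
        path_is_allowed "$path" "$1" || printf '%s\n' "$line"
    done
}

demo() {
    # Constructed allowlist and findings (not real output from any host).
    tmp=$(mktemp) || return 1
    printf '%s\n' '# cgi-bin removed on purpose' \
        '/usr/local/www/apache24/cgi-bin/' > "$tmp"
    printf '%s\n' \
        'apache24-1.0: missing file /usr/local/www/apache24/cgi-bin/printenv' \
        'apache24-1.0: checksum mismatch for /usr/local/libexec/apache24/mod_ssl.so' \
        'sudo-1.0: checksum mismatch for /usr/local/bin/sudo' |
        filter_pkg_findings "$tmp"
    rm -f "$tmp"
}
```

On a real host the input would come from `pkg check -s -a 2>&1`, with the allowlist kept in a root-owned file of your choosing.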