Date: Sun, 7 Dec 2014 20:35:02 -0800
From: Jacob Helwig <jacob@technosorcery.net>
To: freebsd-doc@freebsd.org
Subject: Re: Issue with Handbook section 5.2
Message-ID: <F1BFCB4B-2F99-4734-AD6F-54EBAA966F30@technosorcery.net>
In-Reply-To: <54845136.6050603@FreeBSD.org>
References: <B06E0DF0-73F5-4B6B-A7B3-EFCCC9AD875A@technosorcery.net> <54845136.6050603@FreeBSD.org>
On Dec 7, 2014, at 05:08, Matthew Seaman <matthew@FreeBSD.org> wrote:

> On 07/12/2014 02:58, Jacob Helwig wrote:
>> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
>> 2014), section 5.2 (Overview of Software Installation) mentions using
>> ports-mgmt/portaudit to check for security issues. Unfortunately,
>> portaudit was removed from ports on October 13th[0].
>>
>> The commit that removed it says that "pkg audit" should be used
>> instead ("portaudit expired when pkg_tools did, use pkg audit"), but
>> as someone pretty new to FreeBSD, it's not clear that this would be
>> appropriate for ports usage. Is "pkg audit" appropriate? The
>> language in the warning section of this Handbook section suggests
>> that "pkg audit" isn't appropriate outside of package use. If "pkg
>> audit" isn't appropriate, what should be used instead?
>>
>> -Jacob
>>
>> [0]
>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>
> pkg audit is certainly the correct tool to use. You can audit your
> system for vulnerable packages by running 'pkg audit -F' at intervals.
> If you add:
>
> daily_status_security_pkgaudit_enable="YES"
>
> to /etc/periodic.conf then you can have it run automatically each night.
>
> You seem to be suffering from a common misconception that packages and
> ports are somehow much more distinct than is actually the case. It is
> something that clearly we aren't explaining very effectively.
>
> A port is a set of instructions for building a package -- and pkg is the
> tool for creating and managing packages. So much so that packages
> themselves are now referred to as 'pkgs.' (Partly that was to
> distinguish them from the old pkg_tools style of packages, but that is
> generally no longer a consideration. Even so, the usage persists.) All
> pkgs are originally built from ports and the result of building a port
> is a pkg[*]. Even if you're installing pre-built pkgs from the FreeBSD
> pkg repositories, this is still true.
>
> Pkgs have two states: installed -- with all the files extracted and
> copied into place in the filesystem -- and as tarballs -- collected into
> one compressed archive for easy network distribution. But they are both
> still pkgs.
>
> Cheers,
>
> Matthew
>
> [*] At the moment. There are plans to change this so that several pkgs
> may be built from one port, and also plans to be able to create pkgs
> from other sources than the ports tree.
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

5.4.1 does a little to help dispel the idea that pkg & ports are completely independent systems (aside from being able to make pkgs from ports, as pointed out in 5.2). Specifically where 5.4.1 mentions ports registering new software with pkg. Though, this doesn't do much good for the warning in 5.2, as you wouldn't have read 5.4.1 yet. I think updating the warning in 5.2 to call out that "pkg audit" has taken over the portaudit functionality in 10.x+, and that it works with software installed via either mechanism, would go a long way towards getting rid of the misconception, or at the very least, not reinforce it.

-Jacob

--
http://technosorcery.net/about/me