From: Jacob Helwig
To: freebsd-doc@freebsd.org
Subject: Re: Issue with Handbook section 5.2
Date: Sun, 7 Dec 2014 20:35:02 -0800
In-Reply-To: <54845136.6050603@FreeBSD.org>

On Dec 7, 2014, at 05:08, Matthew Seaman wrote:
>
> On 07/12/2014 02:58, Jacob Helwig wrote:
>> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
>> 2014), section 5.2 (Overview of Software Installation) mentions using
>> ports-mgmt/portaudit to check for security issues. Unfortunately,
>> portaudit was removed from ports on October 13th[0].
>>
>> The commit that removed it says that "pkg audit" should be used
>> instead ("portaudit expired when pkg_tools did, use pkg audit"), but
>> as someone pretty new to FreeBSD, it's not clear that this would be
>> appropriate for ports usage. Is "pkg audit" appropriate? The
>> language in the warning section of this Handbook section suggests
>> that "pkg audit" isn't appropriate outside of package use. If "pkg
>> audit" isn't appropriate, what should be used instead?
>>
>> -Jacob
>>
>> [0]
>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>
> pkg audit is certainly the correct tool to use. You can audit your
> system for vulnerable packages by running 'pkg audit -F' at intervals.
> If you add:
>
> daily_status_security_pkgaudit_enable="YES"
>
> to /etc/periodic.conf then you can have it run automatically each night.
>
> You seem to be suffering from a common misconception that packages and
> ports are somehow much more distinct than is actually the case. It is
> something that clearly we aren't explaining very effectively.
>
> A port is a set of instructions for building a package -- and pkg is the
> tool for creating and managing packages. So much so that packages
> themselves are now referred to as 'pkgs.' (Partly that was to
> distinguish them from the old pkg_tools style of packages, but that is
> generally no longer a consideration. Even so, the usage persists.) All
> pkgs are originally built from ports and the result of building a port
> is a pkg[*]. Even if you're installing pre-built pkgs from the FreeBSD
> pkg repositories, this is still true.
>
> Pkgs have two states: installed -- with all the files extracted and
> copied into place in the filesystem -- and as tarballs -- collected into
> one compressed archive for easy network distribution. But they are both
> still pkgs.
>
> Cheers,
>
> Matthew
>
> [*] At the moment. There are plans to change this so that several pkgs
> may be built from one port, and also plans to be able to create pkgs
> from other sources than the ports tree.
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

5.4.1 does a little to help dispel the idea that pkg & ports are
completely independent systems (aside from being able to make pkgs from
ports, as pointed out in 5.2). Specifically where 5.4.1 mentions ports
registering new software with pkg. Though, this doesn't do much good for
the warning in 5.2, as you wouldn't have read 5.4.1 yet. I think updating
the warning in 5.2 to call out that "pkg audit" has taken over the
portaudit functionality in 10.x+, and that it works with software
installed via either mechanism, would go a long way towards getting rid
of the misconception, or at the very least, not reinforce it.

-Jacob

-- 
http://technosorcery.net/about/me
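As an added example (not part of the thread, and not FreeBSD's own code), a small POSIX sh script that checks whether a periodic.conf carries the daily_status_security_pkgaudit_enable setting Matthew recommends, and enables it if not. It works on a constructed temp file rather than /etc/periodic.conf; the set of accepted "yes" spellings is borrowed from rc.subr's checkyesno and is an assumption about how periodic(8) reads the flag, which is why the value written is the literal "YES".

```sh
#!/bin/sh
# Added example, not FreeBSD's code: check whether a periodic.conf will run
# "pkg audit" nightly, and enable it if not. Accepted yes-values follow
# rc.subr's checkyesno (assumed; the pkgaudit script may accept fewer),
# so the value written is the literal "YES" from the thread.
VAR=daily_status_security_pkgaudit_enable

# Effective value of $VAR in the file $1: the last assignment wins, as it
# does when the file is sourced. Surrounding quotes are stripped; prints
# nothing if the variable is never set.
pkgaudit_setting() {
    sed -n "s/^[[:space:]]*${VAR}=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Exit 0 if the setting counts as "yes", 1 otherwise. Unset or unknown
# values count as disabled, so the check never relies on a script default.
pkgaudit_nightly_enabled() {
    case "$(pkgaudit_setting "$1")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite $1 so it carries exactly one assignment of $VAR, set to "YES".
# Earlier assignments are dropped so a later "NO" cannot silently win.
enable_pkgaudit() {
    ep_conf=$1
    ep_tmp=$(mktemp) || return 1
    {
        [ -f "$ep_conf" ] && grep -v "^[[:space:]]*${VAR}=" "$ep_conf" || true
        printf '%s="YES"\n' "$VAR"
    } > "$ep_tmp"
    mv "$ep_tmp" "$ep_conf"
}

# Demo on a constructed periodic.conf (a temp file, never /etc/periodic.conf).
demo() {
    d_conf=$(mktemp)
    printf '%s\n' 'daily_clean_tmps_enable="YES"' "${VAR}=\"NO\"" > "$d_conf"
    pkgaudit_nightly_enabled "$d_conf" && echo "before: enabled" || echo "before: disabled"
    enable_pkgaudit "$d_conf"
    pkgaudit_nightly_enabled "$d_conf" && echo "after: enabled" || echo "after: disabled"
    cat "$d_conf"
    rm -f "$d_conf"
}

demo
```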