From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-doc@freebsd.org
Date: Sun, 07 Dec 2014 13:08:06 +0000
Subject: Re: Issue with Handbook section 5.2
Message-ID: <54845136.6050603@FreeBSD.org>
On 07/12/2014 02:58, Jacob Helwig wrote:
> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
> 2014), section 5.2 (Overview of Software Installation) mentions using
> ports-mgmt/portaudit to check for security issues. Unfortunately,
> portaudit was removed from ports on October 13th[0].
>
> The commit that removed it says that "pkg audit" should be used
> instead ("portaudit expired when pkg_tools did, use pkg audit"), but
> as someone pretty new to FreeBSD, it's not clear that this would be
> appropriate for ports usage. Is "pkg audit" appropriate? The
> language in the warning section of this Handbook section suggests
> that "pkg audit" isn't appropriate outside of package use. If "pkg
> audit" isn't appropriate, what should be used instead?
>
> -Jacob
>
> [0]
> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7

pkg audit is certainly the correct tool to use. You can audit your
system for vulnerable packages by running 'pkg audit -F' at intervals.
If you add:

    daily_status_security_pkgaudit_enable="YES"

to /etc/periodic.conf then you can have it run automatically each night.
You seem to be suffering from a common misconception that packages and
ports are somehow much more distinct than is actually the case. It is
something that clearly we aren't explaining very effectively.

A port is a set of instructions for building a package -- and pkg is
the tool for creating and managing packages. So much so that packages
themselves are now referred to as 'pkgs.' (Partly that was to
distinguish them from the old pkg_tools style of packages, but that is
generally no longer a consideration. Even so, the usage persists.)

All pkgs are originally built from ports and the result of building a
port is a pkg[*]. Even if you're installing pre-built pkgs from the
FreeBSD pkg repositories, this is still true. Pkgs have two states:
installed -- with all the files extracted and copied into place in the
filesystem -- and as tarballs -- collected into one compressed archive
for easy network distribution. But they are both still pkgs.

Cheers,

Matthew

[*] At the moment. There are plans to change this so that several pkgs
may be built from one port, and also plans to be able to create pkgs
from other sources than the ports tree.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
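The periodic.conf setting Matthew recommends is usually rolled out to many hosts by a script rather than edited by hand. The following POSIX sh helper is an added example, not code from the thread or from the FreeBSD project: it sets `daily_status_security_pkgaudit_enable="YES"` idempotently (replacing any existing assignment rather than appending a duplicate) and reads the value back to confirm the change. The function names, the assumption that the file contains one `KEY="VALUE"` assignment per line, and the default path are all the example's own; the path argument exists so it can be tried on a scratch copy before touching /etc/periodic.conf.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): idempotently enable the
# nightly pkg audit check in a periodic.conf(5)-style file and verify it.
# Assumption: the file uses simple KEY="VALUE" sh assignments, one per line.

# set_periodic_var FILE KEY VALUE
# Remove any existing uncommented assignment of KEY, then append a single
# fresh one, so the file ends up with exactly one assignment of KEY.
set_periodic_var() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="${file}.tmp.$$"
    # grep -v exits 1 when nothing is left; that is not an error here.
    grep -v "^[[:space:]]*${key}=" "$file" > "$tmp" || true
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_periodic_var FILE KEY
# Print the value assigned to KEY (last assignment wins, as in sh) with
# surrounding quotes stripped; print nothing if KEY is unset.
get_periodic_var() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}=//p" "$file" \
        | tail -n 1 \
        | sed 's/^["'\'']//; s/["'\'']$//'
}

# enable_nightly_pkgaudit [FILE]
# Write the setting from the reply above (default: /etc/periodic.conf) and
# succeed only if it reads back as enabled.
enable_nightly_pkgaudit() {
    file=${1:-/etc/periodic.conf}
    set_periodic_var "$file" daily_status_security_pkgaudit_enable YES
    [ "$(get_periodic_var "$file" daily_status_security_pkgaudit_enable)" = "YES" ]
}

# Usage (as root, on the real file):
#   . ./enable-pkgaudit.sh && enable_nightly_pkgaudit
# or on a scratch copy first:
#   cp /etc/periodic.conf /tmp/periodic.conf && enable_nightly_pkgaudit /tmp/periodic.conf
```

Running the function twice leaves one assignment, so it is safe to include in a configuration-management run that executes on every host each time. The nightly job only reports what `pkg audit` finds; an immediate check after enabling it is still `pkg audit -F`, as the reply says.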