Date: Sun, 7 Dec 2014 22:06:03 -0800
From: Jason Helfman <bsd-src@helfman.org>
To: Jacob Helwig <jacob@technosorcery.net>
Cc: "freebsd-doc@freebsd.org" <freebsd-doc@freebsd.org>
Subject: Re: Issue with Handbook section 5.2
Message-ID: <8520FD79-CD02-4F71-B057-9E461DCA668E@helfman.org>
In-Reply-To: <F1BFCB4B-2F99-4734-AD6F-54EBAA966F30@technosorcery.net>
References: <B06E0DF0-73F5-4B6B-A7B3-EFCCC9AD875A@technosorcery.net> <54845136.6050603@FreeBSD.org> <F1BFCB4B-2F99-4734-AD6F-54EBAA966F30@technosorcery.net>
> On Dec 7, 2014, at 8:35 PM, Jacob Helwig <jacob@technosorcery.net> wrote:
>
>> On Dec 7, 2014, at 05:08, Matthew Seaman <matthew@FreeBSD.org> wrote:
>>
>>> On 07/12/2014 02:58, Jacob Helwig wrote:
>>> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
>>> 2014), section 5.2 (Overview of Software Installation) mentions using
>>> ports-mgmt/portaudit to check for security issues. Unfortunately,
>>> portaudit was removed from ports on October 13th[0].
>>>
>>> The commit that removed it says that “pkg audit” should be used
>>> instead (“portaudit expired when pkg_tools did, use pkg audit”), but
>>> as someone pretty new to FreeBSD, it’s not clear that this would be
>>> appropriate for ports usage. Is “pkg audit” appropriate? The
>>> language in the warning section of this Handbook section suggests
>>> that “pkg audit” isn’t appropriate outside of package use. If “pkg
>>> audit” isn’t appropriate, what should be used instead?
>>>
>>> -Jacob
>>>
>>> [0]
>>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>>
>> pkg audit is certainly the correct tool to use. You can audit your
>> system for vulnerable packages by running 'pkg audit -F' at intervals.
>> If you add:
>>
>> daily_status_security_pkgaudit_enable="YES"
>>
>> to /etc/periodic.conf then you can have it run automatically each night.
>>
>> You seem to be suffering from a common misconception that packages and
>> ports are somehow much more distinct than is actually the case. It is
>> something that clearly we aren't explaining very effectively.
>>
>> A port is a set of instructions for building a package -- and pkg is the
>> tool for creating and managing packages. So much so that packages
>> themselves are now referred to as 'pkgs.' (Partly that was to
>> distinguish them from the old pkg_tools style of packages, but that is
>> generally no longer a consideration. Even so, the usage persists.) All
>> pkgs are originally built from ports and the result of building a port
>> is a pkg[*]. Even if you're installing pre-built pkgs from the FreeBSD
>> pkg repositories, this is still true.
>>
>> Pkgs have two states: installed -- with all the files extracted and
>> copied into place in the filesystem -- and as tarballs -- collected into
>> one compressed archive for easy network distribution. But they are both
>> still pkgs.
>>
>> Cheers,
>>
>> Matthew
>>
>> [*] At the moment. There are plans to change this so that several pkgs
>> may be built from one port, and also plans to be able to create pkgs
>> from other sources than the ports tree.
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.
>> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
> 5.4.1 does a little to help dispel the idea that pkg & ports are completely
> independent systems (aside from being able to make pkgs from ports, as
> pointed out in 5.2). Specifically where 5.4.1 mentions ports registering
> new software with pkg. Though, this doesn’t do much good for the warning
> in 5.2, as you wouldn’t have read 5.4.1 yet.
>
> I think updating the warning in 5.2 to call out that “pkg audit” has taken
> over the portaudit functionality in 10.x+, and that it works with software
> installed via either mechanism, would go a long way towards getting rid of
> the misconception, or at the very least, not reinforcing it.
>
> -Jacob

I have not read this entire thread, but I noticed this on Friday and started
working on a patch.

Thanks!
-jgh