From owner-freebsd-doc@FreeBSD.ORG Mon Dec 8 06:06:12 2014
From: Jason Helfman
Subject: Re: Issue with Handbook section 5.2
Date: Sun, 7 Dec 2014 22:06:03 -0800
To: Jacob Helwig
Cc: "freebsd-doc@freebsd.org"
Message-Id: <8520FD79-CD02-4F71-B057-9E461DCA668E@helfman.org>
References: <54845136.6050603@FreeBSD.org>
List-Id: Documentation project

> On Dec 7, 2014, at 8:35 PM, Jacob Helwig wrote:
> 
>> On Dec 7, 2014, at 05:08, Matthew Seaman wrote:
>> 
>>> On 07/12/2014 02:58, Jacob Helwig wrote:
>>> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
>>> 2014), section 5.2 (Overview of Software Installation) mentions using
>>> ports-mgmt/portaudit to check for security issues. Unfortunately,
>>> portaudit was removed from ports on October 13th[0].
>>> 
>>> The commit that removed it says that "pkg audit" should be used
>>> instead ("portaudit expired when pkg_tools did, use pkg audit"), but
>>> as someone pretty new to FreeBSD, it's not clear that this would be
>>> appropriate for ports usage. Is "pkg audit" appropriate? The
>>> language in the warning section of this Handbook section suggests
>>> that "pkg audit" isn't appropriate outside of package use. If "pkg
>>> audit" isn't appropriate, what should be used instead?
>>> 
>>> -Jacob
>>> 
>>> [0]
>>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>> 
>> pkg audit is certainly the correct tool to use. You can audit your
>> system for vulnerable packages by running 'pkg audit -F' at intervals.
>> If you add:
>> 
>> daily_status_security_pkgaudit_enable="YES"
>> 
>> to /etc/periodic.conf then you can have it run automatically each night.
>> 
>> You seem to be suffering from a common misconception that packages and
>> ports are somehow much more distinct than is actually the case. It is
>> something that clearly we aren't explaining very effectively.
>> 
>> A port is a set of instructions for building a package -- and pkg is the
>> tool for creating and managing packages. So much so that packages
>> themselves are now referred to as 'pkgs.' (Partly that was to
>> distinguish them from the old pkg_tools style of packages, but that is
>> generally no longer a consideration. Even so, the usage persists.) All
>> pkgs are originally built from ports and the result of building a port
>> is a pkg[*]. Even if you're installing pre-built pkgs from the FreeBSD
>> pkg repositories, this is still true.
>> 
>> Pkgs have two states: installed -- with all the files extracted and
>> copied into place in the filesystem -- and as tarballs -- collected into
>> one compressed archive for easy network distribution. But they are both
>> still pkgs.
>> 
>> Cheers,
>> 
>> Matthew
>> 
>> [*] At the moment. There are plans to change this so that several pkgs
>> may be built from one port, and also plans to be able to create pkgs
>> from other sources than the ports tree.
>> 
>> -- 
>> Dr Matthew J Seaman MA, D.Phil.
>> PGP: http://www.infracaninophile.co.uk/pgpkey
> 
> 
> 5.4.1 does a little to help dispel the idea that pkg & ports are completely
> independent systems (aside from being able to make pkgs from ports, as
> pointed out in 5.2). Specifically where 5.4.1 mentions ports registering
> new software with pkg. Though, this doesn't do much good for the warning
> in 5.2, as you wouldn't have read 5.4.1 yet.
> 
> I think updating the warning in 5.2 to call out that "pkg audit" has taken
> over the portaudit functionality in 10.x+, and that it works with software
> installed via either mechanism, would go a long way towards getting rid of
> the misconception, or at the very least, not reinforce it.
> 
> -Jacob

I have not read this entire thread, but I noticed this on Friday and started working on a patch.

Thanks!
-jgh
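The nightly check that Matthew's reply describes, as an added example that is not part of this thread or of FreeBSD's own periodic scripts: a POSIX sh helper that sets the periodic.conf knob idempotently and reports whether it is on. The file path is a parameter (an assumption of this example) so it runs against a scratch copy rather than /etc/periodic.conf; the on-demand check, `pkg audit -F`, is still run by hand as the reply says.

```shell
#!/bin/sh
# Added example, not from the thread: turn on the nightly "pkg audit" run
# that the reply recommends, by setting
#   daily_status_security_pkgaudit_enable="YES"
# in a periodic.conf file. The path is a parameter so the helper can be
# exercised on a scratch copy; on a real host it would be /etc/periodic.conf
# (the functions below never touch /etc on their own).

KNOB="daily_status_security_pkgaudit_enable"

# enable_pkgaudit FILE: ensure FILE sets the knob to "YES" exactly once.
# Idempotent: an existing assignment (e.g. "NO") is rewritten in place,
# a missing one is appended, a correct one is left unchanged.
enable_pkgaudit() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    if grep -q "^${KNOB}=" "$f"; then
        tmp="${f}.tmp.$$"
        sed "s/^${KNOB}=.*/${KNOB}=\"YES\"/" "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf '%s="YES"\n' "$KNOB" >> "$f"
    fi
}

# pkgaudit_enabled FILE: print "yes" if the knob is on (quoted or not),
# "no" otherwise, including when FILE does not exist.
pkgaudit_enabled() {
    if grep -qE "^${KNOB}=\"?YES\"?\$" "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Demonstration on a constructed scratch periodic.conf that already has the
# knob switched off; prints "no yes 1" (state before, state after, line count).
demo() {
    d=$(mktemp -d)
    f="$d/periodic.conf"
    printf '%s\n' 'daily_status_security_enable="YES"' "${KNOB}=\"NO\"" > "$f"
    before=$(pkgaudit_enabled "$f")
    enable_pkgaudit "$f"
    enable_pkgaudit "$f"            # second call must not duplicate the line
    after=$(pkgaudit_enabled "$f")
    n=$(grep -c "^${KNOB}=" "$f")
    rm -rf "$d"
    echo "$before $after $n"
}
```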