Date: Thu, 30 Oct 2025 20:25:37 +0000
From: Lexi Winter
To: pkgbase@freebsd.org
Subject: a sad story about /usr/sbin/sshd and pkg triggers
List-Id: Packaging the FreeBSD base system
List-Archive: https://lists.freebsd.org/archives/freebsd-pkgbase

hello,

there is a known issue in sshd(8) where, if you replace the sshd binary on disk, but do not restart sshd, it will no longer accept connections until the service is restarted.

for freebsd-update, we solve this by restarting the sshd service if the sshd binary is updated.

for pkgbase, i wanted to do this with a trigger, but it seems like this doesn't work because pkg only considers directories when evaluating triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger will never be matched.

this means that future security updates to sshd in 15.0 might lock people out of their system when we don't restart sshd.

does anyone have a specific, actionable suggestion on how we can fix this today for 15.0?

note, we cannot use a post-install script since pkg kills all subprocesses of the post-install script before exiting.