From: Dan Mahoney
To: Lexi Winter
Cc: pkgbase@freebsd.org
Subject: Re: a sad story about /usr/sbin/sshd and pkg triggers
Date: Thu, 30 Oct 2025 13:41:07 -0700
List-Id: Packaging the FreeBSD base system
List-Archive: https://lists.freebsd.org/archives/freebsd-pkgbase

Fire off an atrun?

-Dan

Sent from my iPhone

> On Oct 30, 2025, at 13:25, Lexi Winter wrote:
>
> hello,
>
> there is a known issue in sshd(8) where, if you replace the sshd binary
> on disk, but do not restart sshd, it will no longer accept connections
> until the service is restarted.
>
> for freebsd-update, we solve this by restarting the sshd service if the
> sshd binary is updated.
>
> for pkgbase, i wanted to do this with a trigger, but it seems like this
> doesn't work because pkg only considers directories when evaluating
> triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger
> will never be matched.
>
> this means that future security updates to sshd in 15.0 might lock
> people out of their system when we don't restart sshd.
>
> does anyone have a specific, actionable suggestion on how we can fix
> this today for 15.0?
>
> note, we cannot use a post-install script since pkg kills all
> subprocesses of the post-install script before exiting.