Date: Thu, 30 Oct 2025 20:43:46 +0000
From: Lexi Winter
To: pkgbase@freebsd.org
Subject: Re: a sad story about /usr/sbin/sshd and pkg triggers
List-Id: Packaging the FreeBSD base system
List-Archive: https://lists.freebsd.org/archives/freebsd-pkgbase

Dan Mahoney wrote:

> > On Oct 30, 2025, at 13:25, Lexi Winter wrote:
> >
> > hello,
> >
> > there is a known issue in sshd(8) where, if you replace the sshd binary
> > on disk, but do not restart sshd, it will no longer accept connections
> > until the service is restarted.
> >
> > for freebsd-update, we solve this by restarting the sshd service if the
> > sshd binary is updated.
> >
> > for pkgbase, i wanted to do this with a trigger, but it seems like this
> > doesn't work because pkg only considers directories when evaluating
> > triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger
> > will never be matched.
> >
> > this means that future security updates to sshd in 15.0 might lock
> > people out of their system when we don't restart sshd.
> >
> > does anyone have a specific, actionable suggestion on how we can fix
> > this today for 15.0?
> >
> > note, we cannot use a post-install script since pkg kills all
> > subprocesses of the post-install script before exiting.
> >
> Fire off an atrun?

i don't think this will work reliably since cron may not be running,
particularly in jails.