Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 30 Jun 2026 10:48:33 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Alexander Ziaee <ziaee@FreeBSD.org>
Cc:        Larry Fahnoe <fahnoe@fahnoetech.com>, Mark Millard <marklmi@yahoo.com>,  vermaden <vermaden@interia.pl>, Lexi Winter <ivy@freebsd.org>,  freebsd-pkgbase <freebsd-pkgbase@freebsd.org>
Subject:   Re: None of "man freebsd-base" (or "man pkgbase"), "man pkg-upgrade", or "man pkg-install" deal with documenting .pkgsave and/or .pkgnew behavior or how to handle such
Message-ID:  <6nrn78o7-0448-qoq3-6681-n5qoq07n3n6r@>
In-Reply-To: <E1wea2V-0006mp-Ab@rmmprod07.runbox>

index | next in thread | previous in thread | raw e-mail

On Tue, 30 Jun 2026, Alexander Ziaee wrote:
>> the *.pkgnew and *.pkgsave files as they seem a bit less intuitive
>> than on the other platforms. For some it may be natural to go looking
>> for these leftover telltales but they may represent important but
>> neglected potential time-bombs for the less familiar.
>
> OpenVMS and Linux do create these files. OpenVMS increments the version
> (;2 or ;3) or drops a TEMPLATE file. Linux uses .dpkg-dist and .dpkg-old
> or .rpmnew and .rpmsave. However, it is a not a ticking time bomb, so
> they do not tell you and you have not noticed.

Any CVE-related .pkgsave is a ticking time bomb in so far as it
unnecessarily increases the OS' attack surface.  These files are not
only easy to find but in the path (shell and lib).

This is the similar to the installation and preservation of unused but
vulnerable kernel modules (Linux' Dirty Frag et al: CVE-2026-43284,
CVE-2026-43500, ...).

IMO any Ops, SecOps or DevSecOps worth their salary will detect and
encrypt or remove these files from their systems.

Roger Marquis


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6nrn78o7-0448-qoq3-6681-n5qoq07n3n6r>