Date: Tue, 30 Jun 2026 20:44:34 +0000 (UTC) From: "Alexander Ziaee" <ziaee@FreeBSD.org> To: "Roger Marquis" <marquis@roble.com> Cc: "freebsd-pkgbase" <freebsd-pkgbase@freebsd.org> Subject: Re: None of "man freebsd-base" (or "man pkgbase"), "man pkg-upgrade", or "man pkg-install" deal with documenting .pkgsave and/or .pkgnew behavior or how to handle such Message-ID: <E1wefJq-000633-G1@rmmprod06.runbox> In-Reply-To: <6nrn78o7-0448-qoq3-6681-n5qoq07n3n6r@>
index | next in thread | previous in thread | raw e-mail
On 2026-06-30 13:48 -04:00 EDT, "Roger Marquis" <marquis@roble.com> wrote: > Any CVE-related .pkgsave is a ticking time bomb in so far as it > unnecessarily increases the OS' attack surface. These files are not > only easy to find but in the path (shell and lib). Would you please share any specific examples of .pkgsave or equivalent stashed new upstream configuration files created by a package manager after failed merge in any ecosystem that would have cured any specific CVE in a system that was deployed correctly before the CVE? I have never heard of that, but that would be good information to come to light. > IMO any Ops, SecOps or DevSecOps worth their salary will detect and > encrypt or remove these files from their systems. I think we all agree that operators should always do all of their chores promptly, so we put an entire section on this in the official FreeBSD 15.1 upgrading docs :) One of the principles in the doc project is that the docs are always buggy. In this case, I'm struggling with how to make it clearer without making it less accessible. If we put a tip box at the bottom of the section saying "tip: other operating systems also do this, they just don't tell you", I think that would be a bit condescending and also outside the scope of the doc. People get fatigued easily when they detect irrelevant information or hit patches of much higher information density. Then they start skipping and miss important stuff, and the ecosystem is much worse off. Again, this is the same behavior I see in all other similar operating systems, the only difference I see is that we are instructing all operators to address it during the scheduled downtime as part of the approved upgrade process, and we are documenting files in the reference manual. But the docs certainly have massive room for improvement! Best, Alexhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1wefJq-000633-G1>
