From owner-freebsd-security@freebsd.org  Mon Aug 14 15:55:32 2017
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4E4C3DD2878;
 Mon, 14 Aug 2017 15:55:32 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [209.237.23.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3D2053A89;
 Mon, 14 Aug 2017 15:55:31 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from roble.com (roble.com [209.237.23.50])
 by mx5.roble.com (Postfix) with ESMTP id 02ED23E5F9;
 Mon, 14 Aug 2017 08:55:30 -0700 (PDT)
Date: Mon, 14 Aug 2017 08:55:30 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: Remko Lodder <remko@FreeBSD.org>
cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
In-Reply-To: <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
Message-ID: <nycvar.OFS.7.76.1708140848070.96628@eboyr.pbz>
References: <nycvar.OFS.7.76.1708101931090.13252@eboyr.pbz>
 <C540BA50-5F06-4F99-A575-D27347A3F527@FreeBSD.org>
 <D12FD70B-2F2B-4895-AB9D-1BD72F8512B6@FreeBSD.org>
 <nycvar.OFS.7.76.1708111441430.53156@eboyr.pbz>
 <B1E5DD0C-8BBD-4F37-855C-447F28B0B49C@FreeBSD.org>
 <nycvar.OFS.7.76.1708111716080.86615@eboyr.pbz>
 <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
 <nycvar.OFS.7.76.1708132022470.4437@eboyr.pbz>
 <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 15:55:32 -0000

>> That leaves just unpackaged base as FreeBSD's remaining audit weakness.
>
> Hi, I am happy that I can reduce your worry factor a bit ;-)
>
> Can you share what the audit weakness is? freebsd-update cron checks
> whether or not an update is available and then emails you. If you run
> -RELEASE, then that means that either an EN or SA had been released..

Can you run freebsd-update on a -RELEASE system installed and maintained
with buildworld/buildkernel/installkernel/installworld?

Though it's been more than a year since the last time I tested
freebsd-update, on Virtualbox VMs, it resulted in too many bricked
systems to rely on.  That may have changed but it would still be better
to build a packaged base or have reproduceable builds as lighter-weight
solutions to the base audit issue.

Roger