> On Dec 7, 2014, at 8:35 PM, Jacob Helwig <ja...@technosorcery.net> wrote:
>
>> On Dec 7, 2014, at 05:08, Matthew Seaman <matt...@freebsd.org> wrote:
>>
>>> On 07/12/2014 02:58, Jacob Helwig wrote:
>>> In going through the FreeBSD Handbook (as of Sun Dec 7 02:44:11 UTC
>>> 2014), section 5.2 (Overview of Software Installation) mentions using
>>> ports-mgmt/portaudit to check for security issues. Unfortunately,
>>> portaudit was removed from ports on October 13th[0].
>>>
>>> The commit that removed it says that “pkg audit” should be used
>>> instead ("portaudit expired when pkg_tools did, use pkg audit”), but
>>> as someone pretty new to FreeBSD, it’s not clear that this would be
>>> appropriate for ports usage. Is “pkg audit” appropriate? The
>>> language in the warning section of this Handbook section suggests
>>> that “pkg audit” isn’t appropriate outside of package use. If “pkg
>>> audit” isn’t appropriate, what should be used instead?
>>>
>>> -Jacob
>>>
>>> [0]
>>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>>
>> pkg audit is certainly the correct tool to use. You can audit your
>> system for vulnerable packages by running 'pkg audit -F' at intervals.
>> If you add:
>>
>> daily_status_security_pkgaudit_enable="YES"
>>
>> to /etc/periodic.conf then you can have it run automatically each night.
>>
>> You seem to be suffering from a common misconception that packages and
>> ports are somehow much more distinct than is actually the case. It is
>> something that clearly we aren't explaining very effectively.
>>
>> A port is a set of instructions for building a package -- and pkg is the
>> tool for creating and managing packages. So much so that packages
>> themselves are now referred to as 'pkgs.' (Partly that was to
>> distinguish them from the old pkg_tools style of packages, but that is
>> generally no longer a consideration. Even so, the usage persists.) All
>> pkgs are originally built from ports and the result of building a port
>> is a pkg[*]. Even if you're installing pre-built pkgs from the FreeBSD
>> pkg repositories, this is still true.
>>
>> Pkgs have two states: installed -- with all the files extracted and
>> copied into place in the filesystem -- and as tarballs -- collected into
>> one compressed archive for easy network distribution. But they are both
>> still pkgs.
>>
>> Cheers,
>>
>> Matthew
>>
>> [*] At the moment. There are plans to change this so that several pkgs
>> may be built from one port, and also plans to be able to create pkgs
>> from other sources than the ports tree.
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.
>> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
> 5.4.1 does a little to help dispel the idea that pkg & ports are completely
> independent systems (aside from being able to make pkgs from ports, as
> pointed out in 5.2). Specifically where 5.4.1 mentions ports registering new
> software with pkg. Though, this doesn’t do much good for the warning in 5.2,
> as you wouldn’t have read 5.4.1 yet.
>
> I think updating the warning in 5.2 to call out that “pkg audit” has taken
> over the portaudit functionality in 10.x+, and that it works with software
> installed via either mechanism, would go a long way towards getting rid of
> the misconception, or at the very least, not reinforce it.
>
> -Jacob
I have not read this entire thread, but I noticed this on Friday and started working on a patch.

Thanks!
-jgh

_______________________________________________
freebsd-doc@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-doc
To unsubscribe, send any mail to "freebsd-doc-unsubscr...@freebsd.org"
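Matthew's advice in the quoted reply (run `pkg audit -F` at intervals and set `daily_status_security_pkgaudit_enable="YES"` in /etc/periodic.conf), written up as an added shell example that is not code from the thread. It assumes a FreeBSD host with pkg(8); the optional periodic.conf path argument is an assumption added so the functions can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example, not from the thread: switch on the nightly pkg audit in an
# idempotent way and run an ad-hoc audit now. Assumes a FreeBSD host with
# pkg(8); the conf path argument defaults to /etc/periodic.conf and can point
# at a scratch file when trying the functions out.
set -eu

PKGAUDIT_KEY="daily_status_security_pkgaudit_enable"

# enable_pkgaudit_periodic [periodic.conf]
# Leaves exactly one line  daily_status_security_pkgaudit_enable="YES"  in the
# file: an existing setting (for example ="NO") is rewritten in place,
# otherwise the line is appended; every other setting is left untouched.
enable_pkgaudit_periodic() {
    conf="${1:-/etc/periodic.conf}"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${PKGAUDIT_KEY}=" "$conf"; then
        tmp="${conf}.tmp.$$"
        sed "s/^${PKGAUDIT_KEY}=.*/${PKGAUDIT_KEY}=\"YES\"/" "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        printf '%s="YES"\n' "$PKGAUDIT_KEY" >> "$conf"
    fi
}

# pkgaudit_enabled [periodic.conf]
# Succeeds (exit 0) only if the nightly audit is switched on; the value is
# accepted with or without surrounding double quotes.
pkgaudit_enabled() {
    conf="${1:-/etc/periodic.conf}"
    [ -f "$conf" ] && grep -q "^${PKGAUDIT_KEY}=\"\{0,1\}YES\"\{0,1\}$" "$conf"
}

# pkg_audit_now
# Fetches a fresh vulnerability database and audits the installed pkgs, which
# covers software installed from ports as well as from the pkg repositories.
# Skips cleanly on hosts without pkg(8) so the file can be sourced anywhere.
pkg_audit_now() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not found; skipping audit" >&2
        return 0
    fi
    pkg audit -F
}
```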