I recently tried FreeBSD’s pkgng, based on Ivan Voras’ blog post. Days after getting the new machine set up, though, I got this in my daily status mail:
Checking for packages with security vulnerabilities:
Database fetched: Fri Aug 3 03:02:57 EDT 2012
apache-2.2.22_5 is vulnerable:
Apache -- Insecure LD_LIBRARY_PATH handling
WWW: http://portaudit.FreeBSD.org/de2bc01f-dc44-11e1-9f4d-002354ed89bc.html
php5-5.4.4 is vulnerable:
php -- potential overflow in _php_stream_scandir
WWW: http://portaudit.FreeBSD.org/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html
Where did this come from? A bit of poking around my system leads me to /usr/local/etc/periodic/security/410.pkg-audit. So, where did that file come from? pkgng includes an equivalent to the old pkg_info -W:
$ pkg which /usr/local/etc/periodic/security/410.pkg-audit
/usr/local/etc/periodic/security/410.pkg-audit was installed by package pkg-1.0.r4
pkgng gives you an audit of your packages in the daily mail. Excellent. It’s a DragonFly feature that I really like, and long overdue in FreeBSD.
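As an added example (not from the original post), here is a small Python parser for the audit section of that daily mail, so the vulnerable packages and their advisory URLs can be tracked rather than read by eye. It goes slightly beyond the mail above: leading whitespace is stripped, and a package that lists several advisories is handled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the 410.pkg-audit section quoted in the post.
SAMPLE_MAIL = """\
Checking for packages with security vulnerabilities:
Database fetched: Fri Aug 3 03:02:57 EDT 2012
apache-2.2.22_5 is vulnerable:
Apache -- Insecure LD_LIBRARY_PATH handling
WWW: http://portaudit.FreeBSD.org/de2bc01f-dc44-11e1-9f4d-002354ed89bc.html
php5-5.4.4 is vulnerable:
php -- potential overflow in _php_stream_scandir
WWW: http://portaudit.FreeBSD.org/bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89.html
"""

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")

@dataclass
class VulnerablePackage:
    name: str                      # port name, e.g. "apache"
    version: str                   # installed version, e.g. "2.2.22_5"
    advisories: list = field(default_factory=list)  # (title, url) pairs

def split_pkg(pkgname):
    """'apache-2.2.22_5' -> ('apache', '2.2.22_5'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def parse_audit(text):
    """Parse the audit section into VulnerablePackage records.

    Each advisory is a title line followed by a 'WWW:' line; a package may
    list several advisories. Leading whitespace is ignored.
    """
    packages, current, title = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            current = VulnerablePackage(*split_pkg(m.group(1)))
            packages.append(current)
            title = None
        elif line.startswith("WWW:") and current is not None:
            current.advisories.append((title or "", line[4:].strip()))
            title = None
        elif current is not None and line:
            title = line          # remember the advisory title for the next WWW: line
    return packages
```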
So, how to upgrade the insecure ports? Unfortunately, I've had to build apache from source. I can't use packages. That means I need to build the new version from ports. I get the updated ports tree with:
# portsnap fetch extract
I like to use portmaster for managing my ports. I’m told it works with pkgng. Let’s find out. First, tell ports that we’re running under pkgng by setting a variable in /etc/make.conf:
WITH_PKGNG=yes
Now install portmaster:
# cd /usr/ports/ports-mgmt/portmaster
# make all install clean
But portmaster doesn’t seem to work with pkgng:
$ portmaster -L
===>>> Root ports (No dependencies, not depended on)
===>>> 0 root ports
===>>> Trunk ports (No dependencies, are depended on)
===>>> 0 trunk ports
===>>> Branch ports (Have dependencies, are depended on)
===>>> 0 branch ports
===>>> Leaf ports (Have dependencies, not depended on)
===>>> 0 leaf ports
===>>> 0 total installed ports
===>>> There are no new versions available
A bit of research shows that portmaster needs to be patched before it works with pkgng. (Portmaster has a large install base, the portmaster maintainer is very careful about not messing up existing users, and pkgng is still very young. I’m confident that portmaster will work with pkgng by the time pkgng becomes the default.) You can get the patch on github.
Now build portmaster with the patch.
# cd /usr/ports/ports-mgmt/portmaster/
# make patch
# cd work/portmaster-3.13.13
# patch < $HOME/patch-portmaster-pkgng
# cd ..
# cd ..
# make all install
I keep the patch in my home directory, because any time I want to rebuild portmaster I must reapply the patch. And if the patch fails, I must check for a new patch.
Try the new portmaster:
# portmaster -L
===>>> Root ports (No dependencies, not depended on)
===>>> pkg-1.0.r4
===>>> New version available: pkg-1.0.r5_1
===>>> portmaster-3.13.13
...
Much better.
I’ll start by upgrading pkgng itself, then my other ports. I use:
# portmaster -d --no-confirm pkg
Use whatever portmaster options you prefer, of course. With the pkgng patch, portmaster seems to behave exactly as you'd expect. But the only way we'll know for sure is if you test pkgng in your environment and file bug reports with the appropriate maintainer.