Re: portaudit question.....

From: Alex Zbyslaw (xfb52_at_dial.pipex.com)
Date: 09/29/05

    Date: Thu, 29 Sep 2005 10:55:41 +0100
    To: Wright Jim Contractor 14MDSS/SGSI <jim.wright.ctr@columbus.af.mil>
    
    

    Wright Jim Contractor 14MDSS/SGSI wrote:

    >I guess my question is this.
    >
    >How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
    >version??
    >
    >Or am I missing the concept altogether ?
    >
    >( I understand the process of downloading this latest version and installing
    >it manually. Just trying to understand and use the FreeBSD tools )
    >
    >
    >
    IMHO, the messages from portaudit are misleadingly worded. Portaudit is
    correct that some of the software you installed has *some kind* of
    security vulnerability. But everything else it says is potentially
    misleading.

    1) There may be no upgrade available yet. For there to be an upgrade
    the original code has to be fixed; in your example by the Mozilla team.
    Then, whoever is maintaining the port has to go through the work of
    fixing the new code to work on FreeBSD. For a few simple bug fixes,
    that may not be too hard, but it still has to be done. How long all this
    takes will vary from port to port. Mozilla is generally quite quick,
    from my experience, but xloadimage hung around for ages, not long ago.

    2) The advice that you should either upgrade or de-install is
    unnecessarily authoritarian and frightening. De-installing may not be
    an option, and the actual bug may have zero effect on your environment.
    And the presence of a bug does not indicate the presence of an exploit.
    If you are worried about a particular package then follow up the links
    portaudit provides and make up your mind what to do.

    However, the fact that you have so many packages reporting problems
    says that either you are doing something wrong or not checking often enough.

    1) cvsup your ports tree
    2) either make fetchindex in /usr/ports and run portsdb -u, or run
    portsdb -Uu (slower but more accurate)
    3) run pkg_version -L= to see what needs upgrading
    4) use portupgrade to upgrade on a schedule that suits. That might be
    daily or monthly depending on your environment. Remember to read
    /usr/ports/UPDATING *before* doing any upgrades.

    All of that except the upgrading can be automated safely to run at 3am,
    or any other quiet time you might have.
    --Alex
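
An added example, not part of the original message: a small triage function for the nightly job described above, which cross-references portaudit findings with `pkg_version -L=` output to separate packages the ports tree can already upgrade from those still waiting for a fix. The function names, the FIXABLE/WAITING labels and the sample data are constructed for illustration, and the two input formats are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the original message). Splits portaudit findings into
# packages the ports tree can already upgrade and packages still awaiting a fix.
# Assumed formats: portaudit prints "Affected package: name-version";
# pkg_version -L= prints "name <" when the installed version is older than the port.
# On a real host: portaudit -a > audit; pkg_version -L= > versions

# triage AUDIT_FILE VERSIONS_FILE -> "FIXABLE|WAITING name-version" per finding
triage() {
    awk -v vfile="$2" '
        BEGIN {
            # Collect names that pkg_version marked "<" (upgrade available).
            while ((getline line < vfile) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[2] == "<") outdated[f[1]] = 1
            }
        }
        /^Affected package: / {
            pkg = $3
            name = pkg
            sub(/-[^-]*$/, "", name)    # drop the trailing "-version"
            state = (name in outdated) ? "FIXABLE" : "WAITING"
            print state, pkg
        }
    ' "$1"
}

# Constructed sample input; the versions shown are illustrative only.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/audit" <<'EOF'
Affected package: mozilla-1.7.11_1,2
Type of problem: mozilla -- constructed sample entry.

Affected package: xloadimage-4.1.10
Type of problem: xloadimage -- constructed sample entry.
EOF
    cat > "$dir/versions" <<'EOF'
mozilla                             <
bash                                <
EOF
    triage "$dir/audit" "$dir/versions"
    rm -rf "$dir"
}

demo
```
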
