DaemonForums  

  #1   (View Single Post)  
Old 10th July 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default stable branch - ports security updates

Hi everyone,

Could someone help me to clarify how to apply package security updates and what is the proper way to do it?

I know I have to go through ports, as there are no packages for stable, the branch I want to follow.

So I got the port tree via Anonymous CVS as explained in the FAQ.

From there the script
Code:
/usr/ports/infrastructure/build/out-of-date
gave me the list of what needed to be updated.

Here are examples of the output :
Code:
...
databases/evolution-data-server #  -> eggdbus-0.6p1
...
www/firefox-i18n,-fr           # mozilla-firefox-3.6.13p3 -> mozilla-firefox-3.6.16
www/mozilla-firefox            # 3.6.13p3 -> 3.6.16
I updated evolution-data-server this way
Code:
# cd /usr/ports/databases/evolution-data-server
# make FORCE_UPDATE=Yes update
Once the build was over, running the out-of-date script still shows evolution as a candidate for an update even though eggdbus had been updated.

Here is what I did to update Firefox :
Code:
# make FORCE_UPDATE=Yes update
...
Upgrading from mozilla-firefox-3.6.13p3
mozilla-firefox-3.6.13p3->mozilla-firefox-3.6.16 forward dependencies:
| Dependency of firefox-i18n-fr-3.6.13 on mozilla-firefox-3.6.13 doesn't match
NOT MERGING: can't find update for firefox-i18n-fr-3.6.13-> (ok)
Forcing update
mozilla-firefox-3.6.13p3->mozilla-firefox-3.6.16: ok                           
Read shared items: ok                                                          
Look in /usr/local/share/doc/pkg-readmes for extra documentation.              
Couldn't find updates for firefox-i18n-fr-3.6.13
It seems that firefox-i18n was not updated in the port tree so building it fails. So I downloaded the language pack directly from Firefox Modules.

My questions are :

- What should I do for evolution-data-server to be correctly linked to eggdbus-0.6p1 ?

- How come new packages came along while I update ? (CUPS for example in the case of Firefox)

- Is there a way to send the output of the out-of-date script to the update process ?

I tried this

Code:
# pkg_list=$(mktemp)
# /usr/ports/infrastructure/build/out-of-date > $pkg_list
# cd /usr/ports
# SUBDIRLIST=$pkg_list make clean package
but it ended up installing packages (instead of only building them) even some I hadn't before (qt3, mysql...) and seemed to continue endlessly.


- Last question, I wanted to subscribe to the ports-security list, but there is no activity since 2006. Is there a way to be aware of the availability of updates without updating the port tree and running out-of-date ?

Many thanks.

Last edited by albator; 10th July 2011 at 07:04 PM.
Reply With Quote
  #2   (View Single Post)  
Old 11th July 2011
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by albator View Post
# make FORCE_UPDATE=Yes update
I've never used make update when updating anything, because that's used for bulk updates, and either I'm doing fresh builds of select ports, or, I want to control what ports get updated. For both changed ports and unchanged ports with updated dependent libraries, I typically use make package followed by pkg_add -ir.

If I am building a group of packages, I complete all the package builds and follow with pkg_add -iu.

Is this best practice? I'm unsure. It works for me.
Quote:
- What should I do for evolution-data-server to be correctly linked to eggdbus-0.6p1 ?
I'm going to guess: evolution-data-server was NOT rebuilt. That port had no update, and your make found a matching package at your $PKG_PATH, and skipped the build. It's just a guess, of course.
Quote:
- How come new packages came along while I update ? (CUPS for example in the case of Firefox)
New versions of software may have new dependencies, but more likely, CUPS is a build dependency, but not a run dependency.
Quote:
- Is there a way to send the output of the out-of-date script to the update process ?
Yes. You can edit the output to look like one of the SUBDIR Makefiles in any of the ports tree branches, such as /usr/ports/databases/Makefile

Last edited by jggimi; 11th July 2011 at 06:18 PM.
Reply With Quote
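Added example (not part of any post in this thread): a POSIX sh filter for the out-of-date output quoted above. It separates entries that show a version change left of the arrow from entries that list only a dependency name, and prints bare pkgpaths of the kind passed via SUBDIRLIST; the function names are hypothetical and the sample input is copied from the quoted output.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Input format is the out-of-date output quoted in the posts above:
#   <pkgpath> # <old> -> <new>

# Sample input: lines copied from the output quoted in the thread.
sample_out_of_date() {
cat <<'EOF'
...
databases/evolution-data-server #  -> eggdbus-0.6p1
www/firefox-i18n,-fr           # mozilla-firefox-3.6.13p3 -> mozilla-firefox-3.6.16
www/mozilla-firefox            # 3.6.13p3 -> 3.6.16
devel/libgdata                 #  -> eggdbus-0.6p1
x11/gnome/libgnome             #  -> popt-1.7p1
EOF
}

# classify: one tab-separated record per entry: kind, pkgpath, old, new.
# kind is "version" when something stands left of "->", else "dep".
classify() {
    awk '
    index($0, "#") == 0 { next }          # skip "..." and blank lines
    {
        path  = $1
        rest  = substr($0, index($0, "#") + 1)
        arrow = index(rest, "->")
        if (arrow == 0) next
        oldv = substr(rest, 1, arrow - 1)
        newv = substr(rest, arrow + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", oldv)
        gsub(/^[ \t]+|[ \t]+$/, "", newv)
        kind = (oldv == "") ? "dep" : "version"
        printf "%s\t%s\t%s\t%s\n", kind, path, oldv, newv
    }'
}

# pkgpaths_for KIND: bare pkgpaths (flavor/subpackage kept), no duplicates.
pkgpaths_for() {
    classify | awk -F'\t' -v kind="$1" '$1 == kind && !seen[$2]++ { print $2 }'
}

# dep_report: which dependency each "dep" entry was flagged for.
dep_report() {
    classify | awk -F'\t' '$1 == "dep" { printf "%s flagged for %s\n", $2, $4 }'
}

# Demo: write the version-change entries to a list file, report the rest.
list=$(mktemp)
sample_out_of_date | pkgpaths_for version > "$list"
echo "pkgpaths with a version change:"; cat "$list"
echo "flagged for a dependency only:"; sample_out_of_date | dep_report
rm -f "$list"
```

On a real system, pipe /usr/ports/infrastructure/build/out-of-date into these functions in place of sample_out_of_date.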
  #3   (View Single Post)  
Old 12th July 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

@jggimi
Thanks for answering !

Quote:
I'm going to guess: evolution-data-server was NOT rebuilt. That port had no update, and your make found a matching package at your $PKG_PATH, and skipped the build. It's just a guess, of course.
There was an update for eggdbus, isn't it enough for evolution to be rebuilt ?
Code:
# grep eggdbus /usr/ports/databases/evolution-data-server/Makefile
devel/eggdbus
I finally went this way :
Code:
# pkg_list=$(mktemp)
# /usr/ports/infrastructure/build/out-of-date > $pkg_list
# cd /usr/ports
# SUBDIRLIST=$pkg_list make clean package
but again, I don't understand why packages got installed and not only created in /usr/ports/packages/amd64/all
I then updated this way
Code:
# export PKG_PATH=/usr/ports/packages/`uname -m`/all
# pkg_add -ui -F update -F updatedepends
At the end here is the result :

Code:
# /usr/ports/infrastructure/build/out-of-date
databases/evolution-data-server #  -> eggdbus-0.6p1
devel/libgdata                 #  -> eggdbus-0.6p1
multimedia/gstreamer-0.10/plugins-good,-main #  -> eggdbus-0.6p1
x11/gnome/libgnome             #  -> popt-1.7p1
x11/gnome/libgweather          #  -> dbus-glib-0.92v0
And I got CUPS, Samba and a lot of packages I didn't want to install :'(
Reply With Quote
  #4   (View Single Post)  
Old 12th July 2011
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by albator View Post
There was an update for eggdbus, isn't it enough for evolution to be rebuilt ?
No, you must manually build if you want to bring it up to date. There is no forced update, because the Makefile doesn't require it. Look in /usr/ports/databases/evolution-data-server/Makefile. You will find devel/eggdbus is one of 7 LIB_DEPENDS, and it does not have a minimum version or patch level -- only one library has a minimum version requirement.

As I said before, if you want to force the building of a port, you are likely to find "make package" more effective than "make update" -- there is nothing in your dependency chain nor in this unchanged Makefile that will force a rebuild.
Quote:
I don't understand why packages got installed and not only created in /usr/ports/packages/amd64/all
Build dependencies are required to be installed and operational in order to build the port in question.
Quote:
And I got CUPS, Samba and a lot of packages I didn't want to install :'(
Yes, because the dependency chains can be quite long, and build dependencies are usually much larger than run dependencies. You are building, you are no longer installing pre-built packages built by someone else.


To understand what gets installed in order to build, use "make print-build-depends" and compare that to "make print-run-depends". I had attempted to copy/paste some console output, but it's not working for me from this particular browser. But you will see for yourself when you run make with those targets.

Last edited by jggimi; 13th July 2011 at 02:33 PM.
Reply With Quote
  #5   (View Single Post)  
Old 13th July 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

Quote:
To understand what gets installed in order to build, use "make print-build-depends" and compare that to "make print-run-depends". I had attempted to copy/paste some console output, but it's not working for me from this particular browser. But you will see for yourself when you run make with those targets.
Thanks, it is much clearer now. A shame there is no option to delete the build dependencies, once the final package is created. But I guess I won't have to build them again next time I update the same packages. (well, if they don't need to be updated themselves)

And I'll do a samba share and buy a printer to avoid wasting disk space

Quote:
As I said before, if you want to force the building of a port, you are likely to find "make package" more effective than "make update" -- there is nothing in your dependency chain nor in this unchanged Makefile that will force a rebuild.
I forced the rebuild :
Code:
env FORCE_UPDATE=yes make package
export PKG_PATH=/usr/ports/packages/amd64/all/
pkg_add -r evolution-data-server
But /usr/ports/infrastructure/build/out-of-date keeps telling me that my evolution-data-server port is outdated because of eggdbus.
Was the package not built with the new version of eggdbus, previously installed ?
Reply With Quote
  #6   (View Single Post)  
Old 13th July 2011
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by albator View Post
Was the package not built with the new version of eggdbus, previously installed ?
Only you will know.

$ pkg_info | grep eggdbus

You may find script(1) helpful when you are trying to determine what has happened.
Reply With Quote
  #7   (View Single Post)  
Old 13th July 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

Quote:
Only you will know.

$ pkg_info | grep eggdbus

You may find script(1) helpful when you are trying to determine what has happened.
As I said, I updated eggdbus before.
Code:
$ pkg_info | grep eggdbus
eggdbus-0.6p1       D-Bus binding for GObject
Ok I'll run the update process again with script to see what's happening.
Thanks again
Reply With Quote
  #8   (View Single Post)  
Old 16th July 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

I deinstalled vinagre (which was the reason for all this) and all its dependencies and did the same for the outdated packages and eggdbus.
I used all the make clean possible and installed vinagre from ports.
After this, out-of-date still points out the same packages. I guess the script is somehow mistaken...

The output shows the last version of eggdbus :
Code:
===>  Extracting for eggdbus-0.6p1
===>  Patching for eggdbus-0.6p1
===>  Configuring for eggdbus-0.6p1
Reply With Quote
  #9   (View Single Post)  
Old 8th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

As I haven't many answers, apart from jggimi (thank you to you), should I conclude that most people run current instead of stable ?

Or maybe those who do run stable don't update packages ?
Reply With Quote
Old 8th August 2011
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by albator View Post
...should I conclude that most people run current instead of stable ?
This is a small community of users, enthusiasts, & no project developers. A poll was taken a few years ago, & the results were bimodal. Most here either use -release or -current:

http://www.daemonforums.org/showthread.php?t=3518
Reply With Quote
Old 9th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

@ocicat Thank you for the link.

This sounds a bit strange to use a security focused system and not to bother applying security patches then. That's what people running release do.

The other thing I wonder is if the stable branch gets ports security fixes as soon as there is a security hole and if all ports get a fix.

On OpenBSD site, you are encouraged to start with release and apply patches.
If the way to update the system is documented in depth, there isn't much about ports. The mailing list ports-security is dormant and there is no mention of the out-of-date script.

So even if I am willing to update ports, I don't know the right way to do it.
I asked on the misc mailing list, but no answer yet...

I guess it is because OpenBSD only has a small community of developers and users which is a shame, it is a very nice project.
Reply With Quote
Old 9th August 2011
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I ran -stable for 2 or 3 years on my production platforms. At that time, -stable packages were being built and deployed on the project's mirrors. I moved to -current around 3.8 or 3.9. I'd had a bug requiring active cooperation with a developer. Once the problem was resolved, I stayed -current on production.

Some time after my transition, the project ceased backporting -stable ports or building -stable packages, due to the workload required. Things stayed that way for several years; it is a small project with limited resources.

---

As I've stated above, "make update" is the wrong target. You may find make package (or make repackage) followed by make update will be more effective than a make update alone. The latter does not build ports, it is a package installation directive only, as is FORCE_UPDATE, per bsd.port.mk(5):
Code:
     update        Update an existing installation to a newer package: scan
                   the installation for a package with the same FULLPKGPATH,
                   and update it using `pkg_add -r' if a newer package is
                   available.  In multi-packages ports, all relevant packages
                   are updated.  See UPDATE_COOKIES_DIR and FORCE_UPDATE as
                   well.
Reply With Quote
Old 9th August 2011
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by albator View Post
This sounds a bit strange to use a security focused system and not to bother applying security patches then.
Those of us running -current get security patches the quickest

I started off using -release at home, then moved to -stable. After a bit, I ran into a bug that I discovered had already been fixed in -current, so I upgraded. Around that time I switched my Linux desktop at work for OpenBSD-current, and I never looked back.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
Old 9th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

@jggimi
Quote:
As I've stated above, "make update" is the wrong target.
In fact, here is what I did most of the time after updating the ports tree :
Code:
# cd /usr/ports 
# cvs up -rOPENBSD_4_9 -Pd 
# make index 
# pkg_list=$(mktemp) 
# /usr/ports/infrastructure/build/out-of-date |tee $pkg_list 
# SUBDIRLIST=$pkg_list make clean package 
# export PKG_PATH=/usr/ports/packages/`uname -m`/all 
# pkg_add -ui -F update -F updatedepends
And out-of-date was still complaining whatever I tried next.

I know it was possible to update third party applications in stable with packages in the past. But as it is not supported anymore, I guess even if some updates make their way through ports, stable is not supposed to have proper fixes for these and this is why there is no documentation about it.

I might consider running current then.

Thank you all for your answers.

Last edited by albator; 9th August 2011 at 04:57 PM.
Reply With Quote
Old 16th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

Quote:
Originally Posted by ocicat View Post
This is a small community of users, enthusiasts, & no project developers. A poll was taken a few years ago, & the results were bimodal. Most here either use -release or -current:

http://www.daemonforums.org/showthread.php?t=3518
It looks like you are right ! 30 answers to the poll, OpenBSD gathers only a few people. This is a shame, and as I said before it must be the reason why there is not enough manpower to have stable updates for applications.

I guess it is safer to run current then.
Reply With Quote
Old 16th August 2011
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by albator View Post
It looks like you are right ! 30 answers to the poll, OpenBSD gathers only a few people.
Again, this site is not officially affiliated with the project proper. The results of the poll are only indicative of this community at the time the poll was taken. I also would not say that the results seen here are necessarily representative of the entire OpenBSD community. Statistics like that are not maintained officially or unofficially.
Quote:
This is a shame, and as I said before it must be the reason why there is not enough manpower to have stable updates for applications.
If you really want to explore discussion on the future & importance of -stable branch maintenance, search the official misc@ mailing list archives. Roughly once a year, a long protracted thread can be found on the subject.
Quote:
I guess it is safer to run current then.
It depends upon how you define the word "safer", plus you need to be very clear on the collateral responsibilities you will take upon by running -current. For starters, be very aware of what is stated in Section 5.1 of the FAQ.

As a final comment, posting your question on misc@ may not have been seen by the developers most involved in the packages/ports management. That, or given that work at this moment is focused on finalizing OpenBSD 5.0, this was not a matter of highest importance. I can only guess. Yet, if you were really interested in resolving your situation, I would suggest sending mail to espie@.
Reply With Quote
Old 16th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

Quote:
Originally Posted by ocicat View Post
Again, this site is not officially affiliated with the project proper. The results of the poll are only indicative...
Yes I know, this is not official, but still we should be honest to ourselves, OpenBSD users may not be that many. ;-)

Quote:
Originally Posted by ocicat View Post
If you really want to explore discussion on the future & importance of -stable branch maintenance, search the official misc@ mailing list archives.
I did, and found people in the same situation as the one I am in. It takes a long time to go through these archives. But I'll try again.

Quote:
Originally Posted by ocicat View Post
you need to be very clear on the collateral responsibilities you will take upon by running current. For starters, be very aware of what is stated in Section 5.1 of the FAQ.
This is my new book ! Should I switch to -current I'll read it again.

Quote:
Originally Posted by ocicat View Post
Yet, if you were really interested in resolving your situation, I would suggest sending mail to espie@.
I don't think I'd dare. He might be busy and not willing to answer questions like this one.

Anyway thank you again for your advice!

By the way, are you the one who gave me the name of port guard ? :-)
Edit : just found out that it is a rank related to the number of posts and not to their subject

Last edited by albator; 16th August 2011 at 11:37 PM.
Reply With Quote
Old 16th August 2011
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by albator View Post
I don't think I'd dare. He might be busy and not willing to answer questions like this one.
OpenBSD 5.0 (including ports...) was tagged today, so work on 5.1 is only beginning. Actually, I would think now is a very good time to be contacting espie@.

Much of what you are surmising about -stable may be correct, but contacting the project developers serves two purposes:
  • You might get your situation addressed.
  • Project developers are reminded that there are those who legitimately use -stable.
Moreover, there may be a third issue at bay: creating a package management system which covers a plethora of real world applications is a tough nut to crack. Maybe there is a fundamental flaw which needs to be addressed. If you pursue this further, you may get your problem resolved plus help other users. If you drop the matter & there is a bug, it will not get addressed until someone else makes the same issue known to those that can resolve the problem.
Reply With Quote
Old 18th August 2011
albator albator is offline
Shell Scout
 
Join Date: Jul 2011
Posts: 98
Default

Quote:
Originally Posted by ocicat View Post
OpenBSD 5.0 (including ports...) was tagged today, so work on 5.1 is only beginning. Actually, I would think now is a very good time to be contacting espie@.
I wrote Marc Espie. I'll let you know.

Que sera sera

Last edited by albator; 19th August 2011 at 05:34 PM.
Reply With Quote
Old 21st August 2011
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 136
Default

Quote:
Originally Posted by albator View Post
Thanks, it is much clearer now. A shame there is no option to delete the build dependencies, once the final package is created. But I guess I won't have to build them again next time I update the same packages. (well, if they don't need to be updated themselves)
-current (and I believe 5.0) have pkg_delete -a:
Code:
     -a              Delete unused dependencies (packages that are not needed
                     by anything tagged as installed manually).  Can be used
                     without pkgnames.
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.
Reply With Quote