stable branch - ports security updates
Hi everyone,
Could someone help me to clarify how to apply packages security updates and what is the proper way to do it? I know I have to go through ports, as there are no packages for stable, the branch I want to follow. So I got the port tree via Anonymous CVS as explained in the FAQ. From there the script
Code:
/usr/ports/infrastructure/build/out-of-date

Here are examples of the output:
Code:
...
databases/evolution-data-server # -> eggdbus-0.6p1
...
www/firefox-i18n,-fr # mozilla-firefox-3.6.13p3 -> mozilla-firefox-3.6.16
www/mozilla-firefox # 3.6.13p3 -> 3.6.16

Code:
# cd /usr/ports/databases/evolution-data-server
# make FORCE_UPDATE=Yes update

Here is what I did to update Firefox:
Code:
# make FORCE_UPDATE=Yes update
...
Upgrading from mozilla-firefox-3.6.13p3
mozilla-firefox-3.6.13p3->mozilla-firefox-3.6.16 forward dependencies:
| Dependency of firefox-i18n-fr-3.6.13 on mozilla-firefox-3.6.13 doesn't match
NOT MERGING: can't find update for firefox-i18n-fr-3.6.13-> (ok)
Forcing update
mozilla-firefox-3.6.13p3->mozilla-firefox-3.6.16: ok
Read shared items: ok
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
Couldn't find updates for firefox-i18n-fr-3.6.13

My questions are:
- What should I do for evolution-data-server to be correctly linked to eggdbus-0.6p1?
- How come new packages came along while I update? (CUPS for example in the case of Firefox)
- Is there a way to send the output of the out-of-date script to the update process? I tried this
Code:
# pkg_list=$(mktemp)
# /usr/ports/infrastructure/build/out-of-date > $pkg_list
# cd /usr/ports
# SUBDIRLIST=$pkg_list make clean package

- Last question, I wanted to subscribe to the ports-security list, but there is no activity since 2006. Is there a way to be aware of the availability of updates without updating the port tree and running out-of-date?

Many thanks.
Last edited by albator; 10th July 2011 at 07:04 PM.
|
|||
@jggimi
Thanks for answering!
Quote:
Code:
# grep eggdbus /usr/ports/databases/evolution-data-server/Makefile
devel/eggdbus

Code:
# pkg_list=$(mktemp)
# /usr/ports/infrastructure/build/out-of-date > $pkg_list
# cd /usr/ports
# SUBDIRLIST=$pkg_list make clean package

I then updated this way
Code:
# export PKG_PATH=/usr/ports/packages/`uname -m`/all
# pkg_add -ui -F update -F updatedepends

Code:
# /usr/ports/infrastructure/build/out-of-date
databases/evolution-data-server # -> eggdbus-0.6p1
devel/libgdata # -> eggdbus-0.6p1
multimedia/gstreamer-0.10/plugins-good,-main # -> eggdbus-0.6p1
x11/gnome/libgnome # -> popt-1.7p1
x11/gnome/libgweather # -> dbus-glib-0.92v0
|
||||
Quote:
As I said before, if you want to force the building of a port, you are likely to find "make package" more effective than "make update" -- there is nothing in your dependency chain nor in this unchanged Makefile that will force a rebuild.
Quote:
Quote:
To understand what gets installed in order to build, use "make print-build-depends" and compare that to "make print-run-depends". I had attempted to copy/paste some console output, but it's not working for me from this particular browser. But you will see for yourself when you run make with those targets.
Last edited by jggimi; 13th July 2011 at 02:33 PM.
|
|||
Quote:
And I'll do a samba share and buy a printer to avoid wasting disk space
Quote:
Code:
env FORCE_UPDATE=yes make package
export PKG_PATH=/usr/ports/packages/amd64/all/
pkg_add -r evolution-data-server

Was the package not built with the new version of eggdbus, previously installed?
|
|||
Quote:
Code:
$ pkg_info | grep eggdbus
eggdbus-0.6p1 D-Bus binding for GObject

Thanks again
|
|||
I deinstalled vinagre (which was the reason for all this) and all its dependencies and did the same for the outdated packages and eggdbus.
I used all the make clean possible and installed vinagre from ports. After this, out-of-date, still points out the same packages. I guess the script is somehow mistaken... the output shows the last version of eggdbus:
Code:
===> Extracting for eggdbus-0.6p1
===> Patching for eggdbus-0.6p1
===> Configuring for eggdbus-0.6p1
|
|||
As I haven't many answers, apart from jggimi (thank you to you), should I conclude that most people run current instead of stable?
Or maybe those who do run stable don't update packages?
|
|||
Quote:
http://www.daemonforums.org/showthread.php?t=3518
|
|||
@ocicat Thank you for the link.
This sounds a bit strange to use a security focused system and not to bother applying security patches then. That's what people running release do. The other thing I wonder is if the stable branch gets ports security fixes as soon as there is a security hole and if all ports get a fix. On OpenBSD site, you are encouraged to start with release and apply patches. If the way to update the system is documented in depth, there isn't much about ports. The mailing list ports-security is dormant and there is no mention of the out-of-date script. So even if I am willing to update ports, I don't know the right way to do it. I asked on the misc mailing list, but no answer yet... I guess it is because OpenBSD only has a small community of developers and users, which is a shame, it is a very nice project.
|
||||
I ran -stable for 2 or 3 years on my production platforms. At that time, -stable packages were being built and deployed on the project's mirrors. I moved to -current around 3.8 or 3.9. I'd had a bug requiring active cooperation with a developer. Once the problem was resolved, I stayed -current on production.
Some time after my transition, the project ceased backporting -stable ports or building -stable packages, due to the workload required. Things stayed that way for several years; it is a small project with limited resources.
---
As I've stated above, "make update" is the wrong target. You may find make package (or make repackage) followed by make update will be more effective than a make update alone. The latter does not build ports, it is a package installation directive only, as is FORCE_UPDATE, per bsd.port.mk(5):
Code:
update Update an existing installation to a newer package: scan the installation for a package with the same FULLPKGPATH, and update it using `pkg_add -r' if a newer package is available. In multi-packages ports, all relevant packages are updated. See UPDATE_COOKIES_DIR and FORCE_UPDATE as well.
|
||||
Quote:
I started off using -release at home, then moved to -stable. After a bit, I ran into a bug that I discovered had already been fixed in -current, so I upgraded. Around that time I switched my Linux desktop at work for OpenBSD-current, and I never looked back.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
|
|||
@jggimi
Quote:
Code:
# cd /usr/ports
# cvs up -rOPENBSD_4_9 -Pd
# make index
# pkg_list=$(mktemp)
# /usr/ports/infrastructure/build/out-of-date |tee $pkg_list
# SUBDIRLIST=$pkg_list make clean package
# export PKG_PATH=/usr/ports/packages/`uname -m`/all
# pkg_add -ui -F update -F updatedepends

I know it was possible to update third party applications in stable with packages in the past. But as it is not supported anymore, I guess even if some updates make their way through ports, stable is not supposed to have proper fixes for these and this is why there is no documentation about it. I might consider running current then. Thank you all for your answers.
Last edited by albator; 9th August 2011 at 04:57 PM.
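As an added illustration (not part of the original posts): a small POSIX shell filter over the out-of-date output format quoted in this thread. It separates entries that show an old -> new pair from entries with an empty left-hand side, which are the ones that kept reappearing above. The function names and the sample input, assembled from lines quoted in the thread, are constructed for this example.

```shell
#!/bin/sh
# Added example: split out-of-date output by the shape of each line.
# Line format assumed from the lines quoted in this thread:
#   pkgpath # old -> new     (an old/new pair is shown)
#   pkgpath # -> item        (left-hand side is empty)

# Emit tab-separated records: kind, pkgpath, then old/new or the item.
classify_out_of_date() {
    awk '
        $2 != "#"  { next }   # skip "..." and anything that is not an entry
        $3 == "->" { printf "empty-lhs\t%s\t%s\n", $1, $4; next }
        $4 == "->" { printf "changed\t%s\t%s\t%s\n", $1, $3, $5 }
    '
}

# Pkgpaths with an old -> new pair: review and rebuild these first.
changed_paths() {
    classify_out_of_date | awk -F '\t' '$1 == "changed" { print $2 }' | sort -u
}

# Pkgpaths whose entry has no old value on the left-hand side.
empty_lhs_paths() {
    classify_out_of_date | awk -F '\t' '$1 == "empty-lhs" { print $2 }' | sort -u
}

# Constructed sample input, assembled from lines quoted in the thread.
sample_out_of_date() {
    cat <<'EOF'
...
databases/evolution-data-server # -> eggdbus-0.6p1
devel/libgdata # -> eggdbus-0.6p1
...
www/firefox-i18n,-fr # mozilla-firefox-3.6.13p3 -> mozilla-firefox-3.6.16
www/mozilla-firefox # 3.6.13p3 -> 3.6.16
EOF
}

# On a real system the input would come from the script itself, e.g.
#   /usr/ports/infrastructure/build/out-of-date | changed_paths > "$pkg_list"
sample_out_of_date | classify_out_of_date
```

Keeping the two groups apart makes it easier to see which rebuilds actually bring in a newer version and which entries are still listed after a rebuild.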
|
|||
Quote:
I guess it is safer to run current then.
|
|||
Quote:
Quote:
Quote:
As a final comment, posting your question on misc@ may not have been seen by the developers most involved in the packages/ports management. That, or given that work at this moment is focused on finalizing OpenBSD 5.0, this was not a matter of highest importance. I can only guess. Yet, if you were really interested in resolving your situation, I would suggest sending mail to espie@.
|
||||
Quote:
Quote:
Quote:
Quote:
Anyway thank you again for your advice! By the way, are you the one who gave me the name of port guard? :-)
Edit: just found out that it is a rank related to the number of posts and not to their subject
Last edited by albator; 16th August 2011 at 11:37 PM.
|
|||
Quote:
Much of what you are surmising about -stable may be correct, but contacting the project developers serves two purposes:
|
|
|||
Quote:
Que sera sera
Last edited by albator; 19th August 2011 at 05:34 PM.
|
|||
Quote:
Code:
-a Delete unused dependencies (packages that are not needed by anything tagged as installed manually). Can be used without pkgnames.
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.