Re: None of "man freebsd-base" (or "man pkgbase"), "man pkg-upgrade", or "man pkg-install" deal with documenting .pkgsave and/or .pkgnew behavior or how to handle such

From: Roger Marquis <marquis_at_roble.com>
Date: Tue, 30 Jun 2026 17:48:33 UTC
On Tue, 30 Jun 2026, Alexander Ziaee wrote:
>> the *.pkgnew and *.pkgsave files as they seem a bit less intuitive
>> than on the other platforms. For some it may be natural to go looking
>> for these leftover telltales but they may represent important but
>> neglected potential time-bombs for the less familiar.
>
> OpenVMS and Linux do create these files. OpenVMS increments the version
> (;2 or ;3) or drops a TEMPLATE file. Linux uses .dpkg-dist and .dpkg-old
> or .rpmnew and .rpmsave. However, it is a not a ticking time bomb, so
> they do not tell you and you have not noticed.

Any CVE-related .pkgsave is a ticking time bomb in so far as it
unnecessarily increases the OS' attack surface.  These files are not
only easy to find but in the path (shell and lib).

This is the similar to the installation and preservation of unused but
vulnerable kernel modules (Linux' Dirty Frag et al: CVE-2026-43284,
CVE-2026-43500, ...).

IMO any Ops, SecOps or DevSecOps worth their salary will detect and
encrypt or remove these files from their systems.

Roger Marquis