Issue with Handbook section 5.2

Jason Helfman bsd-src at helfman.org
Mon Dec 8 06:06:12 UTC 2014


> On Dec 7, 2014, at 8:35 PM, Jacob Helwig <jacob at technosorcery.net> wrote:
> 
>> On Dec 7, 2014, at 05:08, Matthew Seaman <matthew at FreeBSD.org> wrote:
>> 
>>> On 07/12/2014 02:58, Jacob Helwig wrote:
>>> In going through the FreeBSD Handbook (as of Sun Dec  7 02:44:11 UTC
>>> 2014), section 5.2 (Overview of Software Installation) mentions using
>>> ports-mgmt/portaudit to check for security issues.  Unfortunately,
>>> portaudit was removed from ports on October 13th[0].
>>> 
>>> The commit that removed it says that “pkg audit” should be used
>>> instead ("portaudit expired when pkg_tools did, use pkg audit”), but
>>> as someone pretty new to FreeBSD, it’s not clear that this would be
>>> appropriate for ports usage.  Is “pkg audit” appropriate?  The
>>> language in the warning section of this Handbook section suggests
>>> that “pkg audit” isn’t appropriate outside of package use.  If “pkg
>>> audit” isn’t appropriate, what should be used instead?
>>> 
>>> -Jacob
>>> 
>>> [0]
>>> https://github.com/freebsd/freebsd-ports/commit/a3523a34bbef563b0b50709f384729fa04bcbb7
>> 
>> pkg audit is certainly the correct tool to use.  You can audit your
>> system for vulnerable packages by running 'pkg audit -F' at intervals.
>> If you add:
>> 
>>  daily_status_security_pkgaudit_enable="YES"
>> 
>> to /etc/periodic.conf then you can have it run automatically each night.
>> 
>> You seem to be suffering from a common misconception that packages and
>> ports are somehow much more distinct than is actually the case.  It is
>> something that clearly we aren't explaining very effectively.
>> 
>> A port is a set of instructions for building a package -- and pkg is the
>> tool for creating and managing packages.  So much so that packages
>> themselves are now referred to as 'pkgs.'  (Partly that was to
>> distinguish them from the old pkg_tools style of packages, but that is
>> generally no longer a consideration. Even so, the usage persists.)  All
>> pkgs are originally built from ports and the result of building a port
>> is a pkg[*].  Even if you're installing pre-built pkgs from the FreeBSD
>> pkg repositories, this is still true.
>> 
>> Pkgs have two states: installed -- with all the files extracted and
>> copied into place in the filesystem -- and as tarballs -- collected into
>> one compressed archive for easy network distribution.  But they are both
>> still pkgs.
>> 
>>    Cheers,
>> 
>>    Matthew
>> 
>> [*] At the moment.  There are plans to change this so that several pkgs
>> may be built from one port, and also plans to be able to create pkgs
>> from other sources than the ports tree.
>> 
>> -- 
>> Dr Matthew J Seaman MA, D.Phil.
>> PGP: http://www.infracaninophile.co.uk/pgpkey
> 
> 
> 5.4.1 does a little to help dispel the idea that pkg & ports are completely independent systems (aside from being able to make pkgs from ports, as pointed out in 5.2).  Specifically where 5.4.1 mentions ports registering new software with pkg.  Though, this doesn’t do much good for the warning in 5.2, as you wouldn’t have read 5.4.1 yet.
> 
> I think updating the warning in 5.2 to call out that “pkg audit” has taken over the portaudit functionality in 10.x+, and that it works with software installed via either mechanism, would go a long way towards getting rid of the misconception, or at the very least, not reinforce it.
> 
> -Jacob

I have not read this entire thread, but I noticed this on Friday and started working on a patch. 

Thanks!
-jgh
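Matthew's reply above gives the two pieces of a pkg-based vulnerability check: a manual `pkg audit -F` run and the `daily_status_security_pkgaudit_enable="YES"` knob in /etc/periodic.conf for the nightly run. The script below is an added example for this archive page, not code from the thread or from the FreeBSD project: it sets that knob idempotently (appending it if absent, rewriting an existing `="NO"` in place, which is what `sysrc -f /etc/periodic.conf ...` would do on a real host) and wraps the one-off audit so its exit status can drive a cron job. The knob name comes from the reply; the function names, the conf-file parameter and the sample file contents are assumptions made for the example. It is POSIX sh; `run_pkg_audit` only does real work on a host that has pkg(8).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: enable the nightly
# pkg audit knob in a periodic.conf file and run a one-off audit.
# The conf path is a parameter so the functions can be exercised on a copy
# rather than on the live /etc/periodic.conf.

# Knob named in Matthew Seaman's reply; periodic(8) reads it nightly.
KNOB="daily_status_security_pkgaudit_enable"

# enable_pkgaudit_knob <conf-file>
# Ensure <conf-file> contains KNOB="YES". An existing assignment (for
# example ="NO") is rewritten in place; otherwise the line is appended.
# A temp file plus mv is used because sed -i differs between BSD and GNU.
enable_pkgaudit_knob() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^[[:space:]]*${KNOB}=" "$conf"; then
        tmp="${conf}.tmp.$$"
        sed "s|^[[:space:]]*${KNOB}=.*|${KNOB}=\"YES\"|" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf '%s="YES"\n' "$KNOB" >> "$conf"
    fi
}

# pkgaudit_knob_value <conf-file>
# Print the knob's current value (YES, NO, or empty if unset). Quotes are
# optional, and the last assignment wins, as in sh-style rc files.
pkgaudit_knob_value() {
    sed -n "s|^[[:space:]]*${KNOB}=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*|\1|p" "$1" \
        | tail -n 1
}

# run_pkg_audit
# Fetch a fresh vulnerability database and audit the installed pkgs.
# pkg audit exits non-zero when it reports vulnerable packages, so the
# return value of this function is usable from cron or a CI step.
# On a host without pkg(8) (e.g. a non-FreeBSD box) return 2 and say so.
run_pkg_audit() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not found; not a FreeBSD pkg host" >&2
        return 2
    fi
    pkg audit -F
}

# Usage on a real host (constructed call, run as root):
#   enable_pkgaudit_knob /etc/periodic.conf && run_pkg_audit
```

Because `enable_pkgaudit_knob` is idempotent, it is safe to run from a configuration-management step on every apply; the nightly periodic(8) job then covers software installed from ports and from the pkg repositories alike, which is the point Jacob asks the Handbook warning to make clear.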