Ports question ....

Arthur Chance freebsd at qeng-ho.org
Fri Aug 29 07:50:56 UTC 2014

On 28/08/2014 23:31, Mike Clarke wrote:
> On Thursday 28 August 2014 15:16:40 William A. Mahaffey III wrote:
>> I think that is what I am asking .... To be more precise, how often
>> should I check to see if it is updated, weekly, monthly, other ....
>> I guess that is the nub of the question ....
> It's largely down to what's most convenient for you.
> There's a lot to be said for the "If it ain't broke don't mend it"
> philosophy. If everything's working fine on your system and you don't
> need the latest and greatest new feature recently added to one of your
> ports then there's no real need to keep updating them.

Agreed. I have a cron job that updates /usr/ports every week and mails 
me a diff between the previous and latest /usr/ports/UPDATING. If 
there's a security problem shown by pkg audit (see below) or if UPDATING 
shows a new feature I'd like to have, I upgrade, otherwise I tend to 
leave things alone.

> If a port has just been updated to fix some freshly discovered
> security issue then you need to upgrade it ASAP. Running the periodic
> script from ports-mgmt/portaudit is a good way of being kept up to
> date with new vulnerabilities affecting ports installed on your
> system.

If you're using pkgng you don't need to install a port to audit ports, 
the pkg system should be doing it automatically. Look at


This is controlled by the value of daily_status_security_pkgaudit_enable 
in /etc/periodic.conf but defaults to "YES" if not set.

You can just type "pkg audit" at the command line as well. man pkg-audit 
for details.

> There could be a delay before a new version of a vulnerable port is
> available. You can check what the latest revision level of a port is
> by looking it up at <http://www.freshports.org>.
> After running portsnap you can run "pkg version -vIL=" to see a list
> of which ports have version numbers which differ from the latest.

Again, this is dealt with by periodic. The weekly script 400.status-pkg 
(find it in /usr/local/etc/periodic/weekly) will tell you which packages 
are out of date. Enable it by


in /etc/periodic.conf. It'll turn up on Saturdays.

> You need to maintain all your ports in a consistent state, upgrading
> just one port can lead to dependency problems so it's worth using
> ports-mgmt/portmaster after running portsnap, this can upgrade all
> affected ports.

Personally I use poudriere for port building, but I run a very 
customised system so need to build all ports myself.

> If you only upgrade your ports when required by security issues then
> you may find that there are lots of ports with newer versions so, to
> reduce the workload, you might prefer to upgrade rather more
> frequently than waiting until a security issue requires it.

Good advice. If I haven't upgraded in a couple of months, I'll usually 
do an upgrade anyway. There have been times when I've left things for 
longer and then had so many changes that it was easier to delete all 
packages and reinstall. I hope the new solver in pkg makes that less of 
a problem.

> Sometimes you will need to give some ports individual attention before
> running a bulk upgrade. Check for this by seeing if any of your ports
> are mentioned in /usr/ports/UPDATING - you only need to check entries
> dated later than the last time you did an upgrade and take whatever
> action is advised there.
> If you pay attention to /usr/ports/UPDATING then portmaster will
> usually upgrade all affected ports without problems but sometimes you
> come across a situation that it can't handle and you might need to
> deal with the problematic port yourself.

More information about the freebsd-questions mailing list