FreeBSD Security Survey

Paul Allen nospam at
Sun May 21 23:17:24 PDT 2006

>From Scott Long <scottl at>, Sun, May 21, 2006 at 11:44:27PM -0600:
> I share this frustration with you.  I was once told that the pain in
> upgrading is due largely to a somewhat invisible difference between
> installing a pre-compiled package, and building+installing a port.  In
> theory, if you stick to one method or the other, things will stay mostly
> consistent.  But if you mix them, and particularly if you update the
> ports tree in the process, the end result is a bit more undefined.  One
> thing that I wish for is that the ports tree would branch for releases,
> and that those branches would get security updates.  I know that this
> would involve an exponentially larger amount of effort from the ports
> team, and I don't fault them for not doing it.  Still, it would be nice
> to have.

Huh? Really.  What you say makes a certain amount of sense when pkg_add 
is used, but I haven't seen much evidence for problems with mixing ports
and packages via portupgrade -P.

The trouble comes not with packages but in the conflicting information between
/var/db/pkg/ and the ports themselves.  The former does not merely contain a 
stale version of the port dependency and origin information; it contains
many snapshots of small slices of many different port dependency graphs (as the
port tree evolves).

Consistently using portupgade -rR, portinstall helps keep this under control
but each pkg_add or make install in a port directory causes drift.  Given
that portupgrade is an optional tool and the handbook suggests the other form...
well you see the trouble.

But the situation is worse than this because of the manual interventions 
necessary to fixup the portsdb.  These fixups easily create dependency graphs 
that never existed anywhere else before.  Most often this happens because of
ports being renamed, deleted, combined, etc--the trouble here is that the ports
tree reveals no history about these actions.

It is left to a program like portupgrade to heuristically guess!?! what has 
taken place.  Now if you go through this process every week (every day?) usually
the risk is small and it is obvious what to do, but this is not always so.

Some speculation:  I've always thought portupgrade did the Wrong Thing(tm) by
consulting the dependency graph in /var/db.   Better to merely learn which
packages were installed and then exclusively use the port information...
Maybe someone knows why that would be the wrong thing to do?


More information about the freebsd-stable mailing list