Update documentation since vulnerable packages are not moved to the vulnerable/ directory any longer.
(wiz)
diff -r1.7 -r1.8 pkgsrc/doc/guide/files/bulk.xml
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | <!-- $NetBSD: bulk.xml,v 1.7 2009/10/11 20:50:48 rillig Exp $ --> | 1 | <!-- $NetBSD: bulk.xml,v 1.8 2010/03/18 10:56:18 wiz Exp $ --> | |
2 | 2 | |||
3 | <chapter id="bulk"> | 3 | <chapter id="bulk"> | |
4 | <title>Creating binary packages for everything in pkgsrc (bulk | 4 | <title>Creating binary packages for everything in pkgsrc (bulk | |
5 | builds)</title> | 5 | builds)</title> | |
6 | 6 | |||
7 | <para>When you have multiple machines that should run the same packages, | 7 | <para>When you have multiple machines that should run the same packages, | |
8 | it is wasted time if they all build their packages themselves from | 8 | it is wasted time if they all build their packages themselves from | |
9 | source. There are two ways of getting a set of binary packages: The old | 9 | source. There are two ways of getting a set of binary packages: The old | |
10 | bulk build system, or the new (as of 2007) parallel bulk build (pbulk) | 10 | bulk build system, or the new (as of 2007) parallel bulk build (pbulk) | |
11 | system. This chapter describes how to set them up so that the packages | 11 | system. This chapter describes how to set them up so that the packages | |
12 | are most likely to be usable later.</para> | 12 | are most likely to be usable later.</para> | |
13 | 13 | |||
14 | <sect1 id="bulk.pre"> | 14 | <sect1 id="bulk.pre"> | |
@@ -147,33 +147,32 @@ SKIP_LICENSE_CHECK= yes | @@ -147,33 +147,32 @@ SKIP_LICENSE_CHECK= yes | |||
147 | <listitem><para>Another important variable is | 147 | <listitem><para>Another important variable is | |
148 | <varname>BULK_PREREQ</varname>, which is a list of packages that | 148 | <varname>BULK_PREREQ</varname>, which is a list of packages that | |
149 | should be always available while building other | 149 | should be always available while building other | |
150 | packages.</para></listitem> | 150 | packages.</para></listitem> | |
151 | 151 | |||
152 | </itemizedlist> | 152 | </itemizedlist> | |
153 | 153 | |||
154 | <para>Some other options are scattered in the pkgsrc | 154 | <para>Some other options are scattered in the pkgsrc | |
155 | infrastructure:</para> | 155 | infrastructure:</para> | |
156 | 156 | |||
157 | <itemizedlist> | 157 | <itemizedlist> | |
158 | 158 | |||
159 | <listitem><para><varname>ALLOW_VULNERABLE_PACKAGES</varname> | 159 | <listitem><para><varname>ALLOW_VULNERABLE_PACKAGES</varname> | |
160 | should be set to <literal>yes</literal>. The purpose of the bulk | 160 | should be set to <literal>yes</literal>. The purpose of the | |
161 | builds is creating binary packages, no matter if they are | 161 | bulk builds is creating binary packages, no matter if they | |
162 | vulnerable or not. When uploading the packages to a public | 162 | are vulnerable or not. Leaving this variable unset would | |
163 | server, the vulnerable packages will be put into a directory of | 163 | prevent the bulk build system from even trying to build | |
164 | their own. Leaving this variable unset would prevent the bulk | 164 | them, so possible building errors would not show | |
165 | build system from even trying to build them, so possible | 165 | up.</para></listitem> | |
166 | building errors would not show up.</para></listitem> | |||
167 | 166 | |||
168 | <listitem><para><varname>CHECK_FILES</varname> | 167 | <listitem><para><varname>CHECK_FILES</varname> | |
169 | (<filename>pkgsrc/mk/check/check-files.mk</filename>) can be set to | 168 | (<filename>pkgsrc/mk/check/check-files.mk</filename>) can be set to | |
170 | <quote>yes</quote> to check that the installed set of files | 169 | <quote>yes</quote> to check that the installed set of files | |
171 | matches the <filename>PLIST</filename>.</para></listitem> | 170 | matches the <filename>PLIST</filename>.</para></listitem> | |
172 | 171 | |||
173 | <listitem><para><varname>CHECK_INTERPRETER</varname> | 172 | <listitem><para><varname>CHECK_INTERPRETER</varname> | |
174 | (<filename>pkgsrc/mk/check/check-interpreter.mk</filename>) can be set to | 173 | (<filename>pkgsrc/mk/check/check-interpreter.mk</filename>) can be set to | |
175 | <quote>yes</quote> to check that the installed | 174 | <quote>yes</quote> to check that the installed | |
176 | <quote>#!</quote>-scripts will find their | 175 | <quote>#!</quote>-scripts will find their | |
177 | interpreter.</para></listitem> | 176 | interpreter.</para></listitem> | |
178 | 177 | |||
179 | <listitem><para><varname>PKGSRC_RUN_TEST</varname> can be | 178 | <listitem><para><varname>PKGSRC_RUN_TEST</varname> can be | |
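Review bot: the reworded ALLOW_VULNERABLE_PACKAGES item (new lines 159-165) still tells bulk builders to set the variable to yes, but with the "directory of their own" sentence gone it no longer says what happens to the vulnerable binaries once they are uploaded. If they are now published together with all other packages, state that here and point to pkg_admin audit, so that someone running a public bulk build knows consumers are expected to do the filtering themselves.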
@@ -575,28 +574,27 @@ chroot-&rprompt; | @@ -575,28 +574,27 @@ chroot-&rprompt; | |||
575 | 574 | |||
576 | <para>Now after all this works, you can exit the sandbox and start | 575 | <para>Now after all this works, you can exit the sandbox and start | |
577 | the upload:</para> | 576 | the upload:</para> | |
578 | 577 | |||
579 | <screen> | 578 | <screen> | |
580 | chroot-&rprompt; <userinput>exit</userinput> | 579 | chroot-&rprompt; <userinput>exit</userinput> | |
581 | &rprompt; <userinput>cd /usr/sandbox/usr/pkgsrc</userinput> | 580 | &rprompt; <userinput>cd /usr/sandbox/usr/pkgsrc</userinput> | |
582 | &rprompt; <userinput>sh mk/bulk/do-sandbox-upload</userinput> | 581 | &rprompt; <userinput>sh mk/bulk/do-sandbox-upload</userinput> | |
583 | </screen> | 582 | </screen> | |
584 | 583 | |||
585 | <para>The upload process may take quite some time. Use &man.ls.1; or | 584 | <para>The upload process may take quite some time. Use &man.ls.1; or | |
586 | &man.du.1; on the FTP server to monitor progress of the | 585 | &man.du.1; on the FTP server to monitor progress of the | |
587 | upload. The upload script will take care of not uploading | 586 | upload. The upload script will take care of not uploading | |
588 | restricted packages and putting vulnerable packages into the | 587 | restricted packages.</para> | |
589 | <filename>vulnerable</filename> subdirectory.</para> | |||
590 | 588 | |||
591 | <para>After the upload has ended, first thing is to revoke ssh access:</para> | 589 | <para>After the upload has ended, first thing is to revoke ssh access:</para> | |
592 | 590 | |||
593 | <screen>nbftp% <userinput>vi ~/.ssh/authorized_keys</userinput> | 591 | <screen>nbftp% <userinput>vi ~/.ssh/authorized_keys</userinput> | |
594 | Gdd:x! </screen> | 592 | Gdd:x! </screen> | |
595 | 593 | |||
596 | <para>Use whatever is needed to remove the key you've entered | 594 | <para>Use whatever is needed to remove the key you've entered | |
597 | before! Last, move the uploaded packages out of the | 595 | before! Last, move the uploaded packages out of the | |
598 | <filename>upload</filename> directory to have them accessible | 596 | <filename>upload</filename> directory to have them accessible | |
599 | to everyone:</para> | 597 | to everyone:</para> | |
600 | 598 | |||
601 | <screen> | 599 | <screen> | |
602 | nbftp% <userinput>cd /pub/NetBSD/packages/packages-20xxQy/NetBSD-a.b.c/arch</userinput> | 600 | nbftp% <userinput>cd /pub/NetBSD/packages/packages-20xxQy/NetBSD-a.b.c/arch</userinput> |
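Review bot: at new lines 586-587 the paragraph now mentions only restricted packages, so a reader who knew the previous revision cannot tell whether vulnerable packages are skipped or uploaded with everything else. If they are uploaded like any other package, say so in one sentence after "restricted packages." rather than leaving it implied by the omission.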
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | <!-- $NetBSD: faq.xml,v 1.45 2009/04/20 17:07:13 ver Exp $ --> | 1 | <!-- $NetBSD: faq.xml,v 1.46 2010/03/18 10:56:18 wiz Exp $ --> | |
2 | 2 | |||
3 | <chapter id="faq"> <?dbhtml filename="faq.html"?> | 3 | <chapter id="faq"> <?dbhtml filename="faq.html"?> | |
4 | <title>Frequently Asked Questions</title> | 4 | <title>Frequently Asked Questions</title> | |
5 | 5 | |||
6 | <para>This section contains hints, tips & tricks on special things in | 6 | <para>This section contains hints, tips & tricks on special things in | |
7 | pkgsrc that we didn't find a better place for in the previous chapters, and | 7 | pkgsrc that we didn't find a better place for in the previous chapters, and | |
8 | it contains items for both pkgsrc users and developers.</para> | 8 | it contains items for both pkgsrc users and developers.</para> | |
9 | 9 | |||
10 | <!-- ================================================================== --> | 10 | <!-- ================================================================== --> | |
11 | 11 | |||
12 | <sect1 id="mailing-list-pointers"> | 12 | <sect1 id="mailing-list-pointers"> | |
13 | <title>Are there any mailing lists for pkg-related discussion?</title> | 13 | <title>Are there any mailing lists for pkg-related discussion?</title> | |
14 | 14 | |||
@@ -518,27 +518,27 @@ do this, refer to the following two tool | @@ -518,27 +518,27 @@ do this, refer to the following two tool | |||
518 | 518 | |||
519 | <listitem> | 519 | <listitem> | |
520 | <para><command>pkg_admin fetch-pkg-vulnerabilities</command>, an easy way to | 520 | <para><command>pkg_admin fetch-pkg-vulnerabilities</command>, an easy way to | |
521 | download a list of the security vulnerabilities information. This list | 521 | download a list of the security vulnerabilities information. This list | |
522 | is kept up to date by the NetBSD security officer and the NetBSD | 522 | is kept up to date by the NetBSD security officer and the NetBSD | |
523 | packages team, and is distributed from the NetBSD ftp server:</para> | 523 | packages team, and is distributed from the NetBSD ftp server:</para> | |
524 | 524 | |||
525 | <para><ulink | 525 | <para><ulink | |
526 | url="ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"/></para> | 526 | url="ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"/></para> | |
527 | </listitem> | 527 | </listitem> | |
528 | 528 | |||
529 | <listitem> | 529 | <listitem> | |
530 | <para><command>pkg_admin audit</command>, an easy way to audit the | 530 | <para><command>pkg_admin audit</command>, an easy way to audit the | |
531 | current machine, checking each vulnerability which is known. If a | 531 | current machine, checking each known vulnerability. If a | |
532 | vulnerable package is installed, it will be shown by output to stdout, | 532 | vulnerable package is installed, it will be shown by output to stdout, | |
533 | including a description of the type of vulnerability, and a URL | 533 | including a description of the type of vulnerability, and a URL | |
534 | containing more information.</para> | 534 | containing more information.</para> | |
535 | </listitem> | 535 | </listitem> | |
536 | 536 | |||
537 | </orderedlist> | 537 | </orderedlist> | |
538 | 538 | |||
539 | <para>Use of these tools is strongly recommended! After | 539 | <para>Use of these tools is strongly recommended! After | |
540 | <quote>pkg_install</quote> is installed, please read | 540 | <quote>pkg_install</quote> is installed, please read | |
541 | the package's message, which you can get by running <userinput>pkg_info -D | 541 | the package's message, which you can get by running <userinput>pkg_info -D | |
542 | pkg_install</userinput>.</para> | 542 | pkg_install</userinput>.</para> | |
543 | 543 | |||
544 | <para>If this package is installed, pkgsrc builds will use it to | 544 | <para>If this package is installed, pkgsrc builds will use it to |
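Review bot: style point on lines 520-523 and 532, which sit next to the sentence tidied at 531 and could be fixed in the same pass. "a list of the security vulnerabilities information" reads better as "the list of known security vulnerabilities", and "it will be shown by output to stdout" as "it is reported on stdout".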
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | <!-- $NetBSD: using.xml,v 1.37 2009/08/25 13:19:50 wiz Exp $ --> | 1 | <!-- $NetBSD: using.xml,v 1.38 2010/03/18 10:56:18 wiz Exp $ --> | |
2 | 2 | |||
3 | <chapter id="using"> <?dbhtml filename="using.html"?> | 3 | <chapter id="using"> <?dbhtml filename="using.html"?> | |
4 | <title>Using pkgsrc</title> | 4 | <title>Using pkgsrc</title> | |
5 | 5 | |||
6 | <para>Basically, there are two ways of using pkgsrc. The first | 6 | <para>Basically, there are two ways of using pkgsrc. The first | |
7 | is to only install the package tools and to use binary packages | 7 | is to only install the package tools and to use binary packages | |
8 | that someone else has prepared. This is the <quote>pkg</quote> | 8 | that someone else has prepared. This is the <quote>pkg</quote> | |
9 | in pkgsrc. The second way is to install the <quote>src</quote> | 9 | in pkgsrc. The second way is to install the <quote>src</quote> | |
10 | of pkgsrc, too. Then you are able to build your own packages, | 10 | of pkgsrc, too. Then you are able to build your own packages, | |
11 | and you can still use binary packages from someone else.</para> | 11 | and you can still use binary packages from someone else.</para> | |
12 | 12 | |||
13 | <sect1 id="using-pkg"> | 13 | <sect1 id="using-pkg"> | |
14 | <title>Using binary packages</title> | 14 | <title>Using binary packages</title> | |
@@ -50,29 +50,27 @@ and you can still use binary packages fr | @@ -50,29 +50,27 @@ and you can still use binary packages fr | |||
50 | extract it in the <filename>/</filename> directory. It will create | 50 | extract it in the <filename>/</filename> directory. It will create | |
51 | the directories <filename>/usr/pkg</filename> (containing the tools | 51 | the directories <filename>/usr/pkg</filename> (containing the tools | |
52 | for managing binary packages) and <filename>/var/db/pkg</filename> | 52 | for managing binary packages) and <filename>/var/db/pkg</filename> | |
53 | (the database of installed packages).</para> | 53 | (the database of installed packages).</para> | |
54 | </sect2> | 54 | </sect2> | |
55 | 55 | |||
56 | <sect2 id="installing-binary-packages"> | 56 | <sect2 id="installing-binary-packages"> | |
57 | <title>Installing binary packages</title> | 57 | <title>Installing binary packages</title> | |
58 | 58 | |||
59 | <para>In the directory from the last section, there is a | 59 | <para>In the directory from the last section, there is a | |
60 | subdirectory called <filename>All</filename>, which contains all the | 60 | subdirectory called <filename>All</filename>, which contains all the | |
61 | binary packages that are available for the platform, excluding those | 61 | binary packages that are available for the platform, excluding those | |
62 | that may not be distributed via FTP or CDROM (depending on which | 62 | that may not be distributed via FTP or CDROM (depending on which | |
63 | medium you are using), and the ones that have vulnerabilities and | 63 | medium you are using).</para> | |
64 | therefore are considered insecure to install without thinking | |||
65 | before.</para> | |||
66 | 64 | |||
67 | <para>To install packages directly from an FTP or HTTP server, run | 65 | <para>To install packages directly from an FTP or HTTP server, run | |
68 | the following commands in a Bourne-compatible shell (be sure to | 66 | the following commands in a Bourne-compatible shell (be sure to | |
69 | <command>su</command> to root first):</para> | 67 | <command>su</command> to root first):</para> | |
70 | 68 | |||
71 | <screen> | 69 | <screen> | |
72 | &rprompt; <userinput>PATH="/usr/pkg/sbin:$PATH"</userinput> | 70 | &rprompt; <userinput>PATH="/usr/pkg/sbin:$PATH"</userinput> | |
73 | &rprompt; <userinput>PKG_PATH="ftp://ftp.NetBSD.org/pub/pkgsrc/packages/<replaceable>OPSYS</replaceable>/<replaceable>ARCH</replaceable>/<replaceable>VERSIONS</replaceable>/All"</userinput> | 71 | &rprompt; <userinput>PKG_PATH="ftp://ftp.NetBSD.org/pub/pkgsrc/packages/<replaceable>OPSYS</replaceable>/<replaceable>ARCH</replaceable>/<replaceable>VERSIONS</replaceable>/All"</userinput> | |
74 | &rprompt; <userinput>export PATH PKG_PATH</userinput> | 72 | &rprompt; <userinput>export PATH PKG_PATH</userinput> | |
75 | </screen> | 73 | </screen> | |
76 | 74 | |||
77 | <para>Instead of URLs, you can also use local paths, for example if | 75 | <para>Instead of URLs, you can also use local paths, for example if | |
78 | you are installing from a set of CDROMs, DVDs or an NFS-mounted | 76 | you are installing from a set of CDROMs, DVDs or an NFS-mounted | |
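Review bot: after the cut at new line 63 the description of the All directory gives no hint that it can contain packages with known vulnerabilities, and a reader who stops at this paragraph loses the warning the old text carried. Consider closing the paragraph with a short pointer such as "Packages with known vulnerabilities are included; see pkg_admin audit below."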
@@ -83,33 +81,28 @@ and you can still use binary packages fr | @@ -83,33 +81,28 @@ and you can still use binary packages fr | |||
83 | <para>After these preparations, installing a package is very | 81 | <para>After these preparations, installing a package is very | |
84 | easy:</para> | 82 | easy:</para> | |
85 | 83 | |||
86 | <screen> | 84 | <screen> | |
87 | &rprompt; <userinput>pkg_add openoffice2</userinput> | 85 | &rprompt; <userinput>pkg_add openoffice2</userinput> | |
88 | &rprompt; <userinput>pkg_add kde-3.5.7</userinput> | 86 | &rprompt; <userinput>pkg_add kde-3.5.7</userinput> | |
89 | &rprompt; <userinput>pkg_add ap2-php5-*</userinput> | 87 | &rprompt; <userinput>pkg_add ap2-php5-*</userinput> | |
90 | </screen> | 88 | </screen> | |
91 | 89 | |||
92 | <para>Note that any prerequisite packages needed to run the | 90 | <para>Note that any prerequisite packages needed to run the | |
93 | package in question will be installed, too, assuming they are | 91 | package in question will be installed, too, assuming they are | |
94 | present where you install from.</para> | 92 | present where you install from.</para> | |
95 | 93 | |||
96 | <para>As mentioned above, packages for which vulnerabilities get | 94 | <para>Adding packages might install vulnerable packages. | |
97 | known are not stored in the <filename>All</filename> subdirectory. | 95 | Thus you should run <command>pkg_admin audit</command> | |
98 | They don't get deleted since that could be very frustrating if many | |||
99 | other packages depend on it. Instead, they are moved to the | |||
100 | <filename>vulnerable</filename> subdirectory. So you may need to add | |||
101 | this directory to the <varname>PKG_PATH</varname> variable. | |||
102 | However, you should run <command>pkg_admin audit</command> | |||
103 | regularly, especially after installing new packages, and verify | 96 | regularly, especially after installing new packages, and verify | |
104 | that the vulnerabilities are acceptable for your configuration.</para> | 97 | that the vulnerabilities are acceptable for your configuration.</para> | |
105 | 98 | |||
106 | <para>After you've installed packages, be sure to have | 99 | <para>After you've installed packages, be sure to have | |
107 | <filename>/usr/pkg/bin</filename> and <filename>/usr/pkg/sbin</filename> in your | 100 | <filename>/usr/pkg/bin</filename> and <filename>/usr/pkg/sbin</filename> in your | |
108 | <varname>PATH</varname> so you can actually start the just | 101 | <varname>PATH</varname> so you can actually start the just | |
109 | installed program.</para> | 102 | installed program.</para> | |
110 | </sect2> | 103 | </sect2> | |
111 | 104 | |||
112 | <sect2 id="using.pkg_delete"> | 105 | <sect2 id="using.pkg_delete"> | |
113 | <title>Deinstalling packages</title> | 106 | <title>Deinstalling packages</title> | |
114 | 107 | |||
115 | <para>To deinstall a package, it does not matter whether it was | 108 | <para>To deinstall a package, it does not matter whether it was |
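Review bot: new lines 94-97 recommend pkg_admin audit only after pkg_add has run and do not mention that the audit is only as good as the local vulnerability list. Suggest naming pkg_admin fetch-pkg-vulnerabilities in the same sentence so the reader refreshes the list before auditing. The opening "Adding packages might install vulnerable packages" is also awkward; "Binary packages may contain known vulnerabilities" states the point more directly.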