| @@ -1,189 +1,195 @@ | | | @@ -1,189 +1,195 @@ |
1 | <!-- $NetBSD: using.xml,v 1.51 2020/05/22 20:57:15 rillig Exp $ --> | | 1 | <!-- $NetBSD: using.xml,v 1.52 2021/06/11 14:45:08 nia Exp $ --> |
2 | | | 2 | |
3 | <chapter id="using"> <?dbhtml filename="using.html"?> | | 3 | <chapter id="using"> <?dbhtml filename="using.html"?> |
4 | <title>Using pkgsrc</title> | | 4 | <title>Using pkgsrc</title> |
5 | | | 5 | |
6 | <para>Basically, there are two ways of using pkgsrc. The first | | 6 | <para>Basically, there are two ways of using pkgsrc. The first |
7 | is to only install the package tools and to use binary packages | | 7 | is to only install the package tools and to use binary packages |
8 | that someone else has prepared. This is the <quote>pkg</quote> | | 8 | that someone else has prepared. This is the <quote>pkg</quote> |
9 | in pkgsrc. The second way is to install the <quote>src</quote> | | 9 | in pkgsrc. The second way is to install the <quote>src</quote> |
10 | of pkgsrc, too. Then you are able to build your own packages, | | 10 | of pkgsrc, too. Then you are able to build your own packages, |
11 | and you can still use binary packages from someone else.</para> | | 11 | and you can still use binary packages from someone else.</para> |
12 | | | 12 | |
13 | <sect1 id="using-pkg"> | | 13 | <sect1 id="using-pkg"> |
14 | <title>Using binary packages</title> | | 14 | <title>Using binary packages</title> |
15 | | | 15 | |
16 | <!-- this URL needs to be kept at http, not https, since pkg_add cannot use https. --> | | 16 | <para>On the <ulink url="https://cdn.NetBSD.org/">cdn.NetBSD.org</ulink> |
17 | <para>On the <ulink url="http://cdn.NetBSD.org/">cdn.NetBSD.org</ulink> | | | |
18 | site and mirrors, there are collections of binary packages, | | 17 | site and mirrors, there are collections of binary packages, |
19 | ready to be installed. These binary packages have been built using the | | 18 | ready to be installed. These binary packages have been built using the |
20 | default settings for the directories, that is:</para> | | 19 | default settings for the directories, that is:</para> |
21 | | | 20 | |
22 | <itemizedlist> | | 21 | <itemizedlist> |
23 | <listitem><para><filename>/usr/pkg</filename> for <varname>LOCALBASE</varname>, where most of the files are installed,</para></listitem> | | 22 | <listitem><para><filename>/usr/pkg</filename> for <varname>LOCALBASE</varname>, where most of the files are installed,</para></listitem> |
24 | <listitem><para><filename>/usr/pkg/etc</filename> for configuration files,</para></listitem> | | 23 | <listitem><para><filename>/usr/pkg/etc</filename> for configuration files,</para></listitem> |
25 | <listitem><para><filename>/var</filename> for <varname>VARBASE</varname>, where those files are installed that may change after installation.</para></listitem> | | 24 | <listitem><para><filename>/var</filename> for <varname>VARBASE</varname>, where those files are installed that may change after installation.</para></listitem> |
26 | </itemizedlist> | | 25 | </itemizedlist> |
27 | | | 26 | |
28 | <para>If you cannot use these directories for whatever reasons (maybe | | 27 | <para>If you cannot use these directories for whatever reasons (maybe |
29 | because you're not root), you cannot use these binary packages, but | | 28 | because you're not root), you cannot use these binary packages, but |
30 | have to build the packages yourself, which is explained in <xref | | 29 | have to build the packages yourself, which is explained in <xref |
31 | linkend="bootstrapping-pkgsrc" />.</para> | | 30 | linkend="bootstrapping-pkgsrc" />.</para> |
32 | | | 31 | |
33 | <sect2 id="finding-binary-packages"> | | 32 | <sect2 id="finding-binary-packages"> |
34 | <title>Finding binary packages</title> | | 33 | <title>Finding binary packages</title> |
35 | | | 34 | |
36 | <para>To install binary packages, you first need to know from where | | 35 | <para>To install binary packages, you first need to know from where |
37 | to get them. The first place where you should look is on the main | | 36 | to get them. The first place where you should look is on the main |
38 | <!-- this URL needs to be kept at http, not https, since pkg_add cannot use https. --> | | 37 | pkgsrc CDN in the directory <ulink |
39 | pkgsrc FTP server in the directory <ulink | | 38 | url="https://cdn.NetBSD.org/pub/pkgsrc/packages/"><filename>/pub/pkgsrc/packages</filename></ulink>.</para> |
40 | url="http://cdn.NetBSD.org/pub/pkgsrc/packages/"><filename>/pub/pkgsrc/packages</filename></ulink>.</para> | | | |
41 | | | 39 | |
42 | <para>This directory contains binary packages for multiple | | 40 | <para>This directory contains binary packages for multiple |
43 | platforms. First, select your operating system. (Ignore the | | 41 | platforms. First, select your operating system. (Ignore the |
44 | directories with version numbers attached to it, they just exist for | | 42 | directories with version numbers attached to it, they just exist for |
45 | legacy reasons.) Then, select your hardware architecture, and in the | | 43 | legacy reasons.) Then, select your hardware architecture, and in the |
46 | third step, the OS version and the <quote>version</quote> of pkgsrc.</para> | | 44 | third step, the OS version and the <quote>version</quote> of pkgsrc.</para> |
47 | | | 45 | |
48 | <para>In this directory, you often find a file called | | 46 | <para>In this directory, you often find a file called |
49 | <filename>bootstrap.tar.gz</filename> which contains the package | | 47 | <filename>bootstrap.tar.gz</filename> which contains the package |
50 | management tools. If the file is missing, it is likely that your | | 48 | management tools. If the file is missing, it is likely that your |
51 | operating system already provides those tools. Download the file and | | 49 | operating system already provides those tools. Download the file and |
52 | extract it in the <filename>/</filename> directory. It will create | | 50 | extract it in the <filename>/</filename> directory. It will create |
53 | the directories <filename>/usr/pkg</filename> (containing the tools | | 51 | the directories <filename>/usr/pkg</filename> (containing the tools |
54 | for managing binary packages and the database of installed packages).</para> | | 52 | for managing binary packages and the database of installed packages).</para> |
55 | </sect2> | | 53 | </sect2> |
56 | | | 54 | |
57 | <sect2 id="installing-binary-packages"> | | 55 | <sect2 id="installing-binary-packages"> |
58 | <title>Installing binary packages</title> | | 56 | <title>Installing binary packages</title> |
59 | | | 57 | |
60 | <para>In the directory from the last section, there is a | | 58 | <para>In the directory from the last section, there is a |
61 | subdirectory called <filename>All/</filename>, which contains all the | | 59 | subdirectory called <filename>All/</filename>, which contains all the |
62 | binary packages that are available for the platform, excluding those | | 60 | binary packages that are available for the platform, excluding those |
63 | that may not be distributed via FTP or CDROM (depending on which | | 61 | that may not be distributed via HTTP or FTP.</para> |
64 | medium you are using).</para> | | | |
65 | | | 62 | |
66 | <para>To install packages directly from an FTP or HTTP server, run | | 63 | <para>To install packages directly from an FTP or HTTP server, run |
67 | the following commands in a Bourne-compatible shell (be sure to | | 64 | the following commands in a Bourne-compatible shell (be sure to |
68 | <command>su</command> to root first):</para> | | 65 | <command>su</command> to root first):</para> |
69 | | | 66 | |
70 | <screen> | | 67 | <screen> |
71 | &rprompt; <userinput>PATH="/usr/pkg/sbin:$PATH"</userinput> | | 68 | &rprompt; <userinput>PATH="/usr/pkg/sbin:/usr/pkg/bin:$PATH"</userinput> |
72 | <!-- this URL needs to be kept at http, not https, since pkg_add cannot use https. --> | | 69 | &rprompt; <userinput>PKG_PATH="https://cdn.NetBSD.org/pub/pkgsrc/packages"</userinput> |
73 | &rprompt; <userinput>PKG_PATH="http://cdn.NetBSD.org/pub/pkgsrc/packages"</userinput> | | | |
74 | &rprompt; <userinput>PKG_PATH="$PKG_PATH/<replaceable>OPSYS</replaceable>/<replaceable>ARCH</replaceable>/<replaceable>VERSIONS</replaceable>/All/"</userinput> | | 70 | &rprompt; <userinput>PKG_PATH="$PKG_PATH/<replaceable>OPSYS</replaceable>/<replaceable>ARCH</replaceable>/<replaceable>VERSIONS</replaceable>/All/"</userinput> |
75 | &rprompt; <userinput>export PATH PKG_PATH</userinput> | | 71 | &rprompt; <userinput>export PATH PKG_PATH</userinput> |
| | | 72 | &rprompt; <userinput>pkg_add pkgin</userinput> |
76 | </screen> | | 73 | </screen> |
77 | | | 74 | |
78 | <para>Instead of URLs, you can also use local paths, for example if | | 75 | <para>Instead of URLs, you can also use local paths, for example if |
79 | you are installing from a set of CDROMs, DVDs or an NFS-mounted | | 76 | you are installing from a set of CDROMs, DVDs or an NFS-mounted |
80 | repository. If you want to install packages from multiple sources, | | 77 | repository. If you want to install packages from multiple sources, |
81 | you can separate them by a semicolon in | | 78 | you can separate them by a semicolon in |
82 | <varname>PKG_PATH</varname>.</para> | | 79 | <varname>PKG_PATH</varname>.</para> |
83 | | | 80 | |
84 | <para>After these preparations, installing a package is very | | 81 | <para>After these preparations, installing a package is very |
85 | easy:</para> | | 82 | easy:</para> |
86 | | | 83 | |
87 | <screen> | | 84 | <screen> |
88 | &rprompt; <userinput>pkg_add libreoffice</userinput> | | 85 | &rprompt; <userinput>pkgin search nginx</userinput> |
89 | &rprompt; <userinput>pkg_add ap24-php71-*</userinput> | | 86 | nginx-1.19.6 Lightweight HTTP server and mail proxy server |
| | | 87 | nginx-1.18.0nb8 Lightweight HTTP server and mail proxy server |
| | | 88 | &rprompt; <userinput>pkgin install zsh nginx-1.19.6 vim</userinput> |
90 | </screen> | | 89 | </screen> |
91 | | | 90 | |
92 | <para>Note that any prerequisite packages needed to run the | | 91 | <para>Note that <command>pkgin</command> is a user-friendly frontend |
93 | package in question will be installed, too, assuming they are | | 92 | to the <command>pkg_*</command> tools.</para> |
94 | present where you install from.</para> | | | |
95 | | | 93 | |
96 | <para>Adding packages might install vulnerable packages. | | 94 | <para>Any prerequisite packages needed to run the |
97 | Thus you should run <command>pkg_admin audit</command> | | 95 | package in question will be installed, too, assuming they are |
98 | regularly, especially after installing new packages, and verify | | 96 | present in the repository.</para> |
99 | that the vulnerabilities are acceptable for your configuration.</para> | | | |
100 | | | 97 | |
101 | <para>After you've installed packages, be sure to have | | 98 | <para>After you've installed packages, be sure to have |
102 | <filename>/usr/pkg/bin</filename> and <filename>/usr/pkg/sbin</filename> in your | | 99 | <filename>/usr/pkg/bin</filename> and <filename>/usr/pkg/sbin</filename> in your |
103 | <varname>PATH</varname> so you can actually start the just | | 100 | <varname>PATH</varname> so you can actually start the just |
104 | installed program.</para> | | 101 | installed program.</para> |
105 | </sect2> | | 102 | </sect2> |
106 | | | 103 | |
| | | 104 | <sect2 id="using.pkgin_update"> |
| | | 105 | <title>Updating packages</title> |
| | | 106 | |
| | | 107 | <para>To update binary packages, it is recommended that you use |
| | | 108 | <command>pkgin upgrade</command>. This will compare the remote |
| | | 109 | package repository to your locally installed packages and safely |
| | | 110 | replace any older packages.</para> |
| | | 111 | |
| | | 112 | <para>Note that pkgsrc is released as quarterly branches. |
| | | 113 | If you are updating to a newer quarterly branch of pkgsrc, you may |
| | | 114 | need to adjust the repository in |
| | | 115 | <filename>/usr/pkg/etc/pkgin/repositories.conf</filename>.</para> |
| | | 116 | </sect2> |
| | | 117 | |
107 | <sect2 id="using.pkg_delete"> | | 118 | <sect2 id="using.pkg_delete"> |
108 | <title>Deinstalling packages</title> | | 119 | <title>Deinstalling packages</title> |
109 | | | 120 | |
110 | <para>To deinstall a package, it does not matter whether it was | | 121 | <para>To deinstall a package, it does not matter whether it was |
111 | installed from source code or from a binary package. The | | 122 | installed from source code or from a binary package. Neither the |
112 | <command>pkg_delete</command> command does not know it anyway. | | 123 | <command>pkgin</command> or the <command>pkg_delete</command> |
113 | To delete a package, you can just run <command>pkg_delete | | 124 | command need to know.</para> |
114 | <replaceable>package-name</replaceable></command>. The package | | | |
115 | name can be given with or without version number. Wildcards can | | | |
116 | also be used to deinstall a set of packages, for example | | | |
117 | <literal>*emacs*</literal>. Be sure to include them in quotes, | | | |
118 | so that the shell does not expand them before | | | |
119 | <literal>pkg_delete</literal> sees them.</para> | | | |
120 | | | | |
121 | <para>The <option>-r</option> option is very powerful: it | | | |
122 | removes all the packages that require the package in question | | | |
123 | and then removes the package itself. For example: | | | |
124 | | | | |
125 | <screen> | | | |
126 | &rprompt; <userinput>pkg_delete -r jpeg</userinput> | | | |
127 | </screen> | | | |
128 | | | | |
129 | will remove jpeg and all the packages that used it; this allows | | | |
130 | upgrading the jpeg package.</para> | | | |
131 | | | 125 | |
| | | 126 | <para>To delete a package, you can just run <command>pkgin remove |
| | | 127 | <replaceable>package-name</replaceable></command>. The package |
| | | 128 | name can be given with or without version number.</para> |
132 | </sect2> | | 129 | </sect2> |
133 | | | 130 | |
134 | <sect2 id="using.pkg_info"> | | 131 | <sect2 id="using.pkg_info"> |
135 | <title>Getting information about installed packages</title> | | 132 | <title>Getting information about installed packages</title> |
136 | | | 133 | |
137 | <para>The <command>pkg_info</command> shows information about | | 134 | <para>The <command>pkg_info</command> shows information about |
138 | installed packages or binary package files.</para> | | 135 | installed packages or binary package files. |
| | | 136 | As with other management tools, it works with packages installed |
| | | 137 | from source or binaries.</para> |
139 | | | 138 | |
140 | </sect2> | | 139 | </sect2> |
141 | | | 140 | |
142 | <sect2 id="vulnerabilities"> | | 141 | <sect2 id="vulnerabilities"> |
143 | <title>Checking for security vulnerabilities in installed packages</title> | | 142 | <title>Checking for security vulnerabilities in installed packages</title> |
144 | | | 143 | |
145 | <para> | | 144 | <para> |
146 | The pkgsrc Security Team and Packages Groups maintain a list of | | 145 | The pkgsrc Security Team and Packages Groups maintain a list of |
147 | known security vulnerabilities to packages which are (or have been) | | 146 | known vulnerabilities to packages which are (or have been) |
148 | included in pkgsrc. The list is available from the NetBSD | | 147 | included in pkgsrc. The list is available from the NetBSD |
149 | <!-- this URL needs to be kept at http, not https, since pkg_add cannot use https. --> | | 148 | CDN at <ulink url="https://cdn.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities"/>. |
150 | FTP site at <ulink url="http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities"/>. | | 149 | </para> |
| | | 150 | |
| | | 151 | <para> |
| | | 152 | Please note that not every "vulnerability" with a CVE assignment is |
| | | 153 | exploitable in every configuration. |
| | | 154 | Some bugs are marked as active simply because an fix was not |
| | | 155 | marked as such. |
| | | 156 | Operating system specific hardening and mitigation features may also |
| | | 157 | reduce the impact of bugs. |
151 | </para> | | 158 | </para> |
152 | | | 159 | |
153 | <para> | | 160 | <para> |
154 | Through <command>pkg_admin fetch-pkg-vulnerabilities</command>, | | 161 | Through <command>pkg_admin fetch-pkg-vulnerabilities</command>, |
155 | this list can be downloaded | | 162 | this list can be downloaded |
156 | automatically, and a security audit of all packages installed on a system | | 163 | automatically, and a security audit of all packages installed on a system |
157 | can take place. | | 164 | can take place. |
158 | </para> | | 165 | </para> |
159 | | | 166 | |
160 | <para> | | 167 | <para> |
161 | There are two components to auditing. The first | | 168 | There are two components to auditing. The first |
162 | step, <command>pkg_admin fetch-pkg-vulnerabilities</command>, | | 169 | step, <command>pkg_admin fetch-pkg-vulnerabilities</command>, |
163 | is for downloading | | 170 | is for downloading |
164 | the list of vulnerabilities from the NetBSD FTP site. The second | | 171 | the list of vulnerabilities from the NetBSD FTP site. The second |
165 | step, <command>pkg_admin audit</command>, checks to see if any of your | | 172 | step, <command>pkg_admin audit</command>, checks to see if any of your |
166 | installed packages are vulnerable. If a package is vulnerable, you | | 173 | installed packages are vulnerable. If a package is vulnerable, you |
167 | will see output similar to the following: | | 174 | will see output similar to the following: |
168 | </para> | | 175 | </para> |
169 | | | 176 | |
170 | <screen>Package samba-2.0.9 has a local-root-shell vulnerability, see | | 177 | <screen>Package samba-2.0.9 has a local-root-shell vulnerability, see |
171 | https://www.samba.org/samba/whatsnew/macroexploit.html</screen> | | 178 | https://www.samba.org/samba/whatsnew/macroexploit.html</screen> |
172 | | | 179 | |
173 | <para> | | 180 | <para> |
174 | You may wish to have the | | 181 | You may wish to have the |
175 | <!-- this URL needs to be kept at http, not https, since pkg_add cannot use https. --> | | 182 | <ulink url="https://cdn.NetBSD.org/pub/pkgsrc/distfiles/vulnerabilities">vulnerabilities</ulink> |
176 | <ulink url="http://ftp.NetBSD.org/pub/pkgsrc/distfiles/vulnerabilities">vulnerabilities</ulink> | | | |
177 | file downloaded daily so that | | 183 | file downloaded daily so that |
178 | it remains current. This may be done by adding an appropriate entry | | 184 | it remains current. This may be done by adding an appropriate entry |
179 | to the root users &man.crontab.5; entry. For example the entry | | 185 | to the root users &man.crontab.5; entry. For example the entry |
180 | <screen> | | 186 | <screen> |
181 | # Download vulnerabilities file | | 187 | # Download vulnerabilities file |
182 | 0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1 | | 188 | 0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1 |
183 | # Audit the installed packages and email results to root | | 189 | # Audit the installed packages and email results to root |
184 | 9 3 * * * /usr/pkg/sbin/pkg_admin audit |mail -s "Installed package audit result" \ | | 190 | 9 3 * * * /usr/pkg/sbin/pkg_admin audit |mail -s "Installed package audit result" \ |
185 | root >/dev/null 2>&1 | | 191 | root >/dev/null 2>&1 |
186 | </screen> | | 192 | </screen> |
187 | will update the vulnerability list every day at 3AM, followed by an audit | | 193 | will update the vulnerability list every day at 3AM, followed by an audit |
188 | at 3:09AM. The result of the audit are then emailed to root. | | 194 | at 3:09AM. The result of the audit are then emailed to root. |
189 | | | 195 | |
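Review bot: The screen in "Installing binary packages" (new lines 68-72) now sets PKG_PATH to an https:// URL and then runs "pkg_add pkgin", while the comments removed throughout this hunk stated "pkg_add cannot use https"; the change should say, in the commit message or a short para, that this limitation no longer applies to the pkg_add extracted from bootstrap.tar.gz, because otherwise the first install command a new user types fails. The hunk also drops the paragraph advising "pkg_admin audit" after installing new packages (old lines 96-99); a sentence after the pkgin install example with an xref to the "vulnerabilities" section would keep that advice now that pkgin is the documented path. Smaller points: new line 171 still says "the NetBSD FTP site" although new line 148 now says CDN; "an fix" at new line 154 should be "a fix"; and "Neither the pkgin or the pkg_delete command need to know" at new lines 122-124 should read "Neither ... nor ... needs to know".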
| @@ -198,36 +204,33 @@ fetch_pkg_vulnerabilities=YES | | | @@ -198,36 +204,33 @@ fetch_pkg_vulnerabilities=YES |
198 | <filename>/etc/security.conf</filename>: | | 204 | <filename>/etc/security.conf</filename>: |
199 | <screen> | | 205 | <screen> |
200 | check_pkg_vulnerabilities=YES | | 206 | check_pkg_vulnerabilities=YES |
201 | </screen> | | 207 | </screen> |
202 | see &man.daily.conf.5; and &man.security.conf.5; for more details. | | 208 | see &man.daily.conf.5; and &man.security.conf.5; for more details. |
203 | </para> | | 209 | </para> |
204 | </sect2> | | 210 | </sect2> |
205 | | | 211 | |
206 | <sect2 id="pkg_versions"> | | 212 | <sect2 id="pkg_versions"> |
207 | <title>Finding if newer versions of your installed packages are in pkgsrc</title> | | 213 | <title>Finding if newer versions of your installed packages are in pkgsrc</title> |
208 | <para> | | 214 | <para> |
209 | Install <filename role="pkg">pkgtools/lintpkgsrc</filename> and run | | 215 | Install <filename role="pkg">pkgtools/lintpkgsrc</filename> and run |
210 | <command>lintpkgsrc</command> with the <quote>-i</quote> | | 216 | <command>lintpkgsrc</command> with the <quote>-i</quote> |
211 | argument to check if your packages are up-to-date, e.g. | | 217 | argument to check if any packages are stale, e.g. |
212 | </para> | | 218 | </para> |
213 | <screen> | | 219 | <screen> |
214 | &cprompt; <userinput>lintpkgsrc -i</userinput> | | 220 | &cprompt; <userinput>lintpkgsrc -i</userinput> |
215 | ... | | 221 | ... |
216 | Version mismatch: 'tcsh' 6.09.00 vs 6.10.00 | | 222 | Version mismatch: 'tcsh' 6.09.00 vs 6.10.00 |
217 | </screen> | | 223 | </screen> |
218 | <para>You can then use <command>make update</command> to update the | | | |
219 | package on your system and rebuild any dependencies. | | | |
220 | </para> | | | |
221 | </sect2> | | 224 | </sect2> |
222 | | | 225 | |
223 | <sect2 id="using.pkg_admin"> | | 226 | <sect2 id="using.pkg_admin"> |
224 | <title>Other administrative functions</title> | | 227 | <title>Other administrative functions</title> |
225 | | | 228 | |
226 | <para>The <command>pkg_admin</command> executes various | | 229 | <para>The <command>pkg_admin</command> executes various |
227 | administrative functions on the package system.</para> | | 230 | administrative functions on the package system.</para> |
228 | | | 231 | |
229 | </sect2> | | 232 | </sect2> |
230 | </sect1> | | 233 | </sect1> |
231 | | | 234 | |
232 | <sect1 id="building-packages-from-source"> | | 235 | <sect1 id="building-packages-from-source"> |
233 | <title>Building packages from source</title> | | 236 | <title>Building packages from source</title> |
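Review bot: With the "make update" paragraph removed (old lines 218-220), the pkg_versions section now ends at the "Version mismatch: 'tcsh' 6.09.00 vs 6.10.00" output and gives the reader no next step for a stale package; add a sentence with an xref to the new "Updating packages" section (pkgin upgrade) for binary installs, or to "Building packages from source" for source installs. Also, "check if any packages are stale" at new line 217 loses the scope the section title keeps; "check if any installed packages are stale" would match "your installed packages" in the title.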