d7cc6db11b
- DB support is always included from libnbcompat if needed
- pkg_view and linkfarm are not installed any more; they are not moved
into the attic yet, so they can easily be installed as separte package
- common configuration file to customise the behavior of various
components; this supersedes the old audit-packages.conf
- support for PKSC7 signatures (using X509 certs) and GPG signatures for
packages in a secure way. See pkg_admin(8) for how to create them and
pkg_install.conf(5) for the options to use them
- audit-packages and download-vulnerability-list are wrapper scripts
around pkg_admin. They try to mimic the classic options if used sanely.
"pkg_admin audit" is now an order of magnitude faster than before
- pkg_add uses libarchive and libfetch instead of external ftp and tar:
- progress bar is currently missing for downloads
- "pkg_add -" is no longer supported
- no adhoc check for conficts between dependencies and already
installed packages
- "pkg_add -s" has been replaced with an option in pkg_install.conf,
verification of plain detached GPG signatures is no longer supported
- optional check for vulnerabilities before adding a package
- if /var and /usr/pkg are on different fileystems it is twice as fast
now
- conflicts due to overlapping plists are checked before installation
- pkg_add no longer plays with the process limits
- pkg_add and pkg_delete have a new destdir option; scripts have to
either be modified to use PKG_DESTDIR or should be disabled
- pkg_add -u for now can't be used to update to the exact same version
- internal "rm -rf" and "mkdir_p" code
- all memory allocation failures are not explicitly fatal
- if a file is not removed due to a failed checksum, still remove the
entry from pkgdb
37 lines
1.4 KiB
Text
37 lines
1.4 KiB
Text
===========================================================================
|
|
$NetBSD: MESSAGE,v 1.5 2009/02/02 12:34:59 joerg Exp $
|
|
|
|
You may wish to have the vulnerabilities file downloaded daily so that
|
|
it remains current. This may be done by adding an appropriate entry
|
|
to a user's crontab(5) entry. For example the entry
|
|
|
|
# download vulnerabilities file
|
|
0 3 * * * ${PREFIX}/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
|
|
|
|
will update the vulnerability list every day at 3AM. You may wish to do
|
|
this more often than once a day.
|
|
|
|
In addition, you may wish to run the package audit from the daily
|
|
security script. This may be accomplished by adding the following
|
|
lines to /etc/security.local
|
|
|
|
if [ -x ${PREFIX}/sbin/pkg_admin ]; then
|
|
${PREFIX}/sbin/pkg_admin audit
|
|
fi
|
|
|
|
Alternatively this can also be acomplished by adding an entry to a user's
|
|
crontab(5) file. e.g.:
|
|
|
|
# run audit-packages
|
|
0 3 * * * ${PREFIX}/sbin/pkg_admin audit
|
|
|
|
Both pkg_admin subcommands can be run as as an unprivileged user,
|
|
as long as the user chosen has permission to read the pkgdb and to write
|
|
the pkg-vulnerabilites to ${PKGVULNDIR}.
|
|
|
|
The behavior of pkg_admin and pkg_add can be customised with
|
|
pkg_install.conf. Please see pkg_install.conf(5) for details.
|
|
|
|
If you want to use GPG signature verification you will need to install
|
|
GnuPG and set the path for GPG appropriately in your pkg_install.conf.
|
|
===========================================================================
|