pkgsrc/pkgtools/pkg_install/MESSAGE
joerg d7cc6db11b Merge pkg_install-20090201 from pkg_install-renovation branch.
- DB support is always included from libnbcompat if needed
- pkg_view and linkfarm are not installed any more; they are not moved
into the attic yet, so they can easily be installed as separte package
- common configuration file to customise the behavior of various
components; this supersedes the old audit-packages.conf
- support for PKSC7 signatures (using X509 certs) and GPG signatures for
packages in a secure way. See pkg_admin(8) for how to create them and
pkg_install.conf(5) for the options to use them
- audit-packages and download-vulnerability-list are wrapper scripts
  around pkg_admin. They try to mimic the classic options if used sanely.
  "pkg_admin audit" is now an order of magnitude faster than before
- pkg_add uses libarchive and libfetch instead of external ftp and tar:
  - progress bar is currently missing for downloads
  - "pkg_add -" is no longer supported
  - no adhoc check for conficts between dependencies and already
    installed packages
  - "pkg_add -s" has been replaced with an option in pkg_install.conf,
    verification of plain detached GPG signatures is no longer supported
  - optional check for vulnerabilities before adding a package
  - if /var and /usr/pkg are on different fileystems it is twice as fast
    now
  - conflicts due to overlapping plists are checked before installation
  - pkg_add no longer plays with the process limits
- pkg_add and pkg_delete have a new destdir option; scripts have to
  either be modified to use PKG_DESTDIR or should be disabled
- pkg_add -u for now can't be used to update to the exact same version
- internal "rm -rf" and "mkdir_p" code
- all memory allocation failures are not explicitly fatal
- if a file is not removed due to a failed checksum, still remove the
  entry from pkgdb
2009-02-02 12:34:59 +00:00

37 lines
1.4 KiB
Text

===========================================================================
$NetBSD: MESSAGE,v 1.5 2009/02/02 12:34:59 joerg Exp $
You may wish to have the vulnerabilities file downloaded daily so that
it remains current. This may be done by adding an appropriate entry
to a user's crontab(5) entry. For example the entry
# download vulnerabilities file
0 3 * * * ${PREFIX}/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
will update the vulnerability list every day at 3AM. You may wish to do
this more often than once a day.
In addition, you may wish to run the package audit from the daily
security script. This may be accomplished by adding the following
lines to /etc/security.local
if [ -x ${PREFIX}/sbin/pkg_admin ]; then
${PREFIX}/sbin/pkg_admin audit
fi
Alternatively this can also be acomplished by adding an entry to a user's
crontab(5) file. e.g.:
# run audit-packages
0 3 * * * ${PREFIX}/sbin/pkg_admin audit
Both pkg_admin subcommands can be run as as an unprivileged user,
as long as the user chosen has permission to read the pkgdb and to write
the pkg-vulnerabilites to ${PKGVULNDIR}.
The behavior of pkg_admin and pkg_add can be customised with
pkg_install.conf. Please see pkg_install.conf(5) for details.
If you want to use GPG signature verification you will need to install
GnuPG and set the path for GPG appropriately in your pkg_install.conf.
===========================================================================