-rw-r--r-- doc/pkgsrc.html 25
-rw-r--r-- doc/pkgsrc.txt 25
2 files changed, 16 insertions, 34 deletions
diff --git a/doc/pkgsrc.html b/doc/pkgsrc.html
index 516f9d1ce33..46d1bdd0113 100644
--- a/doc/pkgsrc.html
+++ b/doc/pkgsrc.html
@@ -1661,9 +1661,11 @@ and you can still use binary packages from someone else.</p>
subdirectory called <code class="filename">All</code>, which contains all the
binary packages that are available for the platform, excluding those
that may not be distributed via FTP or CDROM (depending on which
- medium you are using), and the ones that have vulnerabilities and
- therefore are considered insecure to install without thinking
- before.</p>
+ medium you are using). There may be an extra directory for packages
+ that have vulnerabilities and therefore are considered insecure to install
+ without checking the implications first. This method has been replaced by
+ setting CHECK_VULNERABILITIES=yes in pkg_install.conf so pkg_add will
+ complain about vulnerabilities, instead.</p>
<p>To install packages directly from an FTP or HTTP server, run
the following commands in a Bourne-compatible shell (be sure to
<span class="command"><strong>su</strong></span> to root first):</p>
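Review bot: In the added lines, CHECK_VULNERABILITIES and pkg_install.conf are bare text, while the surrounding markup in this file wraps variable names in <code class="varname"> and file names in <code class="filename"> (see All in the first context line). Mark them up the same way. The two new sentences also pull in opposite directions, "There may be an extra directory" followed by "This method has been replaced"; say plainly that the directory is an older layout that some servers may still carry.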
@@ -1687,15 +1689,6 @@ and you can still use binary packages from someone else.</p>
<p>Note that any prerequisite packages needed to run the
package in question will be installed, too, assuming they are
present where you install from.</p>
-<p>As mentioned above, packages for which vulnerabilities get
- known are not stored in the <code class="filename">All</code> subdirectory.
- They don't get deleted since that could be very frustrating if many
- other packages depend on it. Instead, they are moved to the
- <code class="filename">vulnerable</code> subdirectory. So you may need to add
- this directory to the <code class="varname">PKG_PATH</code> variable.
- However, you should run <span class="command"><strong>pkg_admin audit</strong></span>
- regularly, especially after installing new packages, and verify
- that the vulnerabilities are acceptable for your configuration.</p>
<p>After you've installed packages, be sure to have
<code class="filename">/usr/pkg/bin</code> and <code class="filename">/usr/pkg/sbin</code> in your
<code class="varname">PATH</code> so you can actually start the just
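Review bot: The removed paragraph carries two separate things and only the first is obsolete: the description of the vulnerable subdirectory, and the advice to run pkg_admin audit regularly, especially after installing new packages. The replacement text added earlier in this file only covers what pkg_add does at install time, so vulnerabilities that become known after a package is installed are no longer addressed anywhere in this section. Keep the last sentence of the removed paragraph, reworded to stand on its own.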
@@ -2616,9 +2609,7 @@ SKIP_LICENSE_CHECK= yes
<li><p><code class="varname">ALLOW_VULNERABLE_PACKAGES</code>
should be set to <code class="literal">yes</code>. The purpose of the bulk
builds is creating binary packages, no matter if they are
- vulnerable or not. When uploading the packages to a public
- server, the vulnerable packages will be put into a directory of
- their own. Leaving this variable unset would prevent the bulk
+ vulnerable or not. Leaving this variable unset would prevent the bulk
build system from even trying to build them, so possible
building errors would not show up.</p></li>
<li><p><code class="varname">CHECK_FILES</code>
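Review bot: With the sentence about the separate upload directory removed, this item tells bulk builders to set ALLOW_VULNERABLE_PACKAGES to yes but no longer says what happens to the resulting vulnerable packages once they are published. Add a short pointer to the CHECK_VULNERABILITIES setting described in the hunk at line 1661, so the reader sees that the check now happens on the installing side.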
@@ -2932,9 +2923,7 @@ chroot-<code class="prompt">#</code> <strong class="userinput"><code>exit</code>
<p>The upload process may take quite some time. Use <a class="citerefentry" href="http://netbsd.gw.com/cgi-bin/man-cgi?ls+1+NetBSD-current"><span class="citerefentry"><span class="refentrytitle">ls</span>(1)</span></a> or
<a class="citerefentry" href="http://netbsd.gw.com/cgi-bin/man-cgi?du+1+NetBSD-current"><span class="citerefentry"><span class="refentrytitle">du</span>(1)</span></a> on the FTP server to monitor progress of the
upload. The upload script will take care of not uploading
- restricted packages and putting vulnerable packages into the
- <code class="filename">vulnerable</code> subdirectory.</p>
-<p>After the upload has ended, first thing is to revoke ssh access:</p>
+ restricted packages.</p>
<pre class="screen">nbftp% <strong class="userinput"><code>vi ~/.ssh/authorized_keys</code></strong>
Gdd:x! </pre>
<p>Use whatever is needed to remove the key you've entered
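Review bot: The third removed line, "<p>After the upload has ended, first thing is to revoke ssh access:</p>", has nothing to do with the vulnerable subdirectory, and dropping it leaves the <pre class="screen"> block that edits ~/.ssh/authorized_keys without its introduction. The matching hunk in doc/pkgsrc.txt keeps this sentence as unchanged context, so the two files disagree after this commit. Restore the paragraph.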
diff --git a/doc/pkgsrc.txt b/doc/pkgsrc.txt
index 15ba9278c31..6e662aab88e 100644
--- a/doc/pkgsrc.txt
+++ b/doc/pkgsrc.txt
@@ -1492,8 +1492,11 @@ packages).
In the directory from the last section, there is a subdirectory called All,
which contains all the binary packages that are available for the platform,
excluding those that may not be distributed via FTP or CDROM (depending on
-which medium you are using), and the ones that have vulnerabilities and
-therefore are considered insecure to install without thinking before.
+which medium you are using). There may be an extra directory for packages
+that have vulnerabilities and therefore are considered insecure to install
+without checking the implications first. This method has been replaced by
+setting CHECK_VULNERABILITIES=yes in pkg_install.conf so pkg_add will
+complain about vulnerabilities, instead.
To install packages directly from an FTP or HTTP server, run the following
commands in a Bourne-compatible shell (be sure to su to root first):
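Review bot: "pkg_add will complain about vulnerabilities" in the last two added lines does not tell the reader whether the installation is refused or only warned about, and pkg_install.conf is named without a path. State the behaviour and the file location here, since the later hunks in this patch remove the other descriptions of how vulnerable packages are handled.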
@@ -1516,14 +1519,6 @@ After these preparations, installing a package is very easy:
Note that any prerequisite packages needed to run the package in question will
be installed, too, assuming they are present where you install from.
-As mentioned above, packages for which vulnerabilities get known are not stored
-in the All subdirectory. They don't get deleted since that could be very
-frustrating if many other packages depend on it. Instead, they are moved to the
-vulnerable subdirectory. So you may need to add this directory to the PKG_PATH
-variable. However, you should run pkg_admin audit regularly, especially after
-installing new packages, and verify that the vulnerabilities are acceptable for
-your configuration.
-
After you've installed packages, be sure to have /usr/pkg/bin and /usr/pkg/sbin
in your PATH so you can actually start the just installed program.
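Review bot: This removal drops the instruction to add the vulnerable subdirectory to PKG_PATH, yet the text added at line 1492 still says "There may be an extra directory" for such packages. A reader whose server still has that directory now has no guidance on using it. Either keep one sentence on PKG_PATH for that case or remove the mention of the extra directory from the earlier hunk.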
@@ -2237,10 +2232,9 @@ Some other options are scattered in the pkgsrc infrastructure:
* ALLOW_VULNERABLE_PACKAGES should be set to yes. The purpose of the bulk
builds is creating binary packages, no matter if they are vulnerable or
- not. When uploading the packages to a public server, the vulnerable
- packages will be put into a directory of their own. Leaving this variable
- unset would prevent the bulk build system from even trying to build them,
- so possible building errors would not show up.
+ not. Leaving this variable unset would prevent the bulk build system
+ from even trying to build them, so possible building errors would not
+ show up.
* CHECK_FILES (pkgsrc/mk/check/check-files.mk) can be set to "yes" to check
that the installed set of files matches the PLIST.
@@ -2520,8 +2514,7 @@ chroot-# exit
The upload process may take quite some time. Use ls(1) or du(1) on the FTP
server to monitor progress of the upload. The upload script will take care of
-not uploading restricted packages and putting vulnerable packages into the
-vulnerable subdirectory.
+not uploading restricted packages.
After the upload has ended, first thing is to revoke ssh access: