Re: PKG not quite ready for prime time

2014-10-11 Thread Lars Engels
On Sat, Oct 11, 2014 at 12:15:54AM +0200, Michelle Sullivan wrote:
 Mark Felder wrote:
  On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:

  On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
  
  On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
 

  find /usr/share/keys/pkg -exec sha256 {} +
  
  No such file

  That's your problem. You are missing the signature fingerprints to
  compare against. As such Pkg is refusing to do anything to prevent MITM
  attacks.
 
  You are missing this:
  https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
 
  freebsd-update can provide it.
 
 
  
 
  Ahh, good point. This is better advice. Even if your system was
  supposedly fully up to date freebsd-update would detect this is missing
  and repair it as it was part of an SA. This is better advice than my
  manual creation method :-)

 
 Didn't on mine, I ran into the same problem - though it wasn't a show
 stopper for me as I was trying to use my own repo - which also failed
 using the docs...  and nothing in the debug gave any clues or additional
 information to the problem.  Fortunately, I can read/write code, so I
 fixed things myself.

Thanks for creating a PR.




Re: PKG not quite ready for prime time

2014-10-11 Thread Michelle Sullivan
Lars Engels wrote:
 On Sat, Oct 11, 2014 at 12:15:54AM +0200, Michelle Sullivan wrote:
   
 Mark Felder wrote:
 
 On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
   
   
 On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
 
 
 On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:

   
   
 find /usr/share/keys/pkg -exec sha256 {} +
 
 
 No such file
   
   
 That's your problem. You are missing the signature fingerprints to
 compare against. As such Pkg is refusing to do anything to prevent MITM
 attacks.

 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

 freebsd-update can provide it.


 
 
 Ahh, good point. This is better advice. Even if your system was
 supposedly fully up to date freebsd-update would detect this is missing
 and repair it as it was part of an SA. This is better advice than my
 manual creation method :-)
   
   
 Didn't on mine, I ran into the same problem - though it wasn't a show
 stopper for me as I was trying to use my own repo - which also failed
 using the docs...  and nothing in the debug gave any clues or additional
 information to the problem.  Fortunately, I can read/write code, so I
 fixed things myself.
 

 Thanks for creating a PR.
   
Actually I noticed about 72 hours ago, and I'm still trying to fix
everything that was broken by the forced change... so there is no way
I'm going to be doing any PRs until that's all done...  and 23rd Oct my
boss has me flying to SFO to discuss with the Eng  Ops team about
changing all my servers over from FreeBSD to Redhat - exactly what I
thought they would - been unable to update/patch any of my prod servers
against the Bash bug because the entire build system is broken because
of the 'End of life = This is the day it's all going to break' issue...
so not really got any motivation to log any PRs now... or ever again.

Regards,

-- 
Michelle Sullivan
http://www.mhix.org/

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: PKG not quite ready for prime time

2014-10-11 Thread scratch65535
On Fri, 10 Oct 2014 14:47:27 -0500, you wrote:

On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
 On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
 
 find /usr/share/keys/pkg -exec sha256 {} +
 
 No such file

That's your problem. You are missing the signature fingerprints to
compare against. As such Pkg is refusing to do anything to prevent MITM
attacks.

You are missing this:
https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

freebsd-update can provide it.

Thank you for the pointer.  

What puzzles me is why the problem wasn't fixed for o/s versions
prior to 10.0 since it was being made mandatory for those
versions.   That doesn't seem like good practice.


Re: PKG not quite ready for prime time

2014-10-11 Thread Michelle Sullivan
scratch65...@att.net wrote:
 On Fri, 10 Oct 2014 14:47:27 -0500, you wrote:

   
 On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
 
 On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:

   
 find /usr/share/keys/pkg -exec sha256 {} +
 
 No such file
   
 That's your problem. You are missing the signature fingerprints to
 compare against. As such Pkg is refusing to do anything to prevent MITM
 attacks.

 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

 freebsd-update can provide it.
 

 Thank you for the pointer.  

 What puzzles me is why the problem wasn't fixed for o/s versions
 prior to 10.0 since it was being made mandatory for those
 versions.   That doesn't seem like good practice.
   
We have a winner! 3\

-- 
Michelle Sullivan
http://www.mhix.org/



Re: PKG not quite ready for prime time

2014-10-11 Thread scratch65535
On Fri, 10 Oct 2014 13:49:54 -0500, you wrote:

On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
 
 I had it as ${ABI} to begin with, but had no luck that way either
 (see below).  Then I changed it, unaware that that first 8 was
 the version, or even that there are o/s version-dependent
 versions of pkg.
 
Pkg itself is compiled, not interpreted like Yum which is Python, so it
does matter.

 And you of course want to ensure you're installing packages
built for FreeBSD 9 on your FreeBSD 9 server.

[sigh] Yes.  I'm old enough that I'm always sleep-deprived, and
after 8-10 hours of concentrated work I'm so foggy that my brain
goes unserviceable.



The next error you're seeing is this:

 pkg: Error loading trusted certificates

This is due to your missing certificates in /usr/share/keys/pkg which
are required due to your repository having:

 signature_type: fingerprints,
 fingerprints: /usr/share/keys/pkg,

You could remove those lines to work around that, but you are lowering
the security of your system as you cannot verify the integrity of your
packages anymore. The fix is to populate your /usr/share/keys/pkg. I do
not know why it did not come populated after your upgrade, but that's a
discussion for another day. Let's get your keys:

# mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 \
    "https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
# chown root:wheel /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
# chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301

Thank you.  Those seem to fill in the gap.  It's a pity that the
installer for pkg didn't do that part of the job.



If you have problems with fetch because of the https you might have to
use --no-verify-peers but at least compare the certificate and/or ensure
the contents of the key match what's in the repository


Re: PKG not quite ready for prime time

2014-10-11 Thread Daniel Austin via freebsd-ports

Hi,

On 11/10/2014 14:34, Michelle Sullivan wrote:

scratch65...@att.net wrote:

You are missing this:
https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

freebsd-update can provide it.



Thank you for the pointer.

What puzzles me is why the problem wasn't fixed for o/s versions
prior to 10.0 since it was being made mandatory for those
versions.   That doesn't seem like good practice.


We have a winner! 3\


I've upgraded countless machines from 9.x to 10.x using freebsd-update 
and have never come across this issue.  (have done a few 8.x to 10.x via 
9.x and been fine too - but not many of these)


What upgrade path did you use, what version did you come from, and what 
version did you go to?



Thanks,

Daniel.


Re: PKG not quite ready for prime time

2014-10-11 Thread Michelle Sullivan
Daniel Austin via freebsd-ports wrote:
 Hi,

 On 11/10/2014 14:34, Michelle Sullivan wrote:
 scratch65...@att.net wrote:
 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

 freebsd-update can provide it.


 Thank you for the pointer.

 What puzzles me is why the problem wasn't fixed for o/s versions
 prior to 10.0 since it was being made mandatory for those
 versions.   That doesn't seem like good practice.

 We have a winner! 3\

 I've upgraded countless machines from 9.x to 10.x using freebsd-update
 and have never come across this issue.  (have done a few 8.x to 10.x
 via 9.x and been fine too - but not many of these)

 What upgrade path did you use, what version did you come from, and
 what version did you go to?

Not talking about changing versions - talking about machines that are
forced to use pkg that are not 10.x and the freebsd-update tool was used
to patch the box at the same major version.

Michelle

-- 
Michelle Sullivan
http://www.mhix.org/



PKG not quite ready for prime time

2014-10-10 Thread scratch65535
I'm having quite a lot of trouble converting to pkg due to there
being no obvious source of accurate documentation.   I got this
after I thought I had it solved and could install something:

11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to
re-create database
Fetching meta.txz: 100%   968 B   1.0k/s00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100%2 MB 119.8k/s00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD
All repositories are up-to-date.
pkg: Repository FreeBSD has a wrong packagesite, need to
re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Updating database digests format: 100%
pkg: No packages available to install matching 'firefox' have
been found in the repositories


Just for the record, could someone knowledgeable please post the
real, current list of required config files and their contents OR
a pointer to known-good+complete documentation?

Thanks!  


Re: PKG not quite ready for prime time

2014-10-10 Thread olli hauer
On 2014-10-10 19:13, scratch65...@att.net wrote:
 I'm having quite a lot of trouble converting to pkg due to there
 being no obvious source of accurate documentation.   I got this
 after I thought I had it solved and could install something:
 
 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
 Updating FreeBSD repository catalogue...
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 Fetching meta.txz: 100%   968 B   1.0k/s00:01
 pkg: Error loading trusted certificates
 pkg: repository FreeBSD has no meta file, using default settings
 Fetching digests.txz: 100%2 MB 119.8k/s00:17
 pkg: Error loading trusted certificates
 pkg: Unable to update repository FreeBSD
 All repositories are up-to-date.
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 pkg: Repository FreeBSD cannot be opened. 'pkg update' required
 Updating database digests format: 100%
 pkg: No packages available to install matching 'firefox' have
 been found in the repositories
 
 
 Just for the record, could someone knowledgeable please post the
 real, current list of required config files and their contents OR
 a pointer to known-good+complete documentation?
 
 Thanks!  

Please show us the following output
$ pkg info pkg

and from next command everything from Repositories: to the end (last ~10 
lines)
$ pkg -vv

-- 
olli


Re: PKG not quite ready for prime time

2014-10-10 Thread scratch65535

On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:

On 2014-10-10 19:13, scratch65...@att.net wrote:
 I'm having quite a lot of trouble converting to pkg due to there
 being no obvious source of accurate documentation.   I got this
 after I thought I had it solved and could install something:
 
 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
 Updating FreeBSD repository catalogue...
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 Fetching meta.txz: 100%   968 B   1.0k/s00:01
 pkg: Error loading trusted certificates
 pkg: repository FreeBSD has no meta file, using default settings
 Fetching digests.txz: 100%2 MB 119.8k/s00:17
 pkg: Error loading trusted certificates
 pkg: Unable to update repository FreeBSD
 All repositories are up-to-date.
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 pkg: Repository FreeBSD cannot be opened. 'pkg update' required
 Updating database digests format: 100%
 pkg: No packages available to install matching 'firefox' have
 been found in the repositories
 
 
 Just for the record, could someone knowledgeable please post the
 real, current list of required config files and their contents OR
 a pointer to known-good+complete documentation?
 
 Thanks!  

Please show us the following output
$ pkg info pkg


[momcat:root]~ pkg info pkg
pkg-1.3.8_3
Name   : pkg
Version: 1.3.8_3
Installed on   : Fri Oct 10 07:57:56 EDT 2014
Origin : ports-mgmt/pkg
Architecture   : freebsd:9:x86:64
Prefix : /usr/local
Categories : ports-mgmt
Licenses   : BSD2CLAUSE
Maintainer : port...@freebsd.org
WWW: http://wiki.freebsd.org/pkgng
Comment: Package manager
Shared Libs provided:
libpkg.so.3
Flat size  : 8.18MiB
Description:
Package management tool

WWW: http://wiki.freebsd.org/pkgng



and from next command everything from Repositories: to the end (last ~10 
lines)
$ pkg -vv

 
 Repositories:
  FreeBSD: { 
url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
enabled : yes,
mirror_type : SRV,
signature_type  : FINGERPRINTS,
fingerprints: /usr/share/keys/pkg
  }
 13:41 Fri, 10 Oct [momcat:root]~ 




Re: PKG not quite ready for prime time

2014-10-10 Thread Bryan Drewery
On 10/10/2014 12:43 PM, scratch65...@att.net wrote:
 
 On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
 
 On 2014-10-10 19:13, scratch65...@att.net wrote:
 I'm having quite a lot of trouble converting to pkg due to there
 being no obvious source of accurate documentation.   I got this
 after I thought I had it solved and could install something:

 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
 Updating FreeBSD repository catalogue...
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 Fetching meta.txz: 100%   968 B   1.0k/s00:01
 pkg: Error loading trusted certificates
 pkg: repository FreeBSD has no meta file, using default settings
 Fetching digests.txz: 100%2 MB 119.8k/s00:17
 pkg: Error loading trusted certificates
 pkg: Unable to update repository FreeBSD
 All repositories are up-to-date.
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 pkg: Repository FreeBSD cannot be opened. 'pkg update' required
 Updating database digests format: 100%
 pkg: No packages available to install matching 'firefox' have
 been found in the repositories


 Just for the record, could someone knowledgeable please post the
 real, current list of required config files and their contents OR
 a pointer to known-good+complete documentation?

 Thanks!  

 Please show us the following output
 $ pkg info pkg
 
 
 [momcat:root]~ pkg info pkg
 pkg-1.3.8_3
 Name   : pkg
 Version: 1.3.8_3
 Installed on   : Fri Oct 10 07:57:56 EDT 2014
 Origin : ports-mgmt/pkg
 Architecture   : freebsd:9:x86:64
 Prefix : /usr/local
 Categories : ports-mgmt
 Licenses   : BSD2CLAUSE
 Maintainer : port...@freebsd.org
 WWW: http://wiki.freebsd.org/pkgng
 Comment: Package manager
 Shared Libs provided:
   libpkg.so.3
 Flat size  : 8.18MiB
 Description:
 Package management tool
 
 WWW: http://wiki.freebsd.org/pkgng
 
 

 and from next command everything from Repositories: to the end (last ~10 
 lines)
 $ pkg -vv
 
  
  Repositories:
   FreeBSD: { 
 url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
 enabled : yes,
 mirror_type : SRV,
 signature_type  : FINGERPRINTS,
 fingerprints: /usr/share/keys/pkg

Show output of this please?

find /usr/share/keys/pkg -exec sha256 {} +

   }
  13:41 Fri, 10 Oct [momcat:root]~ 
 
 
 


-- 
Regards,
Bryan Drewery





Re: PKG not quite ready for prime time

2014-10-10 Thread olli hauer
On 2014-10-10 19:43, scratch65...@att.net wrote:
 
 On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
 
 On 2014-10-10 19:13, scratch65...@att.net wrote:
 I'm having quite a lot of trouble converting to pkg due to there
 being no obvious source of accurate documentation.   I got this
 after I thought I had it solved and could install something:

 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
 Updating FreeBSD repository catalogue...
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 Fetching meta.txz: 100%   968 B   1.0k/s00:01
 pkg: Error loading trusted certificates
 pkg: repository FreeBSD has no meta file, using default settings
 Fetching digests.txz: 100%2 MB 119.8k/s00:17
 pkg: Error loading trusted certificates
 pkg: Unable to update repository FreeBSD
 All repositories are up-to-date.
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 pkg: Repository FreeBSD cannot be opened. 'pkg update' required
 Updating database digests format: 100%
 pkg: No packages available to install matching 'firefox' have
 been found in the repositories


 Just for the record, could someone knowledgeable please post the
 real, current list of required config files and their contents OR
 a pointer to known-good+complete documentation?

 Thanks!  

 Please show us the following output
 $ pkg info pkg
 
 
 [momcat:root]~ pkg info pkg
 pkg-1.3.8_3
 Name   : pkg
 Version: 1.3.8_3
 Installed on   : Fri Oct 10 07:57:56 EDT 2014
 Origin : ports-mgmt/pkg
 Architecture   : freebsd:9:x86:64
 Prefix : /usr/local
 Categories : ports-mgmt
 Licenses   : BSD2CLAUSE
 Maintainer : port...@freebsd.org
 WWW: http://wiki.freebsd.org/pkgng
 Comment: Package manager
 Shared Libs provided:
   libpkg.so.3
 Flat size  : 8.18MiB
 Description:
 Package management tool
 
 WWW: http://wiki.freebsd.org/pkgng
 
 

 and from next command everything from Repositories: to the end (last ~10 
 lines)
 $ pkg -vv
 
  
  Repositories:
   FreeBSD: { 
 url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
 enabled : yes,
 mirror_type : SRV,
 signature_type  : FINGERPRINTS,
 fingerprints: /usr/share/keys/pkg
   }
  13:41 Fri, 10 Oct [momcat:root]~ 
 

There is an architecture mismatch, your pkg claims to be a 9.x package and your 
repo wants to install 8.x packages.
I suspect this is an upgraded system that has manual changes in the repo file.

Locate the file /etc/pkg/FreeBSD.conf and make sure it looks like the 
following lines (the variable ${ABI} instead of freebsd:8:x86:64)
(it is possible a correct copy exists in /usr/src/etc/pkg/FreeBSD.conf)

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: srv,
  signature_type: fingerprints,
  fingerprints: /usr/share/keys/pkg,
  enabled: yes
}


after fixing the repo run
$ pkg update -f


-- 
olli


Re: PKG not quite ready for prime time

2014-10-10 Thread scratch65535
On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:

find /usr/share/keys/pkg -exec sha256 {} +

No such file


Re: PKG not quite ready for prime time

2014-10-10 Thread Auld Besom
On Fri, 10 Oct 2014 20:02:19 +0200, you wrote:

On 2014-10-10 19:43, scratch65...@att.net wrote:
 
 On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
 
 On 2014-10-10 19:13, scratch65...@att.net wrote:
 I'm having quite a lot of trouble converting to pkg due to there
 being no obvious source of accurate documentation.   I got this
 after I thought I had it solved and could install something:

 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
 Updating FreeBSD repository catalogue...
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 Fetching meta.txz: 100%   968 B   1.0k/s00:01
 pkg: Error loading trusted certificates
 pkg: repository FreeBSD has no meta file, using default settings
 Fetching digests.txz: 100%2 MB 119.8k/s00:17
 pkg: Error loading trusted certificates
 pkg: Unable to update repository FreeBSD
 All repositories are up-to-date.
 pkg: Repository FreeBSD has a wrong packagesite, need to
 re-create database
 pkg: Repository FreeBSD cannot be opened. 'pkg update' required
 Updating database digests format: 100%
 pkg: No packages available to install matching 'firefox' have
 been found in the repositories


 Just for the record, could someone knowledgeable please post the
 real, current list of required config files and their contents OR
 a pointer to known-good+complete documentation?

 Thanks!  

 Please show us the following output
 $ pkg info pkg
 
 
 [momcat:root]~ pkg info pkg
 pkg-1.3.8_3
 Name   : pkg
 Version: 1.3.8_3
 Installed on   : Fri Oct 10 07:57:56 EDT 2014
 Origin : ports-mgmt/pkg
 Architecture   : freebsd:9:x86:64
 Prefix : /usr/local
 Categories : ports-mgmt
 Licenses   : BSD2CLAUSE
 Maintainer : port...@freebsd.org
 WWW: http://wiki.freebsd.org/pkgng
 Comment: Package manager
 Shared Libs provided:
  libpkg.so.3
 Flat size  : 8.18MiB
 Description:
 Package management tool
 
 WWW: http://wiki.freebsd.org/pkgng
 
 

 and from next command everything from Repositories: to the end (last ~10 
 lines)
 $ pkg -vv
 
  
  Repositories:
   FreeBSD: { 
 url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
 enabled : yes,
 mirror_type : SRV,
 signature_type  : FINGERPRINTS,
 fingerprints: /usr/share/keys/pkg
   }
  13:41 Fri, 10 Oct [momcat:root]~ 
 

There is an architecture mismatch, your pkg claims to be a 9.x package and your 
repo wants to install 8.x packages.
I suspect this is an upgraded system that has manual changes in the repo file.

Locate the file /etc/pkg/FreeBSD.conf and make sure it looks like the 
following lines (the variable ${ABI} instead of freebsd:8:x86:64)
(it is possible a correct copy exists in /usr/src/etc/pkg/FreeBSD.conf)

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: srv,
  signature_type: fingerprints,
  fingerprints: /usr/share/keys/pkg,
  enabled: yes
}


after fixing the repo run
$ pkg update -f


I had it as ${ABI} to begin with, but had no luck that way either
(see below).  Then I changed it, unaware that that first 8 was
the version, or even that there are o/s version-dependent
versions of pkg.

14:25 Fri, 10 Oct [momcat:root]/etc/pkg cat FreeBSD.conf 
FreeBSD: {
 url: "pkg+http://pkg.freebsd.org/${ABI}/latest",
 enabled: true,
 signature_type: fingerprints,
 fingerprints: /usr/share/keys/pkg,
 mirror_type: srv
 }
 14:25 Fri, 10 Oct [momcat:root]/etc/pkg pkg update -f
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to
re-create database
Fetching meta.txz: 100%   968 B   1.0k/s00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100%2 MB 119.8k/s00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD
 14:25 Fri, 10 Oct [momcat:root]/etc/pkg 


Re: PKG not quite ready for prime time

2014-10-10 Thread Mark Felder
On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
 
 I had it as ${ABI} to begin with, but had no luck that way either
 (see below).  Then I changed it, unaware that that first 8 was
 the version, or even that there are o/s version-dependent
 versions of pkg.
 
Pkg itself is compiled, not interpreted like Yum which is Python, so it
does matter. And you of course want to ensure you're installing packages
built for FreeBSD 9 on your FreeBSD 9 server.

The next error you're seeing is this:

 pkg: Error loading trusted certificates

This is due to your missing certificates in /usr/share/keys/pkg which
are required due to your repository having:

 signature_type: fingerprints,
 fingerprints: /usr/share/keys/pkg,

You could remove those lines to work around that, but you are lowering
the security of your system as you cannot verify the integrity of your
packages anymore. The fix is to populate your /usr/share/keys/pkg. I do
not know why it did not come populated after your upgrade, but that's a
discussion for another day. Let's get your keys:

# mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 \
    "https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
# chown root:wheel /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
# chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301


If you have problems with fetch because of the https you might have to
use --no-verify-peers but at least compare the certificate and/or ensure
the contents of the key match what's in the repository
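
An added example, not part of the original messages and not code from the pkg project: a preflight audit for the three states this thread runs into (a url pinned to the wrong ABI, signature checking removed as a workaround, and a missing or empty fingerprint directory). It assumes the flat "key: value" repo file shown above and a trusted-key file made of a `function:` line and a `fingerprint:` line; the function names, the ROOT prefix and the sample digest are hypothetical or constructed.

```shell
#!/bin/sh
# Added example: audit a pkg repo file and its fingerprint directory.
# Function names and the ROOT prefix are hypothetical, not part of pkg.

# Print KEY's value from a flat "key: value," repo file, unquoted.
repo_setting() {  # usage: repo_setting FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*,*[[:space:]]*$//; s/^"//; s/"$//'
}

# 0 = usable, 1 = trusted/ missing, 2 = trusted/ empty, 3 = malformed key file.
# Assumed key file format: function: "sha256" / fingerprint: "<64 hex digits>".
check_fingerprints() {  # usage: check_fingerprints DIR
    fp_dir=$1 fp_count=0
    [ -d "$fp_dir/trusted" ] || { echo "MISSING: $fp_dir/trusted"; return 1; }
    for fp_file in "$fp_dir"/trusted/*; do
        [ -f "$fp_file" ] || continue
        fp_count=$((fp_count + 1))
        grep -Eq '^function:[[:space:]]*"?sha256"?[[:space:]]*$' "$fp_file" &&
            grep -Eq '^fingerprint:[[:space:]]*"?[0-9a-f]{64}"?[[:space:]]*$' "$fp_file" ||
            { echo "MALFORMED: $fp_file"; return 3; }
    done
    [ "$fp_count" -gt 0 ] || { echo "EMPTY: $fp_dir/trusted"; return 2; }
    echo "OK: $fp_count trusted fingerprint(s) in $fp_dir"
}

# 4 = signature_type is not fingerprints, so packages would be installed
#     unverified; 5 = url pins an ABI other than the one pkg was built for.
audit_repo() {  # usage: audit_repo CONF PKG_ABI [ROOT]
    a_conf=$1 a_abi=$2 a_root=${3:-}
    a_url=$(repo_setting "$a_conf" url)
    a_sig=$(repo_setting "$a_conf" signature_type | tr 'A-Z' 'a-z')
    a_keys=$(repo_setting "$a_conf" fingerprints)
    case $a_url in
        *'${ABI}'*) ;;            # pkg substitutes its own ABI at run time
        *"/$a_abi/"*) ;;          # pinned, but to the matching ABI
        *) echo "ABI MISMATCH: pkg is $a_abi, url is $a_url"; return 5 ;;
    esac
    [ "$a_sig" = fingerprints ] ||
        { echo "UNVERIFIED: signature_type is '${a_sig:-unset}'"; return 4; }
    check_fingerprints "$a_root$a_keys"
}

# Constructed sample tree: the repo file from the thread plus a placeholder key.
make_sample() {  # usage: make_sample ROOT
    mkdir -p "$1/etc/pkg" "$1/usr/share/keys/pkg/trusted" \
        "$1/usr/share/keys/pkg/revoked"
    cat > "$1/etc/pkg/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: srv,
  signature_type: fingerprints,
  fingerprints: /usr/share/keys/pkg,
  enabled: yes
}
EOF
    # Placeholder digest (64 zeros), not the real FreeBSD fingerprint.
    printf 'function: "sha256"\nfingerprint: "%064d"\n' 0 \
        > "$1/usr/share/keys/pkg/trusted/example.placeholder"
}

# Demo against the constructed tree: healthy first, then with the key
# directory removed, which is the state the reporter's machine was in.
demo_root=$(mktemp -d)
make_sample "$demo_root"
audit_repo "$demo_root/etc/pkg/FreeBSD.conf" freebsd:9:x86:64 "$demo_root" ||
    echo "exit $?"
rm -r "$demo_root/usr/share/keys"
audit_repo "$demo_root/etc/pkg/FreeBSD.conf" freebsd:9:x86:64 "$demo_root" ||
    echo "exit $?"
rm -r "$demo_root"
```

On a real system the PKG_ABI argument is the "Architecture" value that `pkg info pkg` prints, as in the output posted earlier in the thread, and ROOT is left empty.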


Re: PKG not quite ready for prime time

2014-10-10 Thread Bryan Drewery
On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
 On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
 
 find /usr/share/keys/pkg -exec sha256 {} +
 
 No such file

That's your problem. You are missing the signature fingerprints to
compare against. As such Pkg is refusing to do anything to prevent MITM
attacks.

You are missing this:
https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

freebsd-update can provide it.


-- 
Regards,
Bryan Drewery





Re: PKG not quite ready for prime time

2014-10-10 Thread Mark Felder


On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
 On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
  On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
  
  find /usr/share/keys/pkg -exec sha256 {} +
  
  No such file
 
 That's your problem. You are missing the signature fingerprints to
 compare against. As such Pkg is refusing to do anything to prevent MITM
 attacks.
 
 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
 
 freebsd-update can provide it.
 
 

Ahh, good point. This is better advice. Even if your system was
supposedly fully up to date freebsd-update would detect this is missing
and repair it as it was part of an SA. This is better advice than my
manual creation method :-)


Re: PKG not quite ready for prime time

2014-10-10 Thread Royce Williams
On Fri, Oct 10, 2014 at 11:55 AM, Mark Felder f...@freebsd.org wrote:


 On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
 On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
  On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
 
  find /usr/share/keys/pkg -exec sha256 {} +
 
  No such file

 That's your problem. You are missing the signature fingerprints to
 compare against. As such Pkg is refusing to do anything to prevent MITM
 attacks.

 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

 freebsd-update can provide it.

 Ahh, good point. This is better advice. Even if your system was
 supposedly fully up to date freebsd-update would detect this is missing
 and repair it as it was part of an SA. This is better advice than my
 manual creation method :-)

I'm glad that Mark managed to get an answer to this question.

But could pkg be adapted to help uninitiated users to discover this
for themselves on the spot?

Royce


Re: PKG not quite ready for prime time

2014-10-10 Thread Michelle Sullivan
Mark Felder wrote:
 On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
   
 On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
 
 On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:

   
 find /usr/share/keys/pkg -exec sha256 {} +
 
 No such file
   
 That's your problem. You are missing the signature fingerprints to
 compare against. As such Pkg is refusing to do anything to prevent MITM
 attacks.

 You are missing this:
 https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

 freebsd-update can provide it.


 

 Ahh, good point. This is better advice. Even if your system was
 supposedly fully up to date freebsd-update would detect this is missing
 and repair it as it was part of an SA. This is better advice than my
 manual creation method :-)
   

Didn't on mine, I ran into the same problem - though it wasn't a show
stopper for me as I was trying to use my own repo - which also failed
using the docs...  and nothing in the debug gave any clues or additional
information to the problem.  Fortunately, I can read/write code, so I
fixed things myself.

Michelle

(and people wonder why I hadn't switched to pkgng by Sept 1.. but it was
deemed thou shalt use it whether you like it or not)

-- 
Michelle Sullivan
http://www.mhix.org/
