Re: PKG not quite ready for prime time
On Sat, Oct 11, 2014 at 12:15:54AM +0200, Michelle Sullivan wrote:
> Mark Felder wrote:
>> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>>> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>>>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>>> No such file
>>>
>>> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>>>
>>> You are missing this:
>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>
>>> freebsd-update can provide it.
>>
>> Ahh, good point. This is better advice. Even if your system was supposedly fully up to date freebsd-update would detect this is missing and repair it as it was part of an SA. This is better advice than my manual creation method :-)
>
> Didn't on mine, I ran into the same problem - though it wasn't a show stopper for me as I was trying to use my own repo - which also failed using the docs... and nothing in the debug gave any clues or additional information to the problem.
>
> Fortunately, I can read/write code, so I fixed things myself.

Thanks for creating a PR.
Re: PKG not quite ready for prime time
Lars Engels wrote:
> On Sat, Oct 11, 2014 at 12:15:54AM +0200, Michelle Sullivan wrote:
>> Mark Felder wrote:
>>> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>>>> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>>>>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>>>> No such file
>>>>
>>>> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>>>>
>>>> You are missing this:
>>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>>
>>>> freebsd-update can provide it.
>>>
>>> Ahh, good point. This is better advice. Even if your system was supposedly fully up to date freebsd-update would detect this is missing and repair it as it was part of an SA. This is better advice than my manual creation method :-)
>>
>> Didn't on mine, I ran into the same problem - though it wasn't a show stopper for me as I was trying to use my own repo - which also failed using the docs... and nothing in the debug gave any clues or additional information to the problem.
>>
>> Fortunately, I can read/write code, so I fixed things myself.
>
> Thanks for creating a PR.

Actually I noticed about 72 hours ago, and I'm still trying to fix everything that was broken by the forced change... so there is no way I'm going to be doing any PRs until that's all done... and 23rd Oct my boss has me flying to SFO to discuss with the Eng Ops team about changing all my servers over from FreeBSD to Redhat - exactly what I thought they would - been unable to update/patch any of my prod servers against the Bash bug because the entire build system is broken because of the 'End of life = This is the day it's all going to break' issue... so not really got any motivation to log any PRs now... or ever again.

Regards,

--
Michelle Sullivan
http://www.mhix.org/

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
Re: PKG not quite ready for prime time
On Fri, 10 Oct 2014 14:47:27 -0500, you wrote:
> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>> find /usr/share/keys/pkg -exec sha256 {} +
>> No such file
>
> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>
> You are missing this:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>
> freebsd-update can provide it.

Thank you for the pointer. What puzzles me is why the problem wasn't fixed for o/s versions prior to 10.0 since it was being made mandatory for those versions. That doesn't seem like good practice.
Re: PKG not quite ready for prime time
scratch65...@att.net wrote:
> On Fri, 10 Oct 2014 14:47:27 -0500, you wrote:
>> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>> No such file
>>
>> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>>
>> You are missing this:
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>
>> freebsd-update can provide it.
>
> Thank you for the pointer. What puzzles me is why the problem wasn't fixed for o/s versions prior to 10.0 since it was being made mandatory for those versions. That doesn't seem like good practice.

We have a winner! 3\

--
Michelle Sullivan
http://www.mhix.org/
Re: PKG not quite ready for prime time
On Fri, 10 Oct 2014 13:49:54 -0500, you wrote:
> On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
>> I had it as ${ABI} to begin with, but had no luck that way either (see below). Then I changed it, unaware that that first 8 was the version, or even that there are o/s version-dependent versions of pkg.
>
> Pkg itself is compiled, not interpreted like Yum which is Python, so it does matter. And you of course want to ensure you're installing packages built for FreeBSD 9 on your FreeBSD 9 server.

[sigh] Yes. I'm old enough that I'm always sleep-deprived, and after 8-10 hours of concentrated work I'm so foggy that my brain goes unserviceable.

> The next error you're seeing is this:
>
> pkg: Error loading trusted certificates
>
> This is due to your missing certificates in /usr/share/keys/pkg which are required due to your repository having:
>
> signature_type: fingerprints,
> fingerprints: /usr/share/keys/pkg,
>
> You could remove those lines to work around that, but you are lowering the security of your system as you cannot verify the integrity of your packages anymore. The fix is to populate your /usr/share/keys/pkg. I do not know why it did not come populated after your upgrade, but that's a discussion for another day.
>
> Let's get your keys:
>
> # mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
> # fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 "https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
> # chown root:wheel /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
> # chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301

Thank you. Those seem to fill in the gap. It's a pity that the installer for pkg didn't do that part of the job.

> If you have problems with fetch because of the https you might have to use --no-verify-peers but at least compare the certificate and/or ensure the contents of the key match what's in the repository
Re: PKG not quite ready for prime time
Hi,

On 11/10/2014 14:34, Michelle Sullivan wrote:
> scratch65...@att.net wrote:
>>> You are missing this:
>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>
>>> freebsd-update can provide it.
>>
>> Thank you for the pointer. What puzzles me is why the problem wasn't fixed for o/s versions prior to 10.0 since it was being made mandatory for those versions. That doesn't seem like good practice.
>
> We have a winner! 3\

I've upgraded countless machines from 9.x to 10.x using freebsd-update and have never come across this issue. (have done a few 8.x to 10.x via 9.x and been fine too - but not many of these)

What upgrade path did you use, what version did you come from, and what version did you go to?

Thanks,

Daniel.
Re: PKG not quite ready for prime time
Daniel Austin via freebsd-ports wrote:
> Hi,
>
> On 11/10/2014 14:34, Michelle Sullivan wrote:
>> scratch65...@att.net wrote:
>>>> You are missing this:
>>>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>>>
>>>> freebsd-update can provide it.
>>>
>>> Thank you for the pointer. What puzzles me is why the problem wasn't fixed for o/s versions prior to 10.0 since it was being made mandatory for those versions. That doesn't seem like good practice.
>>
>> We have a winner! 3\
>
> I've upgraded countless machines from 9.x to 10.x using freebsd-update and have never come across this issue. (have done a few 8.x to 10.x via 9.x and been fine too - but not many of these)
>
> What upgrade path did you use, what version did you come from, and what version did you go to?

Not talking about changing versions - talking about machines that are forced to use pkg that are not 10.x and the freebsd-update tool was used to patch the box at the same major version.

Michelle

--
Michelle Sullivan
http://www.mhix.org/
PKG not quite ready for prime time
I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.

I got this after I thought I had it solved and could install something:

11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
Fetching meta.txz: 100% 968 B 1.0k/s00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100%2 MB 119.8k/s00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD
All repositories are up-to-date.
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Updating database digests format: 100%
pkg: No packages available to install matching 'firefox' have been found in the repositories

Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?

Thanks!
Re: PKG not quite ready for prime time
On 2014-10-10 19:13, scratch65...@att.net wrote:
> I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.
>
> I got this after I thought I had it solved and could install something:
>
> 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
> Updating FreeBSD repository catalogue...
> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
> Fetching meta.txz: 100% 968 B 1.0k/s00:01
> pkg: Error loading trusted certificates
> pkg: repository FreeBSD has no meta file, using default settings
> Fetching digests.txz: 100%2 MB 119.8k/s00:17
> pkg: Error loading trusted certificates
> pkg: Unable to update repository FreeBSD
> All repositories are up-to-date.
> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
> pkg: Repository FreeBSD cannot be opened. 'pkg update' required
> Updating database digests format: 100%
> pkg: No packages available to install matching 'firefox' have been found in the repositories
>
> Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?
>
> Thanks!

Please show us the following output

$ pkg info pkg

and from next command everything from Repositories: to the end (last ~10 lines)

$ pkg -vv

--
olli
Re: PKG not quite ready for prime time
On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
> On 2014-10-10 19:13, scratch65...@att.net wrote:
>> I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.
>>
>> I got this after I thought I had it solved and could install something:
>>
>> 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
>> Updating FreeBSD repository catalogue...
>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>> Fetching meta.txz: 100% 968 B 1.0k/s00:01
>> pkg: Error loading trusted certificates
>> pkg: repository FreeBSD has no meta file, using default settings
>> Fetching digests.txz: 100%2 MB 119.8k/s00:17
>> pkg: Error loading trusted certificates
>> pkg: Unable to update repository FreeBSD
>> All repositories are up-to-date.
>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>> pkg: Repository FreeBSD cannot be opened. 'pkg update' required
>> Updating database digests format: 100%
>> pkg: No packages available to install matching 'firefox' have been found in the repositories
>>
>> Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?
>>
>> Thanks!
>
> Please show us the following output
>
> $ pkg info pkg

[momcat:root]~ pkg info pkg
pkg-1.3.8_3
Name : pkg
Version: 1.3.8_3
Installed on : Fri Oct 10 07:57:56 EDT 2014
Origin : ports-mgmt/pkg
Architecture : freebsd:9:x86:64
Prefix : /usr/local
Categories : ports-mgmt
Licenses : BSD2CLAUSE
Maintainer : port...@freebsd.org
WWW: http://wiki.freebsd.org/pkgng
Comment: Package manager
Shared Libs provided: libpkg.so.3
Flat size : 8.18MiB
Description: Package management tool
WWW: http://wiki.freebsd.org/pkgng

> and from next command everything from Repositories: to the end (last ~10 lines)
>
> $ pkg -vv

Repositories:
  FreeBSD: {
    url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
    enabled : yes,
    mirror_type : SRV,
    signature_type : FINGERPRINTS,
    fingerprints: /usr/share/keys/pkg
  }

13:41 Fri, 10 Oct [momcat:root]~
Re: PKG not quite ready for prime time
On 10/10/2014 12:43 PM, scratch65...@att.net wrote:
> On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
>> On 2014-10-10 19:13, scratch65...@att.net wrote:
>>> I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.
>>>
>>> I got this after I thought I had it solved and could install something:
>>>
>>> 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
>>> Updating FreeBSD repository catalogue...
>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>> Fetching meta.txz: 100% 968 B 1.0k/s00:01
>>> pkg: Error loading trusted certificates
>>> pkg: repository FreeBSD has no meta file, using default settings
>>> Fetching digests.txz: 100%2 MB 119.8k/s00:17
>>> pkg: Error loading trusted certificates
>>> pkg: Unable to update repository FreeBSD
>>> All repositories are up-to-date.
>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>> pkg: Repository FreeBSD cannot be opened. 'pkg update' required
>>> Updating database digests format: 100%
>>> pkg: No packages available to install matching 'firefox' have been found in the repositories
>>>
>>> Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?
>>>
>>> Thanks!
>>
>> Please show us the following output
>>
>> $ pkg info pkg
>
> [momcat:root]~ pkg info pkg
> pkg-1.3.8_3
> Name : pkg
> Version: 1.3.8_3
> Installed on : Fri Oct 10 07:57:56 EDT 2014
> Origin : ports-mgmt/pkg
> Architecture : freebsd:9:x86:64
> Prefix : /usr/local
> Categories : ports-mgmt
> Licenses : BSD2CLAUSE
> Maintainer : port...@freebsd.org
> WWW: http://wiki.freebsd.org/pkgng
> Comment: Package manager
> Shared Libs provided: libpkg.so.3
> Flat size : 8.18MiB
> Description: Package management tool
> WWW: http://wiki.freebsd.org/pkgng
>
>> and from next command everything from Repositories: to the end (last ~10 lines)
>>
>> $ pkg -vv
>
> Repositories:
>   FreeBSD: {
>     url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
>     enabled : yes,
>     mirror_type : SRV,
>     signature_type : FINGERPRINTS,
>     fingerprints: /usr/share/keys/pkg

Show output of this please?

find /usr/share/keys/pkg -exec sha256 {} +

>   }
>
> 13:41 Fri, 10 Oct [momcat:root]~

--
Regards,
Bryan Drewery
Re: PKG not quite ready for prime time
On 2014-10-10 19:43, scratch65...@att.net wrote:
> On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
>> On 2014-10-10 19:13, scratch65...@att.net wrote:
>>> I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.
>>>
>>> I got this after I thought I had it solved and could install something:
>>>
>>> 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
>>> Updating FreeBSD repository catalogue...
>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>> Fetching meta.txz: 100% 968 B 1.0k/s00:01
>>> pkg: Error loading trusted certificates
>>> pkg: repository FreeBSD has no meta file, using default settings
>>> Fetching digests.txz: 100%2 MB 119.8k/s00:17
>>> pkg: Error loading trusted certificates
>>> pkg: Unable to update repository FreeBSD
>>> All repositories are up-to-date.
>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>> pkg: Repository FreeBSD cannot be opened. 'pkg update' required
>>> Updating database digests format: 100%
>>> pkg: No packages available to install matching 'firefox' have been found in the repositories
>>>
>>> Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?
>>>
>>> Thanks!
>>
>> Please show us the following output
>>
>> $ pkg info pkg
>
> [momcat:root]~ pkg info pkg
> pkg-1.3.8_3
> Name : pkg
> Version: 1.3.8_3
> Installed on : Fri Oct 10 07:57:56 EDT 2014
> Origin : ports-mgmt/pkg
> Architecture : freebsd:9:x86:64
> Prefix : /usr/local
> Categories : ports-mgmt
> Licenses : BSD2CLAUSE
> Maintainer : port...@freebsd.org
> WWW: http://wiki.freebsd.org/pkgng
> Comment: Package manager
> Shared Libs provided: libpkg.so.3
> Flat size : 8.18MiB
> Description: Package management tool
> WWW: http://wiki.freebsd.org/pkgng
>
>> and from next command everything from Repositories: to the end (last ~10 lines)
>>
>> $ pkg -vv
>
> Repositories:
>   FreeBSD: {
>     url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
>     enabled : yes,
>     mirror_type : SRV,
>     signature_type : FINGERPRINTS,
>     fingerprints: /usr/share/keys/pkg
>   }
>
> 13:41 Fri, 10 Oct [momcat:root]~

There is an architecture mismatch, your pkg claims to be a 9.x package and your repo wants to install 8.x packages.

I suspect this is an upgraded system that has manual changes in the repo file.

Locate the file /etc/pkg/FreeBSD.conf and make sure it looks like the following lines (the variable ${ABI} instead of freebsd:8:x86:64) (it is possible a correct copy exists in /usr/src/etc/pkg/FreeBSD.conf)

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: srv,
  signature_type: fingerprints,
  fingerprints: /usr/share/keys/pkg,
  enabled: yes
}

after fixing the repo run

$ pkg update -f

--
olli
Re: PKG not quite ready for prime time
On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
> find /usr/share/keys/pkg -exec sha256 {} +

No such file
Re: PKG not quite ready for prime time
On Fri, 10 Oct 2014 20:02:19 +0200, you wrote:
> On 2014-10-10 19:43, scratch65...@att.net wrote:
>> On Fri, 10 Oct 2014 19:30:18 +0200, you wrote:
>>> On 2014-10-10 19:13, scratch65...@att.net wrote:
>>>> I'm having quite a lot of trouble converting to pkg due to there being no obvious source of accurate documentation.
>>>>
>>>> I got this after I thought I had it solved and could install something:
>>>>
>>>> 11:36 Fri, 10 Oct [momcat:root]~ pkg install firefox
>>>> Updating FreeBSD repository catalogue...
>>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>>> Fetching meta.txz: 100% 968 B 1.0k/s00:01
>>>> pkg: Error loading trusted certificates
>>>> pkg: repository FreeBSD has no meta file, using default settings
>>>> Fetching digests.txz: 100%2 MB 119.8k/s00:17
>>>> pkg: Error loading trusted certificates
>>>> pkg: Unable to update repository FreeBSD
>>>> All repositories are up-to-date.
>>>> pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
>>>> pkg: Repository FreeBSD cannot be opened. 'pkg update' required
>>>> Updating database digests format: 100%
>>>> pkg: No packages available to install matching 'firefox' have been found in the repositories
>>>>
>>>> Just for the record, could someone knowledgeable please post the real, current list of required config files and their contents OR a pointer to known-good+complete documentation?
>>>>
>>>> Thanks!
>>>
>>> Please show us the following output
>>>
>>> $ pkg info pkg
>>
>> [momcat:root]~ pkg info pkg
>> pkg-1.3.8_3
>> Name : pkg
>> Version: 1.3.8_3
>> Installed on : Fri Oct 10 07:57:56 EDT 2014
>> Origin : ports-mgmt/pkg
>> Architecture : freebsd:9:x86:64
>> Prefix : /usr/local
>> Categories : ports-mgmt
>> Licenses : BSD2CLAUSE
>> Maintainer : port...@freebsd.org
>> WWW: http://wiki.freebsd.org/pkgng
>> Comment: Package manager
>> Shared Libs provided: libpkg.so.3
>> Flat size : 8.18MiB
>> Description: Package management tool
>> WWW: http://wiki.freebsd.org/pkgng
>>
>>> and from next command everything from Repositories: to the end (last ~10 lines)
>>>
>>> $ pkg -vv
>>
>> Repositories:
>>   FreeBSD: {
>>     url : "pkg+http://pkg.freebsd.org/freebsd:8:x86:64/latest",
>>     enabled : yes,
>>     mirror_type : SRV,
>>     signature_type : FINGERPRINTS,
>>     fingerprints: /usr/share/keys/pkg
>>   }
>>
>> 13:41 Fri, 10 Oct [momcat:root]~
>
> There is an architecture mismatch, your pkg claims to be a 9.x package and your repo wants to install 8.x packages.
>
> I suspect this is an upgraded system that has manual changes in the repo file.
>
> Locate the file /etc/pkg/FreeBSD.conf and make sure it looks like the following lines (the variable ${ABI} instead of freebsd:8:x86:64) (it is possible a correct copy exists in /usr/src/etc/pkg/FreeBSD.conf)
>
> FreeBSD: {
>   url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
>   mirror_type: srv,
>   signature_type: fingerprints,
>   fingerprints: /usr/share/keys/pkg,
>   enabled: yes
> }
>
> after fixing the repo run
>
> $ pkg update -f

I had it as ${ABI} to begin with, but had no luck that way either (see below). Then I changed it, unaware that that first 8 was the version, or even that there are o/s version-dependent versions of pkg.

14:25 Fri, 10 Oct [momcat:root]/etc/pkg cat FreeBSD.conf
FreeBSD: {
  url: "pkg+http://pkg.freebsd.org/${ABI}/latest",
  enabled: true,
  signature_type: fingerprints,
  fingerprints: /usr/share/keys/pkg,
  mirror_type: srv
}

14:25 Fri, 10 Oct [momcat:root]/etc/pkg pkg update -f
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
Fetching meta.txz: 100% 968 B 1.0k/s00:01
pkg: Error loading trusted certificates
pkg: repository FreeBSD has no meta file, using default settings
Fetching digests.txz: 100%2 MB 119.8k/s00:17
pkg: Error loading trusted certificates
pkg: Unable to update repository FreeBSD

14:25 Fri, 10 Oct [momcat:root]/etc/pkg
Re: PKG not quite ready for prime time
On Fri, Oct 10, 2014, at 13:29, Auld Besom wrote:
> I had it as ${ABI} to begin with, but had no luck that way either (see below). Then I changed it, unaware that that first 8 was the version, or even that there are o/s version-dependent versions of pkg.

Pkg itself is compiled, not interpreted like Yum which is Python, so it does matter. And you of course want to ensure you're installing packages built for FreeBSD 9 on your FreeBSD 9 server.

The next error you're seeing is this:

pkg: Error loading trusted certificates

This is due to your missing certificates in /usr/share/keys/pkg which are required due to your repository having:

signature_type: fingerprints,
fingerprints: /usr/share/keys/pkg,

You could remove those lines to work around that, but you are lowering the security of your system as you cannot verify the integrity of your packages anymore. The fix is to populate your /usr/share/keys/pkg. I do not know why it did not come populated after your upgrade, but that's a discussion for another day.

Let's get your keys:

# mkdir -p /usr/share/keys/pkg/trusted /usr/share/keys/pkg/revoked
# fetch -o /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 "https://svnweb.freebsd.org/base/head/share/keys/pkg/trusted/pkg.freebsd.org.2013102301?revision=260605&view=co"
# chown root:wheel /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301
# chmod 644 /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301

If you have problems with fetch because of the https you might have to use --no-verify-peers but at least compare the certificate and/or ensure the contents of the key match what's in the repository.
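An added example, not part of the thread or of pkg itself: a POSIX sh preflight check for the two faults diagnosed in the messages above (a repository url pinned to the wrong ABI, and signature_type fingerprints with no usable files under the trusted directory), plus a digest comparison for a key file fetched without TLS verification. The function names, the sample config, the placeholder fingerprint value and the assumed `fingerprint: "<hex>"` file layout are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed.

# repo_value CONF KEY: print KEY's value from a one-key-per-line repo config.
repo_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[",;]//g; s/[[:space:]]*$//' | head -n 1
}

# file_sha256 FILE: hex digest via FreeBSD sha256(1), else sha256sum(1).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d ' ' -f 1
    fi
}

# key_matches FILE EXPECTED: succeed only if FILE hashes to EXPECTED, a digest
# obtained out of band (the check to make after a fetch that skipped TLS
# verification, as in the --no-verify-peers case mentioned in the message).
key_matches() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# audit_repo CONF ABI: print findings; exit status is the number of problems.
audit_repo() {
    conf=$1; abi=$2; problems=0
    url=$(repo_value "$conf" url)
    sigtype=$(repo_value "$conf" signature_type | tr 'A-Z' 'a-z')
    fpdir=$(repo_value "$conf" fingerprints)

    # Either the ${ABI} variable or this host's own ABI must be in the url.
    case $url in
        *'${ABI}'*|*"/$abi/"*) ;;
        *) echo "ABI: url $url does not serve $abi"
           problems=$((problems + 1)) ;;
    esac

    if [ "$sigtype" != fingerprints ]; then
        echo "SIG: signature_type is '${sigtype:-unset}', no fingerprint check"
        problems=$((problems + 1))
    else
        valid=0
        for f in "$fpdir"/trusted/*; do
            [ -f "$f" ] || continue
            # Assumed file layout: a 'fingerprint: "<64 hex digits>"' line.
            if grep -Eq '^fingerprint:[[:space:]]*"?[0-9a-fA-F]{64}"?' "$f"; then
                valid=$((valid + 1))
            fi
        done
        if [ "$valid" -eq 0 ]; then
            echo "KEYS: nothing usable in $fpdir/trusted (Error loading trusted certificates)"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# write_conf FILE URL KEYDIR: constructed sample config in the thread's layout.
write_conf() {
    printf 'FreeBSD: {\n  url: "%s",\n  mirror_type: "srv",\n  signature_type: "fingerprints",\n  fingerprints: "%s",\n  enabled: yes\n}\n' "$2" "$3" > "$1"
}

# demo: audit a broken and a repaired setup built in a temp dir.
demo() {
    d=$(mktemp -d)
    write_conf "$d/broken.conf" \
        'pkg+http://pkg.FreeBSD.org/freebsd:8:x86:64/latest' "$d/nokeys"
    write_conf "$d/fixed.conf" \
        'pkg+http://pkg.FreeBSD.org/${ABI}/latest' "$d/keys"
    mkdir -p "$d/keys/trusted" "$d/keys/revoked"
    # Constructed placeholder, not the real FreeBSD fingerprint.
    printf 'function: "sha256"\nfingerprint: "%s"\n' \
        0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
        > "$d/keys/trusted/example.key"
    rc_broken=0; audit_repo "$d/broken.conf" freebsd:9:x86:64 || rc_broken=$?
    rc_fixed=0; audit_repo "$d/fixed.conf" freebsd:9:x86:64 || rc_fixed=$?
    rm -rf "$d"
    echo "broken=$rc_broken fixed=$rc_fixed"
}

demo
```

On a real host the call would be `audit_repo /etc/pkg/FreeBSD.conf "$(pkg config ABI)"`, run as a read-only check before `pkg update -f`.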
Re: PKG not quite ready for prime time
On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>> find /usr/share/keys/pkg -exec sha256 {} +
> No such file

That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.

You are missing this:
https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc

freebsd-update can provide it.

--
Regards,
Bryan Drewery
Re: PKG not quite ready for prime time
On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>> find /usr/share/keys/pkg -exec sha256 {} +
>> No such file
>
> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>
> You are missing this:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>
> freebsd-update can provide it.

Ahh, good point. This is better advice. Even if your system was supposedly fully up to date freebsd-update would detect this is missing and repair it as it was part of an SA. This is better advice than my manual creation method :-)
Re: PKG not quite ready for prime time
On Fri, Oct 10, 2014 at 11:55 AM, Mark Felder f...@freebsd.org wrote:
> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>> No such file
>>
>> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>>
>> You are missing this:
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>
>> freebsd-update can provide it.
>
> Ahh, good point. This is better advice. Even if your system was supposedly fully up to date freebsd-update would detect this is missing and repair it as it was part of an SA. This is better advice than my manual creation method :-)

I'm glad that Mark managed to get an answer to this question. But could pkg be adapted to help uninitiated users to discover this for themselves on the spot?

Royce
Re: PKG not quite ready for prime time
Mark Felder wrote:
> On Fri, Oct 10, 2014, at 14:47, Bryan Drewery wrote:
>> On 10/10/2014 1:12 PM, scratch65...@att.net wrote:
>>> On Fri, 10 Oct 2014 12:57:42 -0500, Brian Drewery wrote:
>>>> find /usr/share/keys/pkg -exec sha256 {} +
>>> No such file
>>
>> That's your problem. You are missing the signature fingerprints to compare against. As such Pkg is refusing to do anything to prevent MITM attacks.
>>
>> You are missing this:
>> https://www.freebsd.org/security/advisories/FreeBSD-EN-14:03.pkg.asc
>>
>> freebsd-update can provide it.
>
> Ahh, good point. This is better advice. Even if your system was supposedly fully up to date freebsd-update would detect this is missing and repair it as it was part of an SA. This is better advice than my manual creation method :-)

Didn't on mine, I ran into the same problem - though it wasn't a show stopper for me as I was trying to use my own repo - which also failed using the docs... and nothing in the debug gave any clues or additional information to the problem.

Fortunately, I can read/write code, so I fixed things myself.

Michelle

(and people wonder why I hadn't switched to pkgng by Sept 1.. but it was deemed thou shalt use it whether you like it or not)

--
Michelle Sullivan
http://www.mhix.org/