Re: pkg check --recompute and apache24 deleted files

[Rafal Lukawiecki]

For what it may be worth, I have submitted a bug report about this unexpected 
behaviour of pkg check --recompute. See 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226048 
 

Rafal

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: pkg check --recompute and apache24 deleted files

[Rafal Lukawiecki]

> On 16 Feb 2018, at 00:00, Ernie Luzar  wrote:
> 
> Hi Rafal;
> 
> I also delete the /usr/local/www/apache24/cgi-bin directory as a
> security leak because I don't use the cgi-bin method.
> 
> I noticed this pkg checksum test came into being after the 11.1-p4
> security update.
> 
> As you have shown, this security update is only highlighting the user
> customizing of installed ports/packages. These types of customization
> are not things that need security warnings.
> 
> This is part of the daily security run report.
> /usr/local/etc/periodic/security/460.pkg-checksum
> 
> To make this stop add;
> security_status_pkgchecksum_enable="NO"
> to /etc/periodic.conf

Thank you, Ernie, this is very helpful—and I fully agree with you that 
reporting our intended customisations, especially as they have been intended to 
improve security, as security warnings is not helpful unless it can be 
disabled. Your solution, if I understood it, will disable checksum 
verification. However, I think it is valuable having it on for “everything 
else” that might be surreptitiously changed and that I may be unaware of. 
Ideally, I would like to switch it off just for the Apache, or other specified 
packages. Which is why I hoped pkg check --recompute would do that. Maybe it is 
a bug/missing functionality in pkg check --recompute?

Rafal
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"