# [Help] port installation stopped due to dependency with vulnerabilities



## revivaloflostart (Aug 9, 2018)

Hi guys,
I'm new to FreeBSD and ports in generally so hopefully someone can help guide me through this the right way.

port I was installing: audio/supercollider
command I ran: `portmaster audio/supercollider`

After finished selecting all the options, it started compiling and installing, however, the process stopped when it found a vulnerability in a dependency. After which the system said I could continue the install process where I left off by using the command it saved in /tmp/portmasterfail.txt 

here is the content of the file:
[_Mod: URL removed_]

How exactly do I continue the install without making a mess of everything? I'm assuming a lot of the other dependencies already got installed?

I tried making a shell script with the content of that portmasterfail.txt and put a #!/bin/sh in the first line and made the script executable with +x, but it said cannot open flags: no such file or directory  ..... probably due to the <flag> in portmasterfail.txt. so do i just remove <flag> and run it? and how does that differ to just simply running portmaster audio/supercollider again? (then again, aren't some stuff already installed? is this even ok to do?)

1. this is the correct way to continue the install if i want to ignore the vulnerabilities right?
`portmaster -m DISABLE_VULNERABILITIES=yes -a audio/supercollider`

2.  but what do I do if I want to just remove and undone whatever was already installed by supercollider before it found out there was a vulnerabilities in one of the dependencies?


----------



## SirDice (Aug 9, 2018)

Can't read the link, SSL errors and MalwareBytes is throwing a fit on that URL. So I removed it from your post.



revivaloflostart said:


> the process stopped when it found a vulnerability in a dependency.


_Which_ dependency?



revivaloflostart said:


> but what do I do if I want to just remove and undone whatever was already installed by supercollider before it found out there was a vulnerabilities in one of the dependencies?


`pkg autoremove`


----------



## ShelLuser (Aug 9, 2018)

First of all: don't forget that manual pages exist. The `man ports` command will point you to the ports(7) manual page which lists all the build targets you may need. And some environmental settings, amongst which:

```
DISABLE_VULNERABILITIES
                       If defined, disable check for security vulnerabilities
                       using pkg-audit(8) when installing new ports.
```
Of course the error message(s) you got during the build should also have informed you about this.



revivaloflostart said:


> After finished selecting all the options, it started compiling and installing, however, the process stopped when it found a vulnerability in a dependency. After which the system said I could continue the install process where I left off by using the command it saved in /tmp/portmasterfail.txt


This is why it's also important to keep a logfile. I always use: `# portmaster <port> |& tee build.log` (using the C Shell), so that you can then check the build.log file for any possible causes if something goes wrong.

As said: the error output will also tell you how you can fix your problems.



revivaloflostart said:


> How exactly do I continue the install without making a mess of everything? I'm assuming a lot of the other dependencies already got installed?


Don't assume anything. Check your logs. By default pkg will log the installation ("addition") of packages, you can check /var/log/messages for that. Another good source is looking into /tmp/portmasterfail.txt which will show you exactly which port(s) are still on the "todo list" of your installation run.

First you need to determine which port caused this. Generally speaking this is often the first port mentioned in /tmp/portmasterfail.txt. Warning: I said _generally_ speaking, meaning that this isn't always the case.

Next you need to determine for yourself if you really want that possibly vulnerable port installed. If so then use the build property I mentioned above. I'd personally recommend installing the port manually (using the old fashioned way of `# make DISABLE_VULNERABILITIES=yes install clean`).

After that is done you can then use /tmp/portmasterfail.txt. One way to do this is to remove the portmaster command itself (and the flag setup) as well as the port you manually installed. Then simply run: `# portmaster `cat /tmp/portmasterfail.txt`` and the installation process should easily continue.

But I strongly suggest that you don't run portmaster without a log: `portmaster <port> |& tee build.log` on csh and/or `portmaster <port> 2>&1 | tee build.log` for an sh environment. (the extra addition(s) makes sure that tee will also capture the output of /dev/stderr which is usually where you'll get any error messages).

(edit)

What FreeBSD version are you using and what port caused the vulnerability error? I'm wondering because I got curious and then tried running this: `# for a in `make all-depends-list | cut -d '/' -f4-`; do pkg audit -q $a; done` within the audio/supercollider directory, however it turned up empty. Considering the huge dependency list it's probably a dependency somewhere, but it still left me curious.


----------



## revivaloflostart (Aug 10, 2018)

I'm running 11.2
it's one of the "lib" dependencies, not sure which one though (should've written it down)
https://www.freshports.org/audio/supercollider
there's quite a few listed, but libsndfile seems familiar (i'm not positive though) 

anyone adventurous enough to try installing and figuring out exactly which dependency it was? 

by the way, is this a common occurrence at all? and is there any way to prevent running into this issue in the future?
something similar to pkg audit -F, but instead of checking all your installed packages, checks for all the dependencies of a package prior to installing? i mean, the fact that it detected it as a package having vulnerabilities means that it's already a package that's been flagged, shouldn't there be a way to check ahead of time?


----------



## ShelLuser (Aug 10, 2018)

revivaloflostart said:


> by the way, is this a common occurrence at all? and is there any way to prevent running into this issue in the future?


Well, it is common in the sense that it can happen more often. But it's not common enough to happen a lot on my setup.



revivaloflostart said:


> something similar to pkg audit -F, but instead of checking all your installed packages, checks for all the dependencies of a package prior to installing?


I gave you a solution for that in my previous post. Of course that doesn't recurse into more dependencies, but it should be adjustable for that.

Even so, this is avoidable by relying on binary packages and not ports. Of course you can permanently set up certain build properties in /etc/make.conf but I strongly suggest against that because warnings like these are given for a good reason and are best not ignored.

Anyway, I usually never prepare for this up front and simply let the build process run and detect them. Then I decide on a per-port basis if I really want to go through with it.


----------

