# erroneous charlie root warnings



## apolinsky (Feb 23, 2014)

Fairly recently I converted from the old package repository to the new one. I used `pkg2ng` to convert the old entries. Since that time I have been getting messages from 'Charlie Root' on a nightly basis warning me to upgrade two packages with security problems, referencing Thunderbird and PostgreSQL, even though I have already upgraded to the corrected versions. I am assuming, though I might be wrong, that I may have missed some step in the conversion. I am running FreeBSD 8.4. I did run `pkg clean` and `pkg autoremove` after the conversion. Can someone suggest what I missed?

Thank you.

Alan


----------



## junovitch@ (Feb 24, 2014)

My first thought is to check if something like ports-mgmt/portaudit or ports-mgmt/jailaudit is installed.  Last I checked, they looked at directories under /var/db/pkg while pkg just uses the /var/db/pkg/local.sqlite database.  The extra directories can be archived or removed after upgrading to pkg.

If you don't have either of those packages installed, are you absolutely sure you are using good versions?  Both software packages you mentioned have vulnerabilities from the past month.  The "charlie root" warnings you mentioned are just what gets fired off by the periodic scripts that run security checks daily, specifically /usr/local/etc/periodic/security/410.pkg-audit which calls `pkg audit`.  So if the command `pkg audit` says they are vulnerable, then pkg thinks they are based off its database.


----------



## apolinsky (Feb 24, 2014)

Thank you very much. I was aware that `pkg` just uses the local.sqlite database. When I converted to pkg after all the steps, I did not remove anything from the /var/db/pkg directory. My Thunderbird and PostgreSQL server have been upgraded. I'll remove the extraneous files tonight.

Alan


----------



## wblock@ (Feb 24, 2014)

portmaster(8) keeps some distfile information in the port directories in /var/db/pkg, but it probably does no harm to remove them.  I've just been removing all the data files that start with a + in the subdirectories.


----------



## junovitch@ (Feb 24, 2014)

Again, those extra directories under /var/db/pkg were only used by ports-mgmt/portaudit or ports-mgmt/jailaudit for auditing purposes last I checked (it's been a while though), along with portmaster.  Since you have switched, those packages can be removed.  You don't have to remove those directories but you can.


----------
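One way to inventory and archive the leftover old-format records discussed in this thread before removing anything, as an added example that is not from any of the posters. The script name, the constructed sample tree and the refusal to run when `local.sqlite` is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Inventories and archives legacy
# "+"-prefixed metadata under a package db directory; it deletes nothing.

# Print subdirectories of $1 that still hold "+"-prefixed files, sorted.
list_legacy_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -maxdepth 1 -type f -name '+*' | head -n 1)" ]; then
            basename "$d"
        fi
    done | sort
}

# Archive every "+"-prefixed file under $1 into tarball $2 and print how many
# were stored. Refuses to run when $1/local.sqlite is missing, since the old
# records would then be the only package database present (assumed safeguard).
archive_legacy_files() {
    dbdir=$1 tarball=$2
    [ -f "$dbdir/local.sqlite" ] || { echo "no local.sqlite in $dbdir" >&2; return 1; }
    list=$(mktemp "${TMPDIR:-/tmp}/legacy.XXXXXX") || return 1
    (cd "$dbdir" && find . -mindepth 2 -maxdepth 2 -type f -name '+*' | sort) > "$list"
    count=$(wc -l < "$list" | tr -d ' ')
    [ "$count" -eq 0 ] || tar -cf "$tarball" -C "$dbdir" -T "$list"
    rm -f "$list"
    echo "$count"
}

# Build a constructed sample tree (directory names and versions are made up).
make_sample_db() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/pkgdb.XXXXXX") || return 1
    mkdir -p "$root/thunderbird-0.0" "$root/postgresql-server-0.0" "$root/portmaster-0.0"
    : > "$root/local.sqlite"
    : > "$root/thunderbird-0.0/+CONTENTS"
    : > "$root/thunderbird-0.0/+COMMENT"
    : > "$root/thunderbird-0.0/distfiles"
    : > "$root/postgresql-server-0.0/+CONTENTS"
    : > "$root/portmaster-0.0/distfiles"
    echo "$root"
}

# Usage (hypothetical script name): sh legacy-pkgdb.sh /var/db/pkg /root/pkgdb-legacy.tar
if [ $# -eq 2 ]; then
    list_legacy_dirs "$1"
    archive_legacy_files "$1" "$2"
fi
```

Files that do not start with `+` are left out of the archive and nothing is removed from the directory, so the listing can be compared against `pkg audit` output before any cleanup.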

