# hashicorp vault



## andrewm659 (Aug 13, 2020)

I am running FreeBSD 12.1 and I am getting ready to install hasicorp vault into a jail.  However when I go to install it, version 1.4.1 is what is available.  But when I search ports version 1.5.0 is what is available.  Has it not been updated in the pkg repos yet?  Just curious.






						FreeBSD Ports Search
					






					www.freebsd.org


----------



## T-Daemon (Aug 13, 2020)

andrewm659 said:


> Has it not been updated in the pkg repos yet?



Not on _quarterly,_ but on _latest_ ( see "_Packages_" ) :






						FreshPorts -- security/vault: Tool for securely accessing secrets
					

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.




					www.freshports.org


----------



## Mjölnir (Aug 13, 2020)

Unfortunately, the handbook is missing to teach the information how to use the _quarterly_ ports branch vs. using _head_ -- aka _latest_ in pkg world.  portsnap(8) uses _latest_ & can not download the _quarterly_ branch.  You can use Subversion to do that.  If you do not want to delete the existing ports tree under /usr/ports, you can download _quarterly_ to another directory, e.g. add a suffix -YYYYQx.
`mkdir /usr/ports-2020Q3`
`cd /usr && ln -s ports-2020Q3 quarterly && cd -`
`/usr/bin/nohup svnlite checkout https://svn.FreeBSD.org/ports/branches/2020Q3 /usr/ports-2020Q3 &`
`less nohup.out`


----------



## T-Daemon (Aug 13, 2020)

mjollnir said:


> Unfortunately, the handbook is missing to teach the information how to use the _quarterly_ ports branch vs. using _head_ -- aka _latest_ in pkg world. portsnap(8) uses _latest_ & can not download the _quarterly_ branch. You can use Subversion to do that.



For the time being the 2020Q3 quarterly security/vault port is on version 1.4.1. It won't do any good to pull in a quarterly ports tree now. If the quarterly port is updated a package is build for repository a few days later, then there is no need to build it yourself. That is, the quarterly port will be updated only if there is a security vulnerability to fix, or a bug, or the ports compliance/framework changes. If not, the version won't change until 2020Q4.

*andrewm659* you could file a bug report to force the issue to update the quarterly port on grounds of vulnerability fixes ( version 1.4.2 ), numerous bug fixes, and improvements. To justify the issue point to the  changelog, eventually provide a patch.

Or simpler, if it doesn't interfere with any requirements, change to latest repository.


----------



## andrewm659 (Aug 13, 2020)

Thanks for responses on this!  I know that I have done this using Debian Linux, but is there a way to do pinning the with the repository?  Where you can pick and choose what apps are updated to the latest?


----------



## Mjölnir (Aug 13, 2020)

RTFM `pkg help lock`, ports-mgmt/portconf and I forgot how to pin a port to a specific version...


----------



## andrewm659 (Aug 13, 2020)

This is what I was referring to -
_View: https://www.reddit.com/r/freebsd/comments/awlzb6/quarterly_vs_latest/_


----------



## Mjölnir (Aug 13, 2020)

You will have to solve runtime dependency issues.  Thus, you'll need some type of sandboxing.  TrueOS had a means to install application-bundles, i.e. each application bundles it's specific versions of foreign libraries it depends on, and the wrapper to fire up that application sets all neccessary environment knobs.


----------



## acheron (Aug 13, 2020)

mjollnir said:


> You will have to solve runtime dependency issues.


It's a go app


----------



## T-Daemon (Aug 13, 2020)

andrewm659 said:


> I know that I have done this using Debian Linux, but is there a way to do pinning the with the repository? Where you can pick and choose what apps are updated to the latest?



There is no such function on FreeBSD. What *mjollnir* suggests with `pkg lock` would mean tracking the latest repository and locking certain packages to a certain version to prevent them being updated/upgraded . The reverse, tracking quarterly and updating/upgrading certain packages to latest is not intended nor advised, therefore no such functionality is provided ( in theory you can force latest packages besides quarterly installed packages, but that would mean asking for trouble ).

That reddit procedure of the OP there won't work ( Besides the fact the -R option doesn't exist, it's -r, and the repository name is not provided. A ( incomplete ) path to a repository file is not a valid repository name. ).

You have two options, change to latest repository or if you want to track the default quarterly repository ( "a more predictable and stable experience for port and package installation and upgrades" ) file a bug report. If you ask why file a bug report, the maintainer seems not to track the quarterly port, maybe unaware it's being left  on 1.4.1, behind a necessary update ( I refer to the vulnerability fixes in 1.4.2 ). The current port, 1.5.0 version, is updated on July 24th, the quarterly 1.4.1 on July 2, version 1.4.3 is skipped on quarterly, that suggests the quarterly port might not be updated until 2020Q4 ( packages from the repositories are build from those ports ).

Tracking the quarterly repository doesn't mean you are on the save side, as you can see with the 1.4.1 version being left vulnerable. The latest repository is as good as the quarterly. On both it's advised, particularly on production systems, to check for security updates or bugs of the installed packages yourself upstream, then, if the port is not updated/upgraded within a reasonable time, file a bug report.


----------



## andrewm659 (Aug 13, 2020)

This is exactly the answer I was looking for!  Thank you.


----------



## swills@ (Aug 15, 2020)

I tend not to MFH updates to vault, figuring that folks on quarterly want fewer updates, but I can if there's demand


----------



## T-Daemon (Aug 15, 2020)

swills@ said:


> I tend not to MFH updates to vault, figuring that folks on quarterly want fewer updates, but I can if there's demand



Please do update on quarterly to version 1.5.0. Version 1.4.1 has some security issues ( corrected with version 1.4.2 ), see the changelog. Also bug fixes and improvements up to 1.5.0 deserve an update. And thank you for maintaining the port.


----------



## swills@ (Aug 15, 2020)

Done


----------

