# Fixing Vulnerabilities



## markbsd (Nov 18, 2013)

Please see the results of my `pkg audit -F`:


```
# pkg audit -F
auditfile.tbz                          100%   91KB  90.7KB/s  80.7KB/s   00:01
gnupg-2.0.20_1 is vulnerable:
gnupg -- possible infinite recursion in the compressed packet parser

WWW: http://portaudit.FreeBSD.org/749b5587-2da1-11e3-b1a9-b499baab0cbe.html

gstreamer-ffmpeg-0.10.13 is vulnerable:
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav

WWW: http://portaudit.FreeBSD.org/4d087b35-0990-11e3-a9f4-bcaec565249c.html

libgcrypt-1.5.2 is vulnerable:
GnuPG and Libgcrypt -- side-channel attack vulnerability

WWW: http://portaudit.FreeBSD.org/689c2bf7-0701-11e3-9a25-002590860428.html

py27-pycrypto-2.6_1 is vulnerable:
pycrypto -- PRNG reseed race condition

WWW: http://portaudit.FreeBSD.org/c0f122e2-3897-11e3-a084-3c970e169bc2.html

4 problem(s) in your installed packages found.
#
```

How do I go about securing these vulnerabilities? Thanks.


----------



## wblock@ (Nov 18, 2013)

Update your ports and build the new versions.


----------



## markbsd (Nov 18, 2013)

Thanks @wblock@. I'm trying to figure out how to do this now. Could you please just give me the command(s) to do this? I've been reading:


http://www.wonkity.com/~wblock/docs/html/portupgrade.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pkgng-intro.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading-freebsdupdate.html
http://lists.freebsd.org/pipermail/freebsd-questions/2012-February/237901.html
http://www.asep.us/2013/06/30/how-to-update-freebsd-software-package/

Among a few other pages and am not sure what exactly to do!

I also keep getting this error:


```
gtk2-2.24.19_2.txz                     100% 6432KB 428.8KB/s 661.7KB/s   00:15    
firefox-25.0_1,1.txz                   100%   24MB 654.5KB/s   1.1MB/s   00:37    
Checking integrity...pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/a2p with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/c2ph with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/config_data with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/corelist with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpan with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpan2dist with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpanp with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/cpanp-run-perl with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/enc2xs with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/find2perl with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/h2ph with:
	- perl5-5.16.3_2

<snip>
```

When I try to `pkg install` firefox or xombrero!

By the way, I don't want to upgrade by building ports. I want to perform the upgrade by installing the binary packages. If you can please provide me with the commands I need to input I will be very grateful. Thank you.


----------



## markbsd (Nov 18, 2013)

For an example of some of the things I've been trying and the problems I have encountered:


```
# pkg info perl
perl-5.14.4
# portupgrade -iRP perl
Packages are not yet suported. Use pkg(8) directly.
# pkg upgrade -iRP perl
pkg: illegal option -- i
usage: pkg upgrade [-fInFqUy] [-r reponame]
# pkg upgrade perl
usage: pkg upgrade [-fInFqUy] [-r reponame]
```

As you can see, I don't know what I'm doing!


----------



## markbsd (Nov 18, 2013)

The strange thing is, this is a brand new install on a virtual machine and all the packages have been installed in the last 48 hours. How is it they need upgrading?


----------



## wblock@ (Nov 18, 2013)

I have not used pkg enough to be very familiar with it yet.  However, it is certain that pkg does not take the same options as portupgrade.  I recommend not using portupgrade anyway.  ports-mgmt/portmaster is preferred, and should be able to upgrade with binary packages with the -P and -PP options.

/usr/ports/UPDATING often shows exactly the commands needed to update, in three different versions depending on what is being used.  There is one for Perl.

The "locally installed" messages are probably because the old package tools (pkg_*, note the underscore) were mixed with new pkg tools.  That's probably fixable by forcing a deinstall of the old one, or forcing an install of the new one.


----------



## wblock@ (Nov 18, 2013)

markbsd said:

> The strange thing is, this is a brand new install on a virtual machine and all the packages have been installed in the last 48 hours. How is it they need upgrading?



If I may use a sandwich analogy: packages are pre-made, frozen, and shipped to stores where they are thawed and served to customers.  They may be only a day old, or maybe a week.  Packages that come with install media were built on or before the release date, and are already a little old.  Or maybe a lot.

Ports, on the other hand, are made fresh, to-order (linked with the libraries already on the machine, with correctly-optimized instructions), using ingredients that have just been delivered (with `portsnap` or `svn`).


----------



## markbsd (Nov 18, 2013)

```
# pkg version -vIL=
apache22-2.2.25                    <   needs updating (index has 2.2.25_1)
aspell-0.60.6.1_2                  <   needs updating (index has 0.60.6.1_3)
ca_root_nss-3.15.1                 <   needs updating (index has 3.15.2_1)
cairo-1.10.2_5,2                   <   needs updating (index has 1.10.2_6,2)
cantarell-fonts-0.0.13             <   needs updating (index has 0.0.15)
curl-7.31.0_1                      <   needs updating (index has 7.33.0_1)
cyrus-sasl-2.1.26_2                <   needs updating (index has 2.1.26_3)
dejavu-2.33                        <   needs updating (index has 2.34)
desktop-file-utils-0.21            <   needs updating (index has 0.22_1)
dmidecode-2.11                     <   needs updating (index has 2.12)
enchant-1.6.0_1                    <   needs updating (index has 1.6.0_2)
esound-0.2.41_1                    <   needs updating (index has 0.2.41_2)
evolution-data-server-2.32.1_4     <   needs updating (index has 2.32.1_5)
ffmpeg-0.7.15,1                    <   needs updating (index has 2.1,1)
fontconfig-2.10.93,1               <   needs updating (index has 2.10.95,1)
freetype2-2.4.12_1                 <   needs updating (index has 2.5.0.1)
gettext-0.18.3                     <   needs updating (index has 0.18.3.1)
gmp-5.1.2                          <   needs updating (index has 5.1.3)
gnome-icon-theme-2.31.0_3          <   needs updating (index has 3.6.2)
gnome2-2.32.1_4                    <   needs updating (index has 2.32.1_5)
gnupg-2.0.20_1                     <   needs updating (index has 2.0.22)
gnutls-2.12.23_1                   <   needs updating (index has 2.12.23_2)
gobject-introspection-1.36.0_1     <   needs updating (index has 1.36.0_2)
gpac-libgpac-0.4.5_6,1             <   needs updating (index has 0.5.0,1)
gpgme-1.3.2                        <   needs updating (index has 1.4.3)
gstreamer-ffmpeg-0.10.13           <   needs updating (index has 0.10.13_1)
gtar-1.26                          <   needs updating (index has 1.27)
gtk-2.24.19_1                      <   needs updating (index has 2.24.19_2)
gtkglext-1.2.0_11                  <   needs updating (index has 1.2.0_12)
gtkmm-2.24.2_1                     <   needs updating (index has 2.24.4)
hal-0.5.14_20                      <   needs updating (index has 0.5.14_22)
iso-codes-3.43                     <   needs updating (index has 3.46)
libSM-1.2.1,1                      <   needs updating (index has 1.2.2,1)
libX11-1.6.0,1                     <   needs updating (index has 1.6.2,1)
libXaw-1.0.11,2                    <   needs updating (index has 1.0.12,2)
libXfont-1.4.5,1                   <   needs updating (index has 1.4.6,1)
libXmu-1.1.1,1                     <   needs updating (index has 1.1.2,1)
libXpm-3.5.10                      <   needs updating (index has 3.5.11)
libXrandr-1.4.1                    <   needs updating (index has 1.4.2)
libXv-1.0.9,1                      <   needs updating (index has 1.0.10,1)
libassuan-2.0.3                    <   needs updating (index has 2.1.1)
libaudiofile-0.2.7                 <   needs updating (index has 0.3.6)
libdiscid-0.2.2_1                  <   needs updating (index has 0.6.1)
libgcrypt-1.5.2                    <   needs updating (index has 1.5.3)
libgnome-keyring-2.32.0_5          <   needs updating (index has 2.32.0_6)
libgphoto2-2.4.14_3                <   needs updating (index has 2.4.14_4)
libgsf-1.14.27                     <   needs updating (index has 1.14.28)
libidn-1.27                        <   needs updating (index has 1.28_1)
libltdl-2.4.2                      <   needs updating (index has 2.4.2_2)
libmpeg2-0.5.1_1                   <   needs updating (index has 0.5.1_3)
libmusicbrainz-3.0.3_2             <   needs updating (index has 3.0.3_3)
libpciaccess-0.13.1_3              <   needs updating (index has 0.13.2)
libpthread-stubs-0.3_3             <   needs updating (index has 0.3_4)
libtasn1-2.14                      <   needs updating (index has 3.3)
libvpx-1.1.0                       <   needs updating (index has 1.2.0)
lsof-4.88.d,8                      <   needs updating (index has 4.88.e_1,8)
nspr-4.10                          <   needs updating (index has 4.10.1)
nss-3.15.1                         <   needs updating (index has 3.15.2)
opencv-core-2.3.1_7                <   needs updating (index has 2.3.1_9)
openldap-client-2.4.35             <   needs updating (index has 2.4.37)
orc-0.4.17                         <   needs updating (index has 0.4.18)
p11-kit-0.16.3                     <   needs updating (index has 0.20.1)
p5-IO-Socket-IP-0.22               <   needs updating (index has 0.24)
p5-IO-Socket-SSL-1.953             <   needs updating (index has 1.960)
p5-Socket-2.011                    <   needs updating (index has 2.013)
p5-Time-HiRes-1.9725,1             <   needs updating (index has 1.9726,1)
p5-XML-LibXML-2.0018,1             <   needs updating (index has 2.0106_1,1)
p5-XML-SAX-0.99                    <   needs updating (index has 0.99_1)
pciids-20130718                    <   needs updating (index has 20131110)
perl-5.14.4                        <   needs updating (index has 5.14.4_2)
pixman-0.30.0                      <   needs updating (index has 0.30.2)
pkg-1.1.4_8                        <   needs updating (index has 1.1.4_9)
pkgconf-0.9.2_1                    <   needs updating (index has 0.9.3)
portupgrade-2.4.11,2               <   needs updating (index has 2.4.11.2_1,2)
py27-cairo-1.8.10_1                <   needs updating (index has 1.10.0_1)
py27-gtk-2.24.0_1                  <   needs updating (index has 2.24.0_2)
py27-pycrypto-2.6_1                <   needs updating (index has 2.6.1)
python27-2.7.5_1                   <   needs updating (index has 2.7.5_4)
samba36-libsmbclient-3.6.17        <   needs updating (index has 3.6.20)
seahorse-2.32.0_9                  <   needs updating (index has 2.32.0_10)
speex-1.2.r1_4,1                   <   needs updating (index has 1.2.r1_5,1)
sqlite3-3.7.17_1                   <   needs updating (index has 3.8.0.2)
taglib-1.8                         <   needs updating (index has 1.9.1)
twm-1.0.7                          <   needs updating (index has 1.0.8)
upower-0.9.7_1                     <   needs updating (index has 0.9.7_2)
virtualbox-ose-additions-4.2.16    <   needs updating (index has 4.2.18)
webcamd-3.10.0.7                   <   needs updating (index has 3.11.0.2)
x264-0.125.2201                    <   needs updating (index has 0.136.2358_1)
xauth-1.0.7                        <   needs updating (index has 1.0.8)
xbacklight-1.2.0                   <   needs updating (index has 1.2.1)
xclock-1.0.6_1                     <   needs updating (index has 1.0.7_1)
xf86-video-intel-2.7.1_4           <   needs updating (index has 2.7.1_5)
xf86-video-r128-6.8.4_3            <   needs updating (index has 6.9.2)
xf86-video-vesa-2.3.2              <   needs updating (index has 2.3.3)
xinit-1.3.2,1                      <   needs updating (index has 1.3.3,1)
xinput-1.6.0                       <   needs updating (index has 1.6.1)
xkeyboard-config-2.9               <   needs updating (index has 2.9_1)
xkill-1.0.3                        <   needs updating (index has 1.0.4)
xlsclients-1.1.2                   <   needs updating (index has 1.1.3)
xmodmap-1.0.7                      <   needs updating (index has 1.0.8)
xorg-server-1.7.7_8,1              <   needs updating (index has 1.7.7_11,1)
xprop-1.2.1                        <   needs updating (index has 1.2.2)
xrdb-1.0.9                         <   needs updating (index has 1.1.0)
xset-1.2.2_1                       <   needs updating (index has 1.2.3_1)
xterm-296                          <   needs updating (index has 297)
xwd-1.0.5                          <   needs updating (index has 1.0.6)
#
```
 
I know you prefer portmaster: is `portmaster -DaP` the right command to update the above packages using *packages*, not ports?


----------



## wblock@ (Nov 18, 2013)

It will try, but if the right package is not available, it will build from ports.


----------



## markbsd (Nov 18, 2013)

wblock@ said:

> I have not used pkg enough to be very familiar with it yet.  However, it is certain that pkg does not take the same options as portupgrade.  I recommend not using portupgrade anyway.  ports-mgmt/portmaster is preferred, and should be able to upgrade with binary packages with the -P and -PP options.



Thanks. See above post I just made. I just installed portmaster, so I can now use that if I knew the right command(s)?



> /usr/ports/UPDATING often shows exactly the commands needed to update, in three different versions depending on what is being used.  There is one for Perl.
> 
> The "locally installed" messages are probably because the old package tools (pkg_*, note the underscore) were mixed with new pkg tools.  That's probably fixable by forcing a deinstall of the old one, or forcing an install of the new one.



After my dramas with GNOME, I did this:

1. Deleted virtual image.
2. Created new image.
3. Installed fresh FreeBSD 9.2
4. Ran: `freebsd-update fetch`, `freebsd-update install`, `portsnap fetch`, `portsnap extract`, `portsnap update`
5. Installed GNOME2 with `pkg_add -r gnome2`
6. Ran `/usr/sbin/pkg`
7. Ran `pkg2ng` (according to Handbook, this converts all previously installed pkg_add packages to the new pkg database)
8. Tried to `pkg install xombrero`, but I got the perl error, so ran `make install clean` from www/xombrero
9. Am now trying to update my packages and install firefox via `pkg install`.

So, my machine should be up-to-date and the only package I installed using `pkg_add` was GNOME2, but I then ran the correct command to convert the database. Right?



			
wblock@ said:

> If I may use a sandwich analogy: packages are pre-made, frozen, and shipped to stores where they are thawed and served to customers.  They may be only a day old, or maybe a week.  Packages that come with install media were built on or before the release date, and are already a little old.  Or maybe a lot.
> 
> Ports, on the other hand, are made fresh, to-order (linked with the libraries already on the machine, with correctly-optimized instructions), using ingredients that have just been delivered (with `portsnap` or `svn`).



Ports simply take far too long to build for me. I don't have the luxury of waiting for one port to build when I could literally install a dozen or more packages in that same time.


----------



## markbsd (Nov 18, 2013)

wblock@ said:

> It will try, but if the right package is not available, it will build from ports.



Oh no! Look:


```
# portmaster -DaP
===>>> Package installation support cannot be used with pkgng yet,
       it will be disabled

===>>> Starting check of installed ports for available updates
===>>> Launching child to update pkg-1.1.4_8 to pkg-1.1.4_9

===>>> All >> pkg-1.1.4_8 (1/1)

===>>> Currently installed version: pkg-1.1.4_8
===>>> Port directory: /usr/ports/ports-mgmt/pkg

===>>> Launching 'make checksum' for ports-mgmt/pkg in background
===>>> Gathering dependency list for ports-mgmt/pkg from ports
===>>> No dependencies for ports-mgmt/pkg

===>>> Returning to update check of installed ports

^C
===>>> Exiting due to signal
===>>> Killing background jobs
Terminated
Terminated
Terminated
===>>> Exiting
#
```

Does this mean what I think it means? I simply cannot upgrade packages, I have to use ports? Surely there must be some way to upgrade with packages? Or do I have to again delete this image, make a new one, install FreeBSD again and stick with `pkg_add`? This is killing me!


----------



## wblock@ (Nov 18, 2013)

The first thing it's trying to do is update pkg.  That may improve the situation.  Don't be afraid of ports, most do not take long to build.

Don't go back to pkg_install, that's a dead end.


----------



## kpa (Nov 18, 2013)

There is of course a way to update with packages but that requires new packages that are built and updated at the package repositories. They are now being built but only once a week:

http://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html

You are in luck, it wasn't too long ago when there were no packages available (or some very old packages at best) for any version of FreeBSD because of the fallout from the security incident of Nov 2012 that forced all FreeBSD.org package building systems offline for security review. That, combined with the fact that at the same time there was a major restructuring planned for the FreeBSD.org servers, resulted in no packages at all for almost a year.

http://www.freebsd.org/news/2012-compromise.html


----------



## kpa (Nov 18, 2013)

markbsd said:

> After my dramas with GNOME. I did this:
> 
> 
> Installed GNOME2 with `pkg_add -r gnome2`
> ...



These steps resulted in an awful lot of extra and unnecessary and error-prone work. If you're going to use the new pkg(8) packages anyway then why install anything with pkg_add(1)?

This is what I would have done instead:


1. `/usr/sbin/pkg`
2. `echo 'WITH_PKGNG="YES"' >>/etc/make.conf`
3. `pkg -v` and verify it matches the version of ports-mgmt/pkg, important!!!
4. `pkg update`
5. `pkg install portmaster`
6. `pkg install gnome2` If this fails, try the next step
7. `portmaster x11/gnome2`


----------



## markbsd (Nov 18, 2013)

kpa said:

> These steps resulted in an awful lot of extra and unnecessary and error-prone work. If you're going to use the new pkg(8) packages anyway then why install anything with pkg_add(1)?
> 
> This is what I would have done instead:
> 
> ...



@kpa, don't you remember the thread from yesterday? I couldn't `pkg install gnome2`! That's precisely why I deleted the image, made a new one and reinstalled FreeBSD. So I could install gnome2 as a package with pkg_add! And then convert to pkgng. And, I _do not_ want to install anything via ports if possible -- it takes far too long. So `portmaster x11/gnome2` isn't desirable.

So, basically, I can't update with packages? The only way to update installs on FreeBSD is by using ports?


----------



## markbsd (Nov 18, 2013)

wblock@ said:

> The first thing it's trying to do is update pkg.  That may improve the situation.  Don't be afraid of ports, most do not take long to build.



Update pkg? How, with `pkg update`? That's been done. And ports take an eternity to build -- I quite literally despise them! I don't say that lightly either. For an example, it took 1.5 hours to build xombrero! Xombrero!!! You know how long it takes to install xombrero as a package? *5 minutes*.



> Don't go back to pkg_install, that's a dead end.



But if I don't, ALL updates/upgrades must be done with ports, right?


----------



## Savagedlight (Nov 18, 2013)

markbsd said:

> So, basically, I can't update with packages? The only way to update installs on FreeBSD is by using ports?



I don't know why you're unable to install gnome2. Do execute `# pkg search gnome2` to see if you find the correct package name. Perhaps gnome2-lite is what you're looking for?

As for upgrading all installed packages (when an update is available), this can be done by executing `# pkg upgrade` and then inspect the list of tasks which will be performed.



			
markbsd said:

> Update pkg? How, with `pkg update`?


`# pkg update` just fetches the latest package index. I believe pkg does this automatically when relevant, if the local index is old enough.

EDIT: According to x11/gnome2, it's just a meta-port. This might be why it's not currently available in pkgng format, although I don't know whether this is intended. Inspect that page and see which packages you'll have to install to get a full gnome2 desktop.


----------



## markbsd (Nov 18, 2013)

Savagedlight said:

> I don't know why you're unable to install gnome2. Do execute `# pkg search gnome2` to see if you find the correct package name. Perhaps gnome2-lite is what you're looking for?



See this thread. I want the full gnome2 package -- not the lite install -- but it is not available as a package right now. A PR has been lodged.



> As for upgrading all installed packages (when an update is available), this can be done by executing `# pkg upgrade` and then inspect the list of tasks which will be performed.



THANK YOU! Will `pkg upgrade` fix these vulnerabilities:


```
# pkg audit -F
auditfile.tbz                          100%   91KB  90.7KB/s  80.7KB/s   00:01
gnupg-2.0.20_1 is vulnerable:
gnupg -- possible infinite recursion in the compressed packet parser

WWW: http://portaudit.FreeBSD.org/749b558...9baab0cbe.html

gstreamer-ffmpeg-0.10.13 is vulnerable:
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav

WWW: http://portaudit.FreeBSD.org/4d087b3...ec565249c.html

libgcrypt-1.5.2 is vulnerable:
GnuPG and Libgcrypt -- side-channel attack vulnerability

WWW: http://portaudit.FreeBSD.org/689c2bf...590860428.html

py27-pycrypto-2.6_1 is vulnerable:
pycrypto -- PRNG reseed race condition

WWW: http://portaudit.FreeBSD.org/c0f122e...70e169bc2.html

4 problem(s) in your installed packages found.
#
```

and eliminate this error I keep encountering:


```
pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/c2ph with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/config_data with:
	- perl5-5.16.3_2

pkg: WARNING: locally installed perl-5.14.4 conflicts on /usr/local/bin/corelist with:
	- perl5-5.16.3_2
```
???


----------
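
One way to check the question in the post above, as an added example that was not posted by anyone in this thread: a POSIX sh/awk script that cross-references the `pkg audit` findings with the `pkg version -vIL=` listing to show which flagged packages have a newer version in the index. The function names (`triage`, `run_sample`, and so on) are illustrative, and the sample data is excerpted from the outputs posted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): join `pkg audit` findings against
# `pkg version -vIL=` output to see which flagged packages have an update.

# Excerpt of the `pkg audit -F` output posted earlier in this thread.
audit_sample() {
cat <<'EOF'
auditfile.tbz                          100%   91KB  90.7KB/s  80.7KB/s   00:01
gnupg-2.0.20_1 is vulnerable:
gnupg -- possible infinite recursion in the compressed packet parser

WWW: http://portaudit.FreeBSD.org/749b5587-2da1-11e3-b1a9-b499baab0cbe.html

gstreamer-ffmpeg-0.10.13 is vulnerable:
gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav

libgcrypt-1.5.2 is vulnerable:
GnuPG and Libgcrypt -- side-channel attack vulnerability

py27-pycrypto-2.6_1 is vulnerable:
pycrypto -- PRNG reseed race condition

4 problem(s) in your installed packages found.
EOF
}

# Excerpt of the `pkg version -vIL=` output posted earlier in this thread.
version_sample() {
cat <<'EOF'
curl-7.31.0_1                      <   needs updating (index has 7.33.0_1)
gnupg-2.0.20_1                     <   needs updating (index has 2.0.22)
gstreamer-ffmpeg-0.10.13           <   needs updating (index has 0.10.13_1)
libgcrypt-1.5.2                    <   needs updating (index has 1.5.3)
perl-5.14.4                        <   needs updating (index has 5.14.4_2)
py27-pycrypto-2.6_1                <   needs updating (index has 2.6.1)
EOF
}

# triage AUDIT_FILE VERSION_FILE
# Prints one line per flagged package, in audit order:
#   <name-version> <index-version> update-available
#   <name-version> - no-update-in-index
triage() {
    awk '
        # First file: remember every "<name-version> is vulnerable:" line once.
        FILENAME == ARGV[1] {
            if ($2 == "is" && $3 == "vulnerable:" && !($1 in vuln)) {
                vuln[$1] = 1
                order[++n] = $1
            }
            next
        }
        # Second file: for flagged packages marked "<", pull the index version.
        $2 == "<" && ($1 in vuln) {
            if (match($0, /index has [^)]+/))
                newer[$1] = substr($0, RSTART + 10, RLENGTH - 10)
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (p in newer)
                    printf "%s %s update-available\n", p, newer[p]
                else
                    printf "%s - no-update-in-index\n", p
            }
        }
    ' "$1" "$2"
}

# Run triage over the thread excerpts using temporary files.
run_sample() {
    a=$(mktemp /tmp/audit.XXXXXX) && v=$(mktemp /tmp/version.XXXXXX) || return 1
    audit_sample > "$a"
    version_sample > "$v"
    triage "$a" "$v"
    rc=$?
    rm -f "$a" "$v"
    return $rc
}

# On a live system, save the two command outputs to files and pass them in:
#   pkg audit -F > audit.txt; pkg version -vIL= > version.txt
#   triage audit.txt version.txt
run_sample
```

A newer version in the index does not by itself prove the advisory is closed, and the binary repository can lag behind the index; re-run `pkg audit -F` after `pkg upgrade` to confirm.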



## markbsd (Nov 18, 2013)

@Savagedlight, you're an absolute champion, my friend!!!


----------



## kpa (Nov 18, 2013)

You can try to use something like this:

`make -C /usr/ports/x11/gnome2 missing | xargs -n1 pkg install -y`

What it does is to generate a list of ports that the meta-port x11/gnome2 requires and then feeds the lines one by one to `pkg install -y` (install without questions).

However, I can now possibly see why x11/gnome2 isn't in the package repo, some of the dependencies of it require perl version 5.14 while the default version is now 5.16. Such conflicts cannot yet be handled gracefully because the ports(7) system has never been able to handle that situation properly but only to complain about conflicting versions.


----------



## markbsd (Nov 18, 2013)

kpa said:

> You can try to use something like this:
> 
> `make -C /usr/ports/x11/gnome2 missing | xargs -n1 pkg install -y`
> 
> What it does is to generate a list of ports that the meta-port x11/gnome2 requires and then feeds the lines one by one to `pkg install -y` (install without questions).



Thank you for this! I don't need it now because, as you know, I already went to great lengths to get GNOME2 on this install, but this is handy to know.



> However, I can now possibly see why x11/gnome2 isn't in the package repo, some of the dependencies of it require perl version 5.14 while the default version is now 5.16.



This makes sense now! perl 5.14 is causing all these errors for me when I try to `pkg install` packages that require perl 5.16. Obviously, using `pkg_add gnome2` installed the older perl, which, for some reason, won't automagically be updated with its later version when I try to install Firefox, for example. Why doesn't `pkg install firefox` just update perl 5.14 to 5.16 though? Why must it be done manually?

By the way, that security breach you linked me to is very disconcerting! I can't believe the FreeBSD.org servers were hacked!!! You'd think that would be one of the hardest hacks in the world. It makes news like this:



> Pkg 1.2 will be released in the coming month which will bring many
> improvements including officially signed packages.



very reassuring because, frankly, FreeBSD is quite a bit behind in package management.


----------



## markbsd (Nov 18, 2013)

Okay. This is starting to really annoy me. `pkg upgrade` was going great, and then:


```
orca-2.32.1_2.txz                                  100% 1496KB 748.2KB/s   1.2MB/s   00:02    
Checking integrity...
Conflict found on path /usr/local/bin/a2p between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/c2ph between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/config_data between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/corelist between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)

Conflict found on path /usr/local/bin/cpan between perl5.14-5.14.4_2(lang/perl5.14) and perl5-5.16.3_2(lang/perl5.16)
```

What do I do?


----------



## markbsd (Nov 18, 2013)

I need to update perl-5.14 or delete it entirely and install perl-5.16.


----------



## markbsd (Nov 18, 2013)

See:


```
# pkg delete perl
pkg: Error while trying to delete packages, dependencies that are still required:
lang/perl5.14: devel/glib20, devel/gobject-introspection, devel/dbus-glib, sysutils/policykit, sysutils/polkit, sysutils/consolekit, sysutils/hal, x11-servers/xorg-server, x11-drivers/xf86-video-vesa, x11-drivers/xf86-video-radeonhd, x11-drivers/xf86-video-r128, x11-drivers/xf86-video-openchrome, x11-drivers/xf86-video-nv, x11-drivers/xf86-video-mach64, x11-drivers/xf86-video-i
<snip>
#
```

It won't even let me delete the damn thing!

I don't understand why this is happening. According to `pkg help upgrade`:



> Finally, the work list is executed in dependency order.  Package reinstall
> or update *jobs are processed by removing the currently installed
> package and immediately installing the replacement.*  New dependencies are
> processed as installation jobs as part of the work list.



So, why isn't the process removing perl-5.14?


----------



## kpa (Nov 18, 2013)

The security incident didn't have anything to do with the servers directly. What happened was that an SSH secret key (that is used for public key logins) got leaked from a client machine of one of the developers that had access to the package building cluster. Such a breach could have happened to just about anybody and it's not known if the developer was using FreeBSD on the said client machine, it could have been Windows or OS X just as well.


----------



## kpa (Nov 18, 2013)

To fix those perl conflicts you'd have to compile the ports that depend on perl 5.14 so that they depend only on perl version 5.16. I'm not sure if it's that simple at the moment because if it was the packages in the repository should have dependencies only to 5.16. It's possible that those ports are broken at the moment and would need fixing to make them respect the new default version 5.16 properly.


----------



## markbsd (Nov 18, 2013)

That's a catch 22 situation. Hopefully he wasn't using FreeBSD, as that would mean a BSD box wasn't hacked or jeopardized. But if he wasn't, why is a FreeBSD developer not using FreeBSD?


----------



## markbsd (Nov 18, 2013)

kpa said:

> To fix those perl conflicts you'd have to compile the ports that depend on perl 5.14 so that they depend only on perl version 5.16. I'm not sure if it's that simple at the moment because if it was the packages in the repository should have dependencies only to 5.16. It's possible that those ports are broken at the moment and would need fixing to make them respect the new default version 5.16 properly.



How would I do this? Honestly, why can I just `pkg delete perl`? That's madness that I can't delete a damn package!

I just need to upgrade perl, surely it's a simple command or two. I can't believe how counter-intuitive this whole process is turning out to be. I can't wait for my new Mac.


----------



## Savagedlight (Nov 18, 2013)

markbsd said:

> That's a catch 22 situation. Hopefully he wasn't using FreeBSD, as that would mean a BSD box wasn't hacked or jeopardized. But if he wasn't, why is a FreeBSD developer not using FreeBSD?



This is getting very off topic for this thread, but anyway: Not using FreeBSD on some desktop doesn't mean you're not using FreeBSD. For example, I don't use FreeBSD on any client machines, but I do use it almost exclusively on all my servers and firewalls.



			
markbsd said:

> How would I do this? Honestly, why can I just `pkg delete perl`? That's madness that I can't delete a damn package!
> 
> I just need to upgrade perl, surely it's a simple command or two. I can't believe how counter-intuitive this whole process is turning out to be. I can't wait for my new Mac.



I see that pkg(8) and pkg-delete(8) doesn't work. However, you can still look at those manpages in the console (see man(1) if you don't know how) to find out how to achieve what you want to do. Hint: Look at the -f flag.


----------



## markbsd (Nov 18, 2013)

Savagedlight said:

> This is getting very off topic for this thread, but anyway: Not using FreeBSD on some desktop doesn't mean you're not using FreeBSD. For example, I don't use FreeBSD on any client machines, but I do use it almost exclusively on all my servers and firewalls.



True (on both counts), but it's interesting.

On topic: please tell me you know how to resolve this perl problem?!


----------



## kpa (Nov 18, 2013)

markbsd said:

> How would I do this? Honestly, why can I just `pkg delete perl`? That's madness that I can't delete a damn package!
> 
> I just need to upgrade perl, surely it's a simple command or two. I can't believe how counter-intuitive this whole process is turning out to be. I can't wait for my new Mac.




Well, my view is that we are all suffering from years of neglect with the ports system. There are a number of things that should have happened years ago but they were always postponed because of lack of resources or just plain change resistance. It's only recently that those important improvements have started to happen. Much credit has to go to the PKGNG project.


----------



## markbsd (Nov 18, 2013)

kpa said:

> Well, my view is that we are all suffering from years of neglect with the ports system. There are a number of things that should have happened years ago but they were always postponed because of lack of resources or just plain change resistance. It's only recently that those important improvements have started to happen. Much credit has to go to the PKGNG project.



Do you think I need to:


```
# rm -R /usr/local
# rm -R /var/db/pkg
```

And start again? I feel like throwing this computer out the window right now.

Or what if I find the perl-5.14 directory and `rm -r` that and then try `pkg install perl-5.16`?


----------



## kpa (Nov 18, 2013)

I would give up with Gnome2 at the moment and look for alternate window managers/desktop environments. XFCE4 was pretty nice when I used it.


----------



## markbsd (Nov 18, 2013)

I'm happy to do that, but I still need to upgrade perl to 5.16 for other packages I want to install, like firefox, and xfce4! This has really screwed me.


----------



## Deleted member 9563 (Nov 18, 2013)

I've recently installed KDE4 on two machines which get a lot of use, and it's running quite well. I had Xfce on one before, it's a very functional desktop, but it doesn't take care of a number of common tasks like automounting so I think blackbox is about as good. I know little about Gnome, but the day before yesterday I set up a special purpose Linux box with it and it is very solid in that environment. However, it seems to require more complex key operations to be fast. Perhaps I just don't get it. 

@markbsd, remember that perl is a bit of a special case, because it has involvement with so many (most?) of the other programs.


----------



## markbsd (Nov 18, 2013)

I prefer KDE, but last time I installed it on a FreeBSD box it wouldn't even start! Lol. Besides, it's a bit more resource heavy than GNOME, hence why I decided on GNOME for this VM. So far, it's great, really great! But I need to upgrade perl, and this godforsaken OS simply will not let me!

I've created a new virtual image and am going to start from scratch...again! Needless to say, this is beyond ridiculous right now. It's completely ass-backwards and has me at the limit of the crap I'm willing to put up with from a desktop OS. I can't imagine the hell people are going to have to endure when they're forced to convert from pkg_add to pkgng. I'll be praying for them.

When I learn how to code and have enough experience to develop for FreeBSD (about 20 years from now), I'll make it my number 1 priority and life mission to develop a consistent and reliable package management protocol to avoid all this crap. Lord knows we'll still be in need of one


----------



## kpa (Nov 18, 2013)

Contribute to the existing projects instead of trying to re-invent the wheel.

The PKGNG project:

https://github.com/freebsd/pkg

Poudriere:

https://fossil.etoilebsd.net/poudriere/doc/trunk/doc/index.wiki

I constantly see numerous new people appear here on the forums and on the mailing lists saying they have developed their own "better" alternative for some part of FreeBSD, after a while they have disappeared never to be seen again.


----------



## markbsd (Nov 18, 2013)

I've been asking around for a Bitcoin wallet address, no one has come forth. I'd love to make a donation. I think even pkgng has a loooooong way to go though. This is such a nothing task that has all but crippled the whole package management system. It's a joke.


----------



## rusty (Nov 18, 2013)

Why not just run PCBSD in a vm?


----------



## Savagedlight (Nov 18, 2013)

markbsd said:
			
		

> (...)Needless to say, this is beyond ridiculous right now. It's completely ass-backwards and has me at the limit of the crap I'm willing to put up with from a desktop OS.(...)


As an aside: FreeBSD isn't a desktop OS, per se. You may want to look into PC-BSD for this use case.

PS: Please read my earlier post for info on how to remove the old version of perl.


----------



## kpa (Nov 18, 2013)

markbsd said:
			
		

> I've been asking around for a Bitcoin wallet address, no one has come forth. I'd love to make a donation. I think even pkgng has a loooooong way to go though. This is such a nothing task that has all but crippled the whole package management system. It's a joke.



Call it a joke when you have properly looked at what PKGNG is and have used it long enough to make a judgement. As noted many times before, PKGNG is nothing but the packaging backend for the ports system. The same problems that you have encountered are still present if you leave out the PKGNG package management and use the old pkg_* packaging tools.


----------



## markbsd (Nov 18, 2013)

I half agree with you; there's nothing in the literature that states FreeBSD is purely a server OS, or cannot be used as a desktop OS.

To which post do you refer:



> I see that pkg(8) and pkg-delete(8) don't work. However, you can still look at those manpages in the console (see man(1) if you don't know how) to find out how to achieve what you want to do. Hint: Look at the -f flag.



You think `pkg delete -f perl` is the only option I have? And then `pkg install perl-5.16` will get everything depending on perl working again?


----------



## markbsd (Nov 18, 2013)

kpa said:
			
		

> Call it a joke when you have properly looked at what PKGNG is and have used it long enough to make a judgement.



The joke is this situation. It wasn't a reference to the pkgng project. You have a habit of either not reading my posts, or not properly reading them.


----------



## Deleted member 9563 (Nov 18, 2013)

markbsd said:
			
		

> I prefer KDE, but last time I installed it on a FreeBSD box it wouldn't even start! Lol. Besides, it's a bit more resource heavy than GNOME, . . .



I don't think that resources are very important any more. I just built a new machine with middle of the road parts (Intel i3) and KDE runs fast. As for HDD space as a resource, the size of an OS is completely irrelevant these days.

Mind you, I do understand the aesthetics of the basic concept. I still run, and use daily, a machine which is extremely fast and runs perfectly after more than 20 years of tweaking my setup and OS setup skills. The processor is an Intel P1, and the OS is MS-DOS-6.22 - and yes I use it on the net too. The elegance of high functionality with very low resources is intoxicating. But since we got Gigabyte harddrives and multicore processors, that game is over. 



> I can't imagine the hell people are going to have to endure when they're forced to convert from pkg_add to pkgng.



The only thing that happened here is that my left shift key gets less use. Go figure.

I do feel your pain though. I've come close to quitting FreeBSD on several occasions recently. I didn't publish my rants, but they weren't pretty.


----------



## markbsd (Nov 18, 2013)

OJ said:
			
		

> I don't think that resources are very important any more. I just built a new machine with middle of the road parts (Intel i3) and KDE runs fast. As for HDD space as a resource, the size of an OS is completely irrelevant these days.
> 
> Mind you, I do understand the aesthetics of the basic concept. I still run, and use daily, a machine which is extremely fast and runs perfectly after more than 20 years of tweaking my setup and OS setup skills. The processor is an Intel P1, and the OS is MS-DOS-6.22 - and yes I use it on the net too. The elegance of high functionality with very low resources is intoxicating. But since we got Gigabyte harddrives and multicore processors, that game is over.



My concern was moreso due to it being run in a VM on a Win7 host which often has other guest OSs run simultaneously, so, unfortunately, resources were a bit of a concern. Even still, I have FreeBSD installed on an old laptop where, similarly, resources are also a concern. So, resources are still an issue for me at times.




> The only thing that happened here is that my left shift key gets less use. Go figure.
> 
> I do feel your pain though. I've come close to quitting FreeBSD on several occasions recently. I didn't publish my rants, but they weren't pretty.



I don't know how lucky you were, or how unlucky I am. I'm pretty much at that point. Not quite flipping yet, but damn close


----------



## Juanitou (Nov 18, 2013)

markbsd said:
			
		

> You think `pkg delete -f perl` is the only option I have? And then `pkg install perl-5.16` will get everything depending on perl working again?




```
#pkg updating perl
20131023:
  AFFECTS: users of lang/perl5.12 lang/perl5.14
  AUTHOR: mat@FreeBSD.org

  The default Perl has been switched to lang/perl5.16.  These examples
  are for switching from lang/perl5.14, if you are running another
  version, replace lang/perl5.14 with the origin of the Perl you have
  installed.

  Pkgng users:

    # pkg set -o lang/perl5.14:lang/perl5.16
    # pkg install -Rf lang/perl5.16

  Portupgrade users:
    0) Fix pkgdb.db (for safety):
	pkgdb -Ff

    1) Reinstall new version of Perl (5.16):
	portupgrade -o lang/perl5.16 -f perl-5.14.\*

    2) Reinstall everything that depends on Perl:
	portupgrade -fr perl

  Portmaster users:
	portmaster -o lang/perl5.16 lang/perl5.14

	Conservative:
	portmaster p5-

	Comprehensive (but perhaps overkill):
	portmaster -r perl-

  Note: If the "perl-" glob matches more than one port you will need to specify
        the name of the Perl directory in /var/db/pkg explicitly.
```

Following these instructions worked here, but with ports and portmaster. I won’t dare to suggest you again reading the pkg manuals, I’ve perfectly understood that you don’t have time to waste…


----------



## markbsd (Nov 18, 2013)

Juanitou said:
			
		

> ```
> #pkg updating perl
> 20131023:
> AFFECTS: users of lang/perl5.12 lang/perl5.14
> ...
> ```



No need to be a smart ass, @Juanito. I've already read /usr/ports/UPDATING and applied the steps from 20120630 after a google search led me there. But thanks for going out of your way to suggest the obvious after presuming manual pages hadn't been read -- that's a great way to try and help people

And that's not what you posted before, you suggest using the -f flag like you knew what you were doing. Now you've done some googling and want to share? Yeah. Thanks!

Oh, and by the way. For those, like me, who don't want to use ports:



> 2) Reinstall everything that depends on Perl:
> portupgrade -fr perl



Can be done with `pkg upgrade` instead.


----------



## Juanitou (Nov 18, 2013)

markbsd said:
			
		

> And that's not what you posted before, you suggest using the -f flag like you knew what you were doing. Now you've done some googling and want to share? Yeah. Thanks!


I don’t remember suggesting anything related to updating perl, but you certainly have verified it. I’m only insisting, as the beginner I am, to read the manual pages: Google was not needed here to upgrade perl several weeks ago and have all ports needed for a nice desktop experience updated and running. Anyway, who am I to provide advice, isn’t it? The number and volume of the threads you have initiated show that you’re in the perfect mood for tinkering with FreeBSD as a desktop OS, so I’m not willing to irritate you any more and I’ll refrain from posting on them any more.

Good luck!


----------



## markbsd (Nov 18, 2013)

You're right -- I confused you with someone else!

Nevertheless, if you'd actually exercised due diligence in required reading ITT before trying to be a smartass you'd see I'd not only read the man pages for the relevant commands, but the Handbook, the Wiki, and several other pages of documentation in an attempt to rectify the problem. But you just wanted to make some sideways remark trying to compare my reticence in using ports to save time with not reading manual pages to save time! Really? That was not only unfounded, but stupid! The amount of time saved in using packages instead of ports doesn't even compare to any time used _productively_ in reading manual pages. You obviously -- and you have a history of it -- just wanted to make a snide remark. Good for you. Your post was actually informative and would otherwise be appreciated if not for your childish attempt at being a smart aleck:



			
Juanito said:

> I won’t dare to suggest you again reading the pkg manuals, I’ve perfectly understood that you don’t have time to waste…



How about next time, instead of trying to come off as a condescending newb, you take a little look at the other posts in the thread. You might not make yourself look like a goose and a patronizing jerk.

_[ Forum rule violations -- Mod. ]_


----------



## jb_fvwm2 (Nov 18, 2013)

markbsd said:
			
		

> I'm happy to do that, but I still need to upgrade perl to 5.16 for other packages I want to install, like firefox, and xfce4! This has really screwed me.



This thread is why I wish the  /var/db/pkg/portname-#  >> `pkg` conversion had a problem > solution flowchart... ( for instance often in perl upgrades (I run  perl5-14  but packages I expect now use  perl5-16  ...) ) in the sense that packages may contain often dependencies that locally have not been updated to the default version, etc...  I don't believe that the new packages system has too many bugs, per se, just that it has enough missing features that it should have been delayed as the default.  I can grep  /var/db/pkg  files in a pipe to reinstall ports which have been installed via package when they should have been installed via ports... fiddle with the directories in  /var/db/pkg  (temporarily rename to allow duplicate installs of conflicting ports which for some reason may both need to be installed, etc... )  and countless other fixes/workarounds which with more effort, one would just choose to not install, instead. 
Howsoever, I could write on and on... but have been outvoted.  Meanwhile, `pkg` has not been building here for months, with a sqlite3.so error. 
My point is not to disparage `/pkg/` but am posting in the hopes that one or two or more persons reading the post will concur that the package system would be served by such a flowchart, constantly revised...  making it more user-friendly even to those not yet using FreeBSD but who may be swayed by simply reading the flowchart should it ever appear. [Not to discourage a multipage EXAMPLES section that would contain all the fixes/workarounds in a more verbose manner than is common except in exceptionally informative manpages, a few of which exist already.  And common problems could be fixed by code to make the EXAMPLES list or flowchart size less sizable, a problem repository immediately available to all without further search, so to speak.
[edit...]
In the freebsd-questions list this week, (Vol 494 # 1 of the digest form...) there is a long thread about "How to install two freebsd9.2 on one disk?" which has many command-line examples, several scenarios, the bootloader, GPT vs MBR... re the FLOWCHART method of user help, if all the information in that thread (for example ) were combined with the short EXAMPLES in `man gpart` and summarized (I know, a wiki, but many do not look there "first", as a matter of recourse...) it could be helpful in a similar manner to the topic of this thread, maybe having first recourse to a flowchart or very verbose EXAMPLES section.


----------



## DutchDaemon (Nov 18, 2013)

I suggest everyone in here stops calling anyone else anything. We have forum rules dealing with that type of belligerent and combative behavior, and we will enforce them. If this resumes, the topic will be closed and infractions will be handed out. Period.


----------



## markbsd (Nov 19, 2013)

jb_fvwm2 said:
			
		

> This thread is why I wish the  /var/db/pkg/portname-#  >> `pkg` conversion had a problem > solution flowchart... ( for instance often in perl upgrades (I run  perl5-14  but packages I expect now use  perl5-16  ...) ) in the sense that packages may contain often dependencies that locally have not been updated to the default version, etc...  I don't believe that the new packages system has too many bugs, per se, just that it has enough missing features that *it should have been delayed as the default*.



I feel very much the same way. To be fair, it's not the default on 9.2, but given pkg_add is set to be redundant in ~6 months, I figured it is only right to run with pkg from the beginning of every new install.




> I can grep  /var/db/pkg  files in a pipe to reinstall ports which have been installed via package when they should have been installed via ports... fiddle with the directories in  /var/db/pkg  (temporarily rename to allow duplicate installs of conflicting ports which for some reason may both need to be installed, etc... )  and countless other fixes/workarounds which with more effort, one would just choose to not install, instead.
> Howsoever, I could write on and on... but have been outvoted.  Meanwhile, `pkg` has not been building here for months, with a sqlite3.so error.
> My point is not to disparage `/pkg/` but am posting in the hopes that one or two or more persons reading the post will concur that the package system would be served by such a flowchart, constantly revised...  making it more user-friendly even to those not yet using FreeBSD but who may be swayed by simply reading the flowchart should it ever appear. [Not to discourage a multipage EXAMPLES section that would contain all the fixes/workarounds in a more verbose manner than is common except in exceptionally informative manpages, a few of which exist already.  And common problems could be fixed by code to make the EXAMPLES list or flowchart size less sizable, a problem repository immediately available to all without further search, so to speak.
> [edit...]
> In the freebsd-questions list this week, (Vol 494 # 1 of the digest form...) there is a long thread about "How to install two freebsd9.2 on one disk?" which has many command-line examples, several scenarios, the bootloader, GPT vs MBR... re the FLOWCHART method of user help, if all the information in that thread (for example ) were combined with the short EXAMPLES in `man gpart` and summarized (I know, a wiki, but many do not look there "first", as a matter of recourse...) it could be helpful in a similar manner to the topic of this thread, maybe having first recourse to a flowchart or very verbose EXAMPLES section.



I also agree. FreeBSD has exceptional documentation, but there's always room for something extra. I really would like to see it appeal to new users too, and I think this would help. Thanks for your post.


----------



## markbsd (Nov 19, 2013)

DutchDaemon said:
			
		

> I suggest everyone in here stops calling anyone else anything. We have forum rules dealing with that type of belligerent and combative behavior, and we will enforce them. If this resumes, the topic will be closed and infractions will be handed out. Period.



I had no intent to be combative at all; just pull someone up as, I believe, anyone would. I don't mean to commit any infractions, however.


----------



## Juanitou (Nov 19, 2013)

markbsd said:
			
		

> I had no intent to be combative at all; just pull someone up as, I believe, anyone would. I don't mean to commit any infractions, however.


Not, anyone wouldn’t do it, since in my honest opinion there was no reason to do so, and so violently, but I am maybe wrong and will try from now on to be less humorous, more factual or simply shut up instead of putting mirrors in front of people, something that I understand now is useless and bound to create conflicts. Lesson learnt!

So please, moderators, accept this as a “right of reply” last message, noting that I haven’t insulted anybody, neither made false assumptions or mixed up posters when replying, so I hope to not be handled an infraction.


----------



## markbsd (Nov 19, 2013)

You made a deliberate smart ass remark. Which can earn some laughs when they're actually accurate and funny. But yours was, firstly, wrong, and, secondly, stupid. So all it did was make you come off like an asshat being rude. Not humorous, and not "putting mirrors in front of people", but, yes, you were being presumptuous and condescending. Just ignorant douchebag behaviour, with no intention to be anything else but that, and for no reason at all.

_[ User infracted for rule violations // topic closed -- Mod. ]_


----------



## DutchDaemon (Nov 19, 2013)

Let this serve as a reminder to anyone posting on these forums: you can walk away from a topic if you don't like it, and you can stop responding to people that rub you the wrong way. We will never allow threads to devolve into name-calling or other personal attacks, nor will we allow the (continued) expression of personal opinions/experiences in an overly dramatic or exasperated way. It serves no communal purpose.


----------

