hashicorp vault

andrewm659

andrewm659

I am running FreeBSD 12.1 and I am getting ready to install hasicorp vault into a jail. However when I go to install it, version 1.4.1 is what is available. But when I search ports version 1.5.0 is what is available. Has it not been updated in the pkg repos yet? Just curious.

FreeBSD Ports Search

www.freebsd.org www.freebsd.org
 
andrewm659 said:
Has it not been updated in the pkg repos yet?
Click to expand...

Not on quarterly, but on latest ( see "Packages" ) :

FreshPorts -- security/vault: Tool for securely accessing secrets

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
www.freshports.org www.freshports.org
 
Unfortunately, the handbook is missing to teach the information how to use the quarterly ports branch vs. using head -- aka latest in pkg world. portsnap(8) uses latest & can not download the quarterly branch. You can use Subversion to do that. If you do not want to delete the existing ports tree under /usr/ports, you can download quarterly to another directory, e.g. add a suffix -YYYYQx.
mkdir /usr/ports-2020Q3
cd /usr && ln -s ports-2020Q3 quarterly && cd -
/usr/bin/nohup svnlite checkout https://svn.FreeBSD.org/ports/branches/2020Q3 /usr/ports-2020Q3 &
less nohup.out
 
mjollnir said:
Unfortunately, the handbook is missing to teach the information how to use the quarterly ports branch vs. using head -- aka latest in pkg world. portsnap(8) uses latest & can not download the quarterly branch. You can use Subversion to do that.
Click to expand...

For the time being the 2020Q3 quarterly security/vault port is on version 1.4.1. It won't do any good to pull in a quarterly ports tree now. If the quarterly port is updated a package is build for repository a few days later, then there is no need to build it yourself. That is, the quarterly port will be updated only if there is a security vulnerability to fix, or a bug, or the ports compliance/framework changes. If not, the version won't change until 2020Q4.

andrewm659 you could file a bug report to force the issue to update the quarterly port on grounds of vulnerability fixes ( version 1.4.2 ), numerous bug fixes, and improvements. To justify the issue point to the changelog, eventually provide a patch.

Or simpler, if it doesn't interfere with any requirements, change to latest repository.
 
Thanks for responses on this! I know that I have done this using Debian Linux, but is there a way to do pinning the with the repository? Where you can pick and choose what apps are updated to the latest?
 
You will have to solve runtime dependency issues. Thus, you'll need some type of sandboxing. TrueOS had a means to install application-bundles, i.e. each application bundles it's specific versions of foreign libraries it depends on, and the wrapper to fire up that application sets all neccessary environment knobs.
 
andrewm659 said:
I know that I have done this using Debian Linux, but is there a way to do pinning the with the repository? Where you can pick and choose what apps are updated to the latest?
Click to expand...

There is no such function on FreeBSD. What mjollnir suggests with pkg lock would mean tracking the latest repository and locking certain packages to a certain version to prevent them being updated/upgraded . The reverse, tracking quarterly and updating/upgrading certain packages to latest is not intended nor advised, therefore no such functionality is provided ( in theory you can force latest packages besides quarterly installed packages, but that would mean asking for trouble ).

That reddit procedure of the OP there won't work ( Besides the fact the -R option doesn't exist, it's -r, and the repository name is not provided. A ( incomplete ) path to a repository file is not a valid repository name. ).

You have two options, change to latest repository or if you want to track the default quarterly repository ( "a more predictable and stable experience for port and package installation and upgrades" ) file a bug report. If you ask why file a bug report, the maintainer seems not to track the quarterly port, maybe unaware it's being left on 1.4.1, behind a necessary update ( I refer to the vulnerability fixes in 1.4.2 ). The current port, 1.5.0 version, is updated on July 24th, the quarterly 1.4.1 on July 2, version 1.4.3 is skipped on quarterly, that suggests the quarterly port might not be updated until 2020Q4 ( packages from the repositories are build from those ports ).

Tracking the quarterly repository doesn't mean you are on the save side, as you can see with the 1.4.1 version being left vulnerable. The latest repository is as good as the quarterly. On both it's advised, particularly on production systems, to check for security updates or bugs of the installed packages yourself upstream, then, if the port is not updated/upgraded within a reasonable time, file a bug report.
 
I tend not to MFH updates to vault, figuring that folks on quarterly want fewer updates, but I can if there's demand
 
swills@ said:
I tend not to MFH updates to vault, figuring that folks on quarterly want fewer updates, but I can if there's demand
Click to expand...

Please do update on quarterly to version 1.5.0. Version 1.4.1 has some security issues ( corrected with version 1.4.2 ), see the changelog. Also bug fixes and improvements up to 1.5.0 deserve an update. And thank you for maintaining the port.
 
You must log in or register to reply here.
Back
Top