Solved curl not updating, but maybe that's how pkg works?

[drtebi]

Hello,

I am a bit confused... :

I have FreeBSD 13.1-RELEASE-p7 installed. I noticed that curl is out of date. Thus I figured doing a pkg update, pkg upgrade would bring it to the newest version.

Well, my daily status report still tells me curl is out of date (curl-7.88.1).

In ports, curl is at version 8.0.1.

I read through the handbook... and now this is what I understand:
- The binary packages are compiled from ports, and that happens every quarter.
- None of these binary packages will be updated until the next quarter, with the exception of severe security flawed packages

And thus... my curl with stay at version 7.88-1 until I update to FreeBSD 13.2.

Did I get this right?

Thanks

 

[Alain De Vos]

No not right.
Curl will stay with version 7.88-1 on "quarterly". This for any kernel/userland/world upgrade.
For versions see:

FreshPorts -- ftp/curl: Command line tool and library for transferring data with URLs

curl is used in command lines or scripts to transfer data. It is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, settop boxes, media players and is the internet transfer backbone for thousands of software applications affecting billions of humans...

www.freshports.org

 

[yuripv79]

Or better yet, 4.4.2 here (by default you are on quarterly):

Chapter 4. Installing Applications: Packages and Ports

FreeBSD provides two complementary technologies for installing third-party software: the FreeBSD Ports Collection, for installing from source, and packages, for installing from pre-built binaries

docs.freebsd.org

 

[zirias@]

- The binary packages are compiled from ports, and that happens every quarter.

No, it happens continuously (soon after a specific build is finished, it starts again). But the quarterly branch (from which the quarterly pkg repo is built) normally isn't updated, except:

- None of these binary packages will be updated until the next quarter, with the exception of severe security flawed packages

Yep, almost like that. Other severe issues that e.g. render a package unusable should be fixed on quarterly as well.

As others said, there's also a "latest" repository, which is built from the main ports branch, so it always contains the latest versions (minus a few days for the time needed to batch-build them).

Which repo you want to use is your decision. "quarterly" reduces the amount of updates you have to install. "latest" provides the latest software versions.

 

[suntzu00]

No not right.
Curl will stay with version 7.88-1 on "quarterly". This for any kernel/userland/world upgrade.
For versions see:

FreshPorts -- ftp/curl: Command line tool and library for transferring data with URLs

curl is used in command lines or scripts to transfer data. It is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, settop boxes, media players and is the internet transfer backbone for thousands of software applications affecting billions of humans...

www.freshports.org

curl will not stay on version 7.88.1 on quarterly. https://cgit.freebsd.org/ports/commit/?h=2023Q2&id=8c231c32ec19ad809270d847bef16cd231736119
You'll have to wait a wee bit before the packages are build though.

 

[drtebi]

Thank you for all your replies.

What's the best way to go now if I want curl to be up-to-date?

Or maybe I should explain my situation and goal a bit:
My FreeBSD machine is purely used as a web server. There really isn't much else running besides Apache and TinyDNS. I just want to be sure to have no security vulnerabilities on the web server.

Are there any other downsides in using the "Latest" repository? That's how Arch Linux works, which I use for my desktop computer. It's fairly rare that being "on the edge" has caused some incompatibilities between libraries, or other issues...

 

[Alain De Vos]

Just reguarly:
"pkg update"
"pkg upgrade".
And curl will be to the latest quarterly version.

 

[zirias@]

What's the best way to go now if I want curl to be up-to-date?

In general: use "latest". Here, you might just as well wait for it on quarterly, takes a few days...

I just want to be sure to have no security vulnerabilities on the web server.

The goal of "quarterly" is to fix security vulns (and other severe issues) only. I won't say it always works perfectly. But here you see, the curl update landed in quarterly.

Are there any other downsides in using the "Latest" repository?

No. You'll just have a lot more updates to download and install than on "quarterly".

 

[astyle]

Hello,

I am a bit confused... :

I have FreeBSD 13.1-RELEASE-p7 installed. I noticed that curl is out of date. Thus I figured doing a pkg update, pkg upgrade would bring it to the newest version.

Well, my daily status report still tells me curl is out of date (curl-7.88.1).

In ports, curl is at version 8.0.1.

I read through the handbook... and now this is what I understand:
- The binary packages are compiled from ports, and that happens every quarter.
- None of these binary packages will be updated until the next quarter, with the exception of severe security flawed packages

And thus... my curl with stay at version 7.88-1 until I update to FreeBSD 13.2.

Did I get this right?

Thanks

Nah, not quite...

curl-7.88.1 is not THAT out of date... You can still run pkg upgrade ftp/curl if you want to upgrade just curl to the latest available.

When packages get compiled, the dependency rules in the Makefiles usually specify a minimum acceptable version. Curl is a dependency to several packages. Anything in quarterly that you have installed (and depends on curl), I bet it specifies the minimum acceptable version to be at 7.80.0... or something like that. My point is, dependencies don't always specify the very latest curl, but don't prohibit it, either. Very old stuff can be prohibited as a dependency.

So, no, OP is not stuck with 7.88_1, upgrading to 8.0_1 on 13.1-RELEASE-p7 is easy, shouldn't break anything, but is probably pointless (unless OP has a real interest in having the very latest curl installed).

 

[SirDice]

OP is referring to pkg-audit(8) complaining about ftp/curl, which is reported in the daily periodic(8) emails.

 

[drtebi]

Thanks once again.

I will stick to pkg update, pkg upgrade. And no, I don't need the latest curl package for its features; I was just generally curious.

My questions have been answered

Great forum.

 

[gotnull]

Well it looks like curl received an update :


~ : curl --version
curl 8.0.1 (amd64-portbld-freebsd13.1) libcurl/8.0.1 OpenSSL/1.1.1o zlib/1.2.12 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets


Rejoice

 

[Jose]

Anybody build this version from source? Has it Rusted?

 

[yuripv79]

Has it Rusted?

make build-depends-list does not list rust.

 

[Tieks]

Anybody build this version from source?

Built that version from ports yesterday, no problems.