[Help] port installation stopped due to dependency with vulnerabilities

revivaloflostart

#1
Hi guys,
I'm new to FreeBSD and ports in general so hopefully someone can help guide me through this the right way.

port I was installing: audio/supercollider
command I ran: portmaster audio/supercollider

After I finished selecting all the options, it started compiling and installing, however, the process stopped when it found a vulnerability in a dependency. After which the system said I could continue the install process where I left off by using the command it saved in /tmp/portmasterfail.txt

here is the content of the file:
[Mod: URL removed]

How exactly do I continue the install without making a mess of everything? I'm assuming a lot of the other dependencies already got installed?

I tried making a shell script with the content of that portmasterfail.txt and put a #!/bin/sh in the first line and made the script executable with +x, but it said cannot open flags: no such file or directory ..... probably due to the <flag> in portmasterfail.txt. So do I just remove <flag> and run it? And how does that differ from just simply running portmaster audio/supercollider again? (Then again, isn't some stuff already installed? Is this even OK to do?)

1. This is the correct way to continue the install if I want to ignore the vulnerabilities, right?
portmaster -m DISABLE_VULNERABILITIES=yes -a audio/supercollider

2. but what do I do if I want to just remove and undo whatever was already installed by supercollider before it found out there was a vulnerability in one of the dependencies?
 

SirDice

#2
Can't read the link, SSL errors and MalwareBytes is throwing a fit on that URL. So I removed it from your post.

> the process stopped when it found a vulnerability in a dependency.
Which dependency?

> but what do I do if I want to just remove and undo whatever was already installed by supercollider before it found out there was a vulnerability in one of the dependencies?
pkg autoremove
 

ShelLuser

#3
First of all: don't forget that manual pages exist. The man ports command will point you to the ports(7) manual page which lists all the build targets you may need. And some environmental settings, amongst which:
Code:
     DISABLE_VULNERABILITIES
                       If defined, disable check for security vulnerabilities
                       using pkg-audit(8) when installing new ports.
Of course the error message(s) you got during the build should also have informed you about this.

> After I finished selecting all the options, it started compiling and installing, however, the process stopped when it found a vulnerability in a dependency. After which the system said I could continue the install process where I left off by using the command it saved in /tmp/portmasterfail.txt
This is why it's also important to keep a logfile. I always use: # portmaster <port> |& tee build.log (using the C Shell), so that you can then check the build.log file for any possible causes if something goes wrong.

As said: the error output will also tell you how you can fix your problems.

> How exactly do I continue the install without making a mess of everything? I'm assuming a lot of the other dependencies already got installed?
Don't assume anything. Check your logs. By default pkg will log the installation ("addition") of packages, you can check /var/log/messages for that. Another good source is looking into /tmp/portmasterfail.txt which will show you exactly which port(s) are still on the "todo list" of your installation run.

First you need to determine which port caused this. Generally speaking this is often the first port mentioned in /tmp/portmasterfail.txt. Warning: I said generally speaking, meaning that this isn't always the case.

Next you need to determine for yourself if you really want that possibly vulnerable port installed. If so then use the build property I mentioned above. I'd personally recommend installing the port manually (using the old fashioned way of # make DISABLE_VULNERABILITIES=yes install clean).

After that is done you can then use /tmp/portmasterfail.txt. One way to do this is to remove the portmaster command itself (and the flag setup) as well as the port you manually installed. Then simply run: # portmaster `cat /tmp/portmasterfail.txt` and the installation process should easily continue.

But I strongly suggest that you don't run portmaster without a log: portmaster <port> |& tee build.log on csh and/or portmaster <port> 2>&1 | tee build.log for an sh environment. (the extra addition(s) makes sure that tee will also capture the output of /dev/stderr which is usually where you'll get any error messages).

(edit)

What FreeBSD version are you using and what port caused the vulnerability error? I'm wondering because I got curious and then tried running this: # for a in `make all-depends-list | cut -d '/' -f4-`; do pkg audit -q $a; done within the audio/supercollider directory, however it turned up empty. Considering the huge dependency list it's probably a dependency somewhere, but it still left me curious.
 
revivaloflostart

#4
I'm running 11.2
it's one of the "lib" dependencies, not sure which one though (should've written it down)
https://www.freshports.org/audio/supercollider
there's quite a few listed, but libsndfile seems familiar (I'm not positive though)

anyone adventurous enough to try installing and figuring out exactly which dependency it was? :p

by the way, is this a common occurrence at all? and is there any way to prevent running into this issue in the future?
something similar to pkg audit -F, but instead of checking all your installed packages, checks for all the dependencies of a package prior to installing? I mean, the fact that it detected it as a package having vulnerabilities means that it's already a package that's been flagged, shouldn't there be a way to check ahead of time?
 

ShelLuser

Son of Beastie

Thanks: 1,377
Messages: 2,939

#5
> by the way, is this a common occurrence at all? and is there any way to prevent running into this issue in the future?
Well, it is common in the sense that it can happen more often. But it's not common enough to happen a lot on my setup.

> something similar to pkg audit -F, but instead of checking all your installed packages, checks for all the dependencies of a package prior to installing?
I gave you a solution for that in my previous post. Of course that doesn't recurse into more dependencies, but it should be adjustable for that.

Even so, this is avoidable by relying on binary packages and not ports. Of course you can permanently set up certain build properties in /etc/make.conf but I strongly suggest against that because warnings like these are given for a good reason and are best not ignored.

Anyway, I usually never prepare for this up front and simply let the build process run and detect them. Then I decide on a per-port basis if I really want to go through with it.
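
The pre-install check asked about in post #4, written out as an added example (not code from any poster in this thread): it walks the port's all-depends-list, resolves each port directory to its PKGNAME, and passes that name to pkg audit -q. The function names, the PORTSDIR default and the rule that any output from pkg audit -q counts as a hit are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a port and its dependencies with pkg-audit(8)
# before building. Function names and the PORTSDIR default are
# assumptions of this example.
# Refresh the vulnerability database first, e.g. with: pkg audit -F
PORTSDIR=${PORTSDIR:-/usr/ports}

# Print the package name (name-version) the port in directory $1 installs.
port_pkgname() {
    make -C "$1" -V PKGNAME
}

# Audit port $1 (category/name) and every entry of its all-depends-list.
# Prints "origin pkgname" per flagged port; returns 1 if any was flagged.
audit_port_deps() {
    flagged=0
    for dir in "$PORTSDIR/$1" $(make -C "$PORTSDIR/$1" all-depends-list); do
        # Resolve the port directory to its PKGNAME form before auditing.
        name=$(port_pkgname "$dir") || continue
        [ -n "$name" ] || continue
        # Assumption: any output from "pkg audit -q" means a known issue.
        hits=$(pkg audit -q "$name" 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s %s\n' "${dir#$PORTSDIR/}" "$name"
            flagged=1
        fi
    done
    return "$flagged"
}

# Usage: sh preaudit.sh audio/supercollider
if [ $# -gt 0 ]; then
    audit_port_deps "$1"
fi
```

A non-zero exit status means at least one port in the list was flagged, so the script can gate a portmaster run without DISABLE_VULNERABILITIES being set.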
 