Solved Problem with upgrade package

Hi,

I have a FreeBSD 12.0 machine where I was obliged to apply a diff patch on a kernel source (PR 229852). I used svnlite just two months ago, applied the patch, compiled and installed the kernel. So far, so good (Revision: 345996).

I didn't patch the system (no -p4 or -p5) because I would have to recompile and reinstall kernel & world (too long).

But now pkg audit reports a vulnerability on samba47. And pkg upgrade samba47 returns that my package is up to date.

For another machine with 12.0-RELEASE but patched p4/p5, the upgrade went (samba47-4.7.12_1).

So I think the FreeBSD version is the problem. Will I have to recompile everything for each patch if I want to bring the packages up to date?

Seems strange to me. Packages shouldn't consider the patch level, no?
 
So I think the FreeBSD version is the problem.
No, these are unrelated.

I'm thinking one machine is 'stuck' with older packagesite information, try forcing it with pkg update -f. Then try pkg upgrade again. You can also easily compare the versions between your installed packages and the locally cached remote repository info: pkg version -vR.

Packages shouldn't consider the patch level, no?
Sometimes they do (because they need to), but it's going to complain loudly about a version difference in that case. Not silently refuse to update something.
 
After pkg update -f, pkg version -vR returns:
samba47-4.7.12 = up-to-date with remote

And obviously, pkg upgrade samba47 tells me it's up to date...
 
Hmm. Looking a little further, the change between 4.7.12 and 4.7.12_1 is a dependency:

The last change to the port happened 4 weeks ago:
More than enough time for the packages to get built.

I assume pkg-audit(8) complains about this one? https://www.vuxml.org/freebsd/793a0072-7822-11e9-81e2-005056a311d1.html

I don't think that's actually fixed yet. So pkg-audit(8) should complain on both machines.

That said, this doesn't explain why one machine has an update available while the other doesn't. Different mirrors? latest vs. quarterly perhaps? Compare pkg -vv on both machines.
 
You're right on all your statements. The machine where the upgrade went is set to the latest repository. The other is on quarterly.

There is no magic, it's me who changed to latest but I can't remember why.

I just have to wait until it's fixed in the quarterly repository. Unless I set this machine to latest. Is latest repository less stable or more risky than quarterly?
 
Is latest repository less stable or more risky than quarterly?
There's a lot more "churn", there are constantly things being updated. So there's always a small risk an update might break things. But overall it's been working fine for me.
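
The latest-versus-quarterly difference found in this thread can be checked by comparing the repository url in saved `pkg -vv` output from each machine. The script below is an added example, not part of the original thread; the `pkg -vv` excerpts are constructed samples and `repo_branches` is a hypothetical helper name.

```shell
# Print "<repo> <branch>" for each repository in `pkg -vv` output read from
# stdin. The branch is the last path component of the repository url
# (for the official repository: "quarterly" or "latest").
repo_branches() {
    awk '
        /^Repositories:/ { in_repos = 1; next }
        !in_repos { next }                      # skip the config dump above
        /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[{]/ {    # "  FreeBSD: {" opens a repo
            name = $1; sub(/:$/, "", name); url = ""; next
        }
        /^[ \t]*url[ \t]*:/ {                   # keep only the quoted url
            url = $0
            sub(/^[^"]*"/, "", url); sub(/".*$/, "", url); sub(/\/+$/, "", url)
        }
        /^[ \t]*[}]/ {                          # end of repo: report it
            if (name != "") { n = split(url, part, "/"); print name, part[n] }
            name = ""
        }
    '
}

# Constructed sample: host tracking the quarterly branch.
sample_quarterly() {
    cat <<'EOF'
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly",
    enabled         : yes
  }
EOF
}

# Constructed sample: host tracking the latest branch.
sample_latest() {
    cat <<'EOF'
Repositories:
  FreeBSD: {
    url             : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest",
    enabled         : yes
  }
EOF
}

a=$(sample_quarterly | repo_branches)
b=$(sample_latest | repo_branches)
echo "host A: $a"
echo "host B: $b"
if [ "$a" != "$b" ]; then echo "branch mismatch between hosts"; fi
```

On real machines, feed the function with `pkg -vv | repo_branches` on each host and compare the results.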
 