Seeking recommendations for upgrading ports/packages

J

J65nko

After spending most of the last years with OpenBSD I am building a new FreeBSD 9.1 webserver now. I am using a FreeBSD box at home to compile the ports into packages.

I have set the PACKAGES environment variable
Code: 
[cmd=#] env | grep pack[/cmd]
PACKAGES=/home/packages
This way a # make config-recursive and # make package-recursive results in nice package hierarchy:
Code: 
[cmd=#] ls -l /home/packages | head -5[/cmd]
total 104
drwxr-xr-x  2 root  wheel  3072 May  1 08:33 All
drwxr-xr-x  2 root  wheel  2560 May  1 08:33 Latest
drwxr-xr-x  2 root  wheel   512 Apr 28 00:57 archivers
drwxr-xr-x  2 root  wheel   512 Apr 30 21:36 converters

I have about 100 packages built:
Code: 
[cmd=#]ls /home/packages/All | wc -l[/cmd]
      98

With rsync these packages are copied to /home/packages on the webserver. That way I can install them with # pkg_add.

portaudit(1) now tells me two ports have security issues:
Code: 
[cmd=#]portaudit[/cmd]
Affected package: joomla-2.5.6
Type of problem: Joomla  -- XXS and DDoS vulnerabilities.
Reference: http://portaudit.FreeBSD.org/57df803e-af34-11e2-8d62-6cf0490a8c18.html

Affected package: phpMyAdmin-3.5.7
Type of problem: phpMyAdmin -- Multiple security vulnerabilities.
Reference: http://portaudit.FreeBSD.org/8c8fa44d-ad15-11e2-8cea-6805ca0b3d42.html

Affected package: phpMyAdmin-3.5.7
Type of problem: phpMyAdmin -- XSS due to unescaped HTML output in GIS visualisation page.
Reference: http://portaudit.FreeBSD.org/7280c3f6-a99a-11e2-8cef-6805ca0b3d42.html

3 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
I have not rsynced nor installed these packages on the webserver yet.

On April 7 I did a portsnap(8) to get the ports tree on the package building box.

What would be be the best way to upgrade these ports on my package building box without going through the ports/packages equivalent of the Windows 2.x or 3.x DLL upgrade hell ;)?
 
  • Uninstall them all on the build box.
  • Build them all on the build box, and create the packages.
  • Copy the packages over to the web server.
  • Uninstall all old packages on the web server.
  • Install all new packages on the web server.
That way, you are guaranteed that everything is built/installed in sync. Meaning, no old libraries or files or anything to conflict with.

It's how Poudriere works and how the PKGNG repos are handled.
 
Thanks for the answer ;)

This is what I was afraid of. But in terms of server downtime, this is quite a painful procedure. Considering the security track record of both Joomla and phpMyAdmin this probably will be something I will have to go through monthly.x(
 
J65nko said:
What would be be the best way to upgrade these ports on my package building box without going through the ports/packages equivalent of the Windows 2.x or 3.x DLL upgrade hell ;)?
Click to expand...
I can't really comment on the "best" part because that would require some experience with all of the other options, which is something I don't have.

Having that out of the way I'd like to recommend ports-mgmt/portmaster as a possible alternative. One of its key features is the ability to keep track of dependencies. To this end it separates all the ports in 4 sections: Root ports; these are "individual" ports. They have no dependency on others nor are there others depending on them. Trunk ports; these ports have no dependencies of their own but others are depending on them. Branch ports; these ports have both dependencies of their own as well as other ports which depend on their presence. And finally Leaf ports; these ports only have dependencies of their own but others do not depend on them.

The best part, as I mentioned, is that it can do most of the work for you. Or to quote the manualpage: "The focus of this tool is to keep the dependency tracking information for your ports up to date. This allows you to safely update a specific port without having to update all of the ports "above" it. In the rare case where you do need to recompile ports which depend on a port you are updating, the -r option exists to accomplish this."

Hope this can help out too.

And thanks for mentioning the option to recursively create the binary packages. I'll be needing that option myself in the near future and this saved me some research :)
 
J65nko said:
This is what I was afraid of. But in terms of server downtime, this is quite a painful procedure. Considering the security track record of both Joomla and phpMyAdmin this probably will be something I will have to go through monthly.x(
Click to expand...
As you must surely know, Joomla now has its own built-in updating mechanism. If a new minor version is available, this is displayed in the control panel, and it usually takes less than a minute to apply the update.

Why would you want to go through all the trouble of building a package and installing that instead of using Joomla's own very convenient facility?
 
RE: ports-mgmt/portmaster

Thanks for the tip, you have more experience in this regard than me ;) My last experience with the FreeBSD ports system was in the days of 4.x and 5.x releases and I don't recall things like this existed back then.
Surely I will give it a try.

RE: Joomla native updating mechanism

One of the few things I know about Joomla, is this updating mechanism. The reason for preferring the ports system is that I get a email from portaudit(1) in case of an security issue.

I read the server logs and see all those probes and attack attempts for Wordpress, Joomla and phpMyAdmin so I have to add an extra layer of protection with htpasswd(1) authentication.

Why cannot these CMS just spit out a website similar to a compiler producing an executable from source code?

RE: phpMyAdmin update

Just before I read your post, I updated the ports with portsnap(8) and did a # make deinstall and # make package in /usr/ports/databases/phpmyadmin. Sometimes you have to live dangerously ;)

While make all-depends-list showed a huge list, the the actual dependencies being checked were a lot less:
Code: 
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/include/php/main/php.h - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/ctype.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/session.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/filter.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/mbstring.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/json.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/apc.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/bz2.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/gd.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/mcrypt.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/openssl.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/pdf.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/zip.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/zlib.so - found
===>   phpMyAdmin-3.5.8.1 depends on file: /usr/local/lib/php/20100525-zts/mysqli.so - found
 
Programs that modify themselves after installation are heavily frowned upon in ports/packages. That's why you won't see support for self updating programs in FreeBSD ports. The reason is that the installed package must be verifiable with checksums and if the program modifies files that are in the package list the checksums won't match what is in the package database.
 
Yes, I can appreciate that. While normally I stick to installing stuff on the server via ports or packages, Joomla is one case when I prefer installing it myself -- and keeping it updated using the built-in facility. No disrespect intended towards the port maintainer, but it can sometimes take a while for the port to get updated. Also, since normally one adds third-party templates and extensions to a Joomla site, the package list and so on is never going to match.

databases/phpmyadmin on the other hand I'm perfectly happy install as a port and let the system handle upgrades. For a little added security, you could add something like this to your apache config:
Code: 
Alias /phpmyadmin /usr/local/www/phpMyAdmin
        <Directory /usr/local/www/phpMyAdmin>
        Order allow,deny
        Allow from [color="Red"]MYIPNUMBER[/color]
        </Directory>


The reason for preferring the ports system is that I get a email from portaudit(1) in case of an security issue.
Click to expand...
For this, you could also subscribe to the Joomla security team mails. I don't have the address handy; will look it up. See: http://docs.joomla.org/Security_Checklist/Getting_Started
 
Code: 
# da0 is a thumbdrive on [CMD]/mnt[/CMD]
mkdir -p /mnt/portmaster-download
cd /usr/ports/packages/All
cp -iv *.tbz /mnt/portmaster-download
umount /mnt
# now on the machine to be upgraded
mount -t unionfs /dev/da0 /usr/ports/packages
portmaster -d -B -P -i -g apache joomla php
Portmaster should install directly from the thumbdrive [finding its /usr/ports/packages/portmaster-download there, but gotchas exist which would mean fetching from the internet (a package) or building from source. Still, it is a reliable and quick method if both machines (the build machine and the server) are in the same vicinity.
 
You must log in or register to reply here.
Back
Top