tech-userlevel archive


Re: Package automation in /etc/daily



On Sun, Jan 17, 2010 at 4:32 PM, Joerg Sonnenberger
<joerg%britannica.bec.de@localhost> wrote:
> On Sun, Jan 17, 2010 at 04:00:48PM +0000, Julio Merino wrote:
>>      check_packages             Checks the digital signature of all files
>>                                 installed by packages against the expected
>>                                 values stored in the packages database.
>
> Doesn't have practical value to prevent "attacks" -- MD5 is simply too
> weak.

Most, if not all, of the checks in daily are not bulletproof.  See
"check_network".

Still, running this is cheap and can let admins catch obvious
problems.  Certainly not simple attacks, but mistakes and/or broken
packages overriding files.

>>      fetch_pkg_vulnerabilities  Refreshes the local database of package
>>                                 vulnerabilities.
>
> Must be done by default, should be done with -u.
>
>>      pkg_dbdir  Location of the packages database.  If unset, defaults to the
>>                 value of the PKG_DBDIR environment variable (typically set
>>                 from /etc/profile) or to /var/db/pkg.
>
> I don't think support for non-default locations should be included...
> E.g. use whatever pkg_admin is configured for.

Can the default value of pkg_admin be changed in the base system?

I constantly set PKG_DBDIR in /etc/profile in all my installs because
the /var/db/pkg value is broken.  And I want this to "just work".

-- 
Julio Merino

