NetBSD-Bugs archive


RE: install/46646: sysinst should configure fetch-pkg-vulnerabilities automatically if you choose to install pkgsrc



The following reply was made to PR install/46646; it has been noted by GNATS.

From: David Ross <dross%pobox.com@localhost>
To: <gnats-bugs%netbsd.org@localhost>, <install-manager%netbsd.org@localhost>,
        <gnats-admin%netbsd.org@localhost>, <netbsd-bugs%netbsd.org@localhost>
Cc: 
Subject: RE: install/46646: sysinst should configure
 fetch-pkg-vulnerabilities automatically if you choose to install pkgsrc
Date: Wed, 4 Jul 2012 09:45:09 -0700

 Regarding fetch_pkg_vulnerabilities=YES in daily.conf, I'm wondering if
 this will run immediately on the first boot.  Otherwise the user will
 likely just start building from pkgsrc right away without the benefit of
 the vulnerability check.

 Looks like there was a previous discussion of this:
 http://mail-index.netbsd.org/tech-userlevel/2010/01/oindex.html
 See "fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)"

 There was a privacy concern in that thread concerning the default behavior.

 So how about a separate option in the new sysinst menu to enable the
 vulnerability check, positioned right under the option to install pkgsrc?
 That seems like a reasonable compromise.

 Regarding Julian's concern about the MTA being configured...  The nice
 thing about the vulnerability check, for me at least, is that it prevents
 you from accidentally installing vulnerable packages.  I haven't been
 paying attention to any mail it's sending me.  =)

 I also understand the need to keep sysinst minimal, but providing an
 option to check for package vulnerabilities seems very fundamental.

 David Ross
 dross%pobox.com@localhost

 > From: jdf%NetBSD.org@localhost
 > To: install-manager%netbsd.org@localhost; gnats-admin%netbsd.org@localhost; netbsd-bugs%netbsd.org@localhost; dross%pobox.com@localhost
 > Subject: Re: install/46646: sysinst should configure fetch-pkg-vulnerabilities automatically if you choose to install pkgsrc
 > CC:
 > Date: Tue, 3 Jul 2012 19:25:02 +0000
 >
 > The following reply was made to PR install/46646; it has been noted by GNATS.
 >
 > From: Julian Djamil Fagir <jdf%NetBSD.org@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc:
 > Subject: Re: install/46646: sysinst should configure
 >  fetch-pkg-vulnerabilities automatically if you choose to install pkgsrc
 > Date: Tue, 3 Jul 2012 21:24:46 +0200
 >
 >  Hi,
 >
 >  > >Synopsis:       sysinst should configure fetch-pkg-vulnerabilities
 >  > >automatically if you choose to install pkgsrc Confidential:   no
 >  >
 >  > It's great that sysinst now provides the option to automatically install
 >  > pkgsrc.  It would be fantastic if this would also set up
 >  > fetch-pkg-vulnerabilities.
 >  >
 >  > The way I've been doing this manually is to run:
 >  > mkdir /var/db/pkg
 >  > pkg_admin rebuild
 >  > pkg_admin fetch-pkg-vulnerabilities
 >  >
 >  > Then in crontab:
 >  > 0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
 >  > 0 4 * * * /usr/sbin/pkg_admin audit
 >
 >  there are many tasks one could add to sysinst that would be useful, but it's
 >  all at the cost of usability.
 >  For fetch-pkg-vulnerabilities to be useful in most scenarios the MTA must be
 >  set up, thus network being set up, etc, a long list of dependencies.
 >  I would consider this fine-tuning rather than setup. And I think sysinst
 >  should stay minimal, with only a selected set of actions to be performed
 >  which are really needed for initial setup.
 >
 >  Regards, Julian


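An added example, not part of the original messages or of NetBSD's sysinst: shell functions that set `fetch_pkg_vulnerabilities=YES` idempotently in a daily.conf-style file and fetch the vulnerability list immediately when it is missing or stale, which covers the first-boot gap raised in the reply above. The function names, the 7-day default and the file paths passed as arguments (including the assumed list location under `/var/db/pkg`) are assumptions.

```shell
#!/bin/sh
# Added example. Paths are supplied by the caller; the 7-day default is an assumption.

# enable_vuln_fetch CONF
# Idempotently set fetch_pkg_vulnerabilities=YES in a daily.conf-style file.
enable_vuln_fetch() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^fetch_pkg_vulnerabilities=' "$conf"; then
        # Rewrite only the existing setting; cat keeps the file's owner and mode.
        tmp=$(mktemp "${conf}.XXXXXX") || return 1
        sed 's/^fetch_pkg_vulnerabilities=.*/fetch_pkg_vulnerabilities=YES/' \
            "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
    printf 'fetch_pkg_vulnerabilities=YES\n' >> "$conf"
}

# vuln_list_fresh FILE [MAX_AGE_DAYS]
# Succeeds only if FILE exists, is non-empty and was modified within MAX_AGE_DAYS.
vuln_list_fresh() {
    file=$1
    days=${2:-7}
    [ -s "$file" ] || return 1
    # find prints the name only when the file is newer than the limit.
    [ -n "$(find "$file" -mtime "-$days" -print 2>/dev/null)" ]
}

# ensure_vuln_list FILE [MAX_AGE_DAYS]
# Fetch right away if the list is missing or stale, instead of waiting
# for the next daily run.
ensure_vuln_list() {
    if vuln_list_fresh "$@"; then
        return 0
    fi
    pkg_admin fetch-pkg-vulnerabilities
}

# Typical use right after installation, before the first pkgsrc build
# (the list path is an assumed location, adjust to the local package database):
#   enable_vuln_fetch /etc/daily.conf
#   ensure_vuln_list /var/db/pkg/pkg-vulnerabilities && pkg_admin audit
```
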