Unexpected dependencies of graphics/libGL
Polytropon
freebsd at edvax.de
Tue Jan 19 05:23:55 UTC 2016
On Tue, 19 Jan 2016 05:08:06 +0000, Luís Fernando Schultz Xavier da Silveira wrote:
> That is a very cool idea. However, it does not make sense to me.
> From a security point of view, it is not an improvement because malware
> in the build dependencies could still affect the results of the
> compilation within the jail and hence the final binaries and pkg
> scripts.
But this is not different from how ports are being built in
the regular ports tree: Compilation tools could be compromised
or package content could be affected. The typical "make install"
will generate a package which is then installed via pkg.
> Furthermore, theoretically if an unnecessary dependency can break the
> vanilla system, it can also break it for the same reason with this
> trick (it is just less likely).
It's easier to revert a jail than a whole system. Additionally,
the jail is separated from the system so no harm can be done
there.
> Also, the build dependencies will be built over and over again
> inside the jails during updates (and there are a lot of them).
This also applies to regular port usage - unless, of course,
you are forcing non-standard behaviour (like keeping an old
library via "pkg lock").
> So, while Poudriere is useful for building packages from the point of
> view of the FreeBSD infrastructure (who does not install the packages
> itself), it does not make sense to me for a system that will be
> installing the packages.
In this case, check "pkg lock" and "pkg unlock". Maybe a custom
solution is possible for you: First lock all packages except
those that you really want to be affected by an upgrade, then
run "make configure" and "make install" (which, as I said, causes
a "pkg install" step), and then unlock things again if you wish.
If your system contains lots of software installed from ports,
and you're not planning to install from packages, this is not
a big problem, I think. Only the case "mixing ports and packages"
is still something where you need to pay attention to several
side effects.
--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
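The lock / rebuild / unlock sequence suggested in the reply above, written out as a POSIX sh script. This is an added example, not code from the mail or from the FreeBSD project. It assumes a FreeBSD host with pkg(8) and a ports tree under $PORTSDIR; the PKG_LIST and DRY_RUN variables are hypothetical knobs added here so the selection logic can be exercised with a constructed package list, without touching a real package database.

```shell
#!/bin/sh
# Added example, not part of the original mail: "lock everything except what
# you want upgraded, rebuild those ports, unlock again" as a script.
# Assumes a FreeBSD host with pkg(8) and a ports tree under $PORTSDIR.
# PKG_LIST (space-separated package names) and DRY_RUN=1 are hypothetical
# knobs so the logic can run offline against a constructed package list.

set -eu

PKG="${PKG:-pkg}"
PORTSDIR="${PORTSDIR:-/usr/ports}"

# run CMD...: execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# installed_packages: one installed package name per line
# (real hosts: pkg query '%n'; offline: the constructed PKG_LIST override)
installed_packages() {
    if [ -n "${PKG_LIST:-}" ]; then
        printf '%s\n' $PKG_LIST
    else
        "$PKG" query '%n'
    fi
}

# packages_to_lock ALLOWLIST: every installed package that is NOT in the
# space-separated ALLOWLIST, i.e. everything the upgrade must leave alone
packages_to_lock() {
    allow=" $1 "
    installed_packages | while read -r name; do
        case "$allow" in
            *" $name "*) ;;        # meant to be upgraded: stays unlocked
            *) echo "$name" ;;
        esac
    done
}

# lock_all_except ALLOWLIST: step 1 of the mail, pkg lock on everything else
lock_all_except() {
    for name in $(packages_to_lock "$1"); do
        run "$PKG" lock -y "$name"
    done
}

# rebuild_ports ALLOWLIST: step 2, "make configure" then install from the
# port's origin directory. "make install" refuses a port that is already
# installed; "make reinstall" is the bsd.port.mk target for that case.
rebuild_ports() {
    for name in $1; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            origin="ORIGIN-OF-$name"             # placeholder: no pkg db in dry run
        else
            origin=$("$PKG" query '%o' "$name")  # e.g. graphics/libGL
        fi
        run sh -c "cd '$PORTSDIR/$origin' && make configure && make reinstall clean"
    done
}

# unlock_all: step 3, release every lock set above
unlock_all() {
    run "$PKG" unlock -ay
}

# Dry-run walk-through with a constructed package list (names made up):
#   DRY_RUN=1 PKG_LIST="libGL-1 vim-8 bash-4" \
#     sh -c '. ./pkg-lock-upgrade.sh; lock_all_except vim-8; rebuild_ports vim-8; unlock_all'
```

Run it first with DRY_RUN=1 and compare the printed pkg lock lines against what you expect to keep frozen; the "mixing ports and packages" side effects mentioned in the mail show up exactly there, as packages that a later pkg upgrade would otherwise replace.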