Sunday, May 20, 2007

Binary Packages

I've been a Debian user for a while and I'm trying to get used to pkgsrc. My goals for pkgsrc are:
  • Only install what I need
  • Stay current with updates
Note that the first goal will make the second one easier. Eventually I'd like to keep a CVS synchronized pkgsrc tree but for now I'm going to start by using binary packages. One thing that I like about apt that I want to talk about in this post is dependency management and security updates. When I was using packages not managed by my operating system I didn't want to search for dependent packages or drop whatever I was doing just to manually build the latest version of a package because a new vulnerability came out. This security update feature got me addicted to apt-get. I would just "apt-get upgrade" every few days and not have to worry about those exploits. Note that an operating system could also provide a managed system for updates that you automatically build (as opposed to manually) rather than install binary packages. I'm looking to explore this further when I get to know the src side of pkgsrc, but today I'm focusing on the pkg side.

Dependencies

Pkgsrc will manage your dependencies provided those packages "are present where you install" your package from. I.e. you can specify an FTP location as an argument to pkg_add and it will then download and install the package along with its dependencies. The trick is not to download the binary package itself first: when you try to pkg_add the downloaded file, the dependent packages may not be present and pkg_add will complain that it can't find the dependencies. This is like downloading a .deb file without its dependencies and then trying to dpkg it. Instead, give pkg_add a URL to a package rather than a package file and let pkg_add handle the dependencies. So if you search around and find a package that you want, you should be able to copy the link for your platform and then pass it to the pkg_add command. E.g. I wanted madplay to play my MP3s for i386, so I used:
bash-3.2# pkg_add <URL>
pkg_add: Warning: package ... was built for a different version of the OS:
pkg_add: NetBSD/i386 3.0 (pkg) vs. NetBSD/i386 3.1 (this host)
bash-3.2# which madplay
/usr/pkg/bin/madplay
bash-3.2#
Note that I try to use ftp8 and ftp7 since they are the closest mirrors (for madplay it linked back to the master ftp.netbsd.org).

Finding Newer Versions and Vulnerabilities

Pkgsrc will provide you a list of vulnerabilities and a list of newer versions. After installing audit-packages I ran "download-vulnerability-list" and then "audit-packages" to get a list of security threats. After installing pkglint I could also see that there were newer packages:
bash-3.2# lintpkgsrc -i
Scan Makefiles: 6607 packages                              
Version mismatch: 'MesaLib' 6.4.2nb2 vs 6.4.2nb3
Version mismatch: 'Xft2' 2.1.7nb2 vs 2.1.7nb3
Version mismatch: 'Xrender' 0.9.0nb1 vs 0.9.0nb2
Version mismatch: 'atk' 1.12.3 vs 1.18.0
Version mismatch: 'bash' 3.2 vs 3.2.9,2.05.2.7nb8
Version mismatch: 'cairo' 1.2.6 vs 1.4.2nb1
Version mismatch: 'emacs' 20.7nb7 vs 21.4anb10,20.7nb8
Version mismatch: 'esound' 0.2.36nb1 vs 0.2.37
Version mismatch: 'firefox' 2.0.0.1 vs 2.0.0.3nb1,1.5.0.11
Version mismatch: 'fluxbox' 0.9.15.1nb1 vs 1.0rc3nb1
Version mismatch: 'fontconfig' 2.4.2 vs 2.4.2nb2
Version mismatch: 'freetype2' 2.2.1nb2 vs 2.3.4
Version mismatch: 'glib2' 2.12.4nb1 vs 2.12.11
Version mismatch: 'gtk2+' 2.10.6 vs 2.10.11
Version mismatch: 'libIDL' 0.8.7 vs 0.8.8
Version mismatch: 'pango' 1.14.9 vs 1.16.2
Version mismatch: 'perl' 5.8.8nb3 vs 5.8.8nb4
Version mismatch: 'pkglint' 4.74 vs 4.76
Version mismatch: 'png' 1.2.14nb1 vs 1.2.16
bash-3.2# 
The documentation claims that I can then use "make update" to update the package and rebuild any dependencies. AFAICT this means that you have to cd into /usr/pkgsrc and run the "make update" command to make an update from source. I.e. it doesn't mean that it will download a newer binary package. For example, after running the above I cd'd into /usr/pkgsrc/editors/emacs20 and ran "make update"; when I then ran the above command again, its output no longer included emacs20 (note that I should really get emacs21, but that's not the point). Here is the new output after the "make update":
bash-3.2# lintpkgsrc -i
Scan Makefiles: 6607 packages                              
Version mismatch: 'MesaLib' 6.4.2nb2 vs 6.4.2nb3
Version mismatch: 'Xft2' 2.1.7nb2 vs 2.1.7nb3
Version mismatch: 'Xrender' 0.9.0nb1 vs 0.9.0nb2
Version mismatch: 'atk' 1.12.3 vs 1.18.0
Version mismatch: 'bash' 3.2 vs 3.2.9,2.05.2.7nb8
Version mismatch: 'cairo' 1.2.6 vs 1.4.2nb1
Version mismatch: 'esound' 0.2.36nb1 vs 0.2.37
Version mismatch: 'firefox' 2.0.0.1 vs 2.0.0.3nb1,1.5.0.11
Version mismatch: 'fluxbox' 0.9.15.1nb1 vs 1.0rc3nb1
Version mismatch: 'fontconfig' 2.4.2 vs 2.4.2nb2
Version mismatch: 'freetype2' 2.2.1nb2 vs 2.3.4
Version mismatch: 'glib2' 2.12.4nb1 vs 2.12.11
Version mismatch: 'gtk2+' 2.10.6 vs 2.10.11
Version mismatch: 'libIDL' 0.8.7 vs 0.8.8
Version mismatch: 'pango' 1.14.9 vs 1.16.2
Version mismatch: 'perl' 5.8.8nb3 vs 5.8.8nb4
Version mismatch: 'pkglint' 4.74 vs 4.76
Version mismatch: 'png' 1.2.14nb1 vs 1.2.16
bash-3.2# 
It seems that the binary packages can get you a package quickly but that you should probably build from source to begin with in order to have the newer versions. I'll post more about this later.
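The before/after comparison of the two "lintpkgsrc -i" runs above can be scripted, which is handy for confirming that an update actually cleared a package from the list. This is an added example, not part of the original post; the helper names mismatches and resolved are hypothetical, and the sample lines are copied from the output shown above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample lines are copied
# from the lintpkgsrc -i output in the post.

# Read lintpkgsrc -i output on stdin and print one line per mismatch:
#   <package> <installed version> <candidate version(s)>
mismatches() {
    awk -F"'" '/^Version mismatch: / {
        # Field 2 is the quoted package name, field 3 is " <inst> vs <cand>"
        n = split($3, f, " ")
        if (n == 3 && f[2] == "vs") print $2, f[1], f[3]
    }'
}

# Given two captured runs ($1 = before, $2 = after), print the packages
# that were reported in the first run but not in the second.
resolved() {
    after_names=$(printf '%s\n' "$2" | mismatches | cut -d' ' -f1)
    printf '%s\n' "$1" | mismatches | cut -d' ' -f1 |
    while read -r name; do
        printf '%s\n' "$after_names" | grep -Fqx -- "$name" ||
            printf '%s\n' "$name"
    done
}

BEFORE="Scan Makefiles: 6607 packages
Version mismatch: 'emacs' 20.7nb7 vs 21.4anb10,20.7nb8
Version mismatch: 'firefox' 2.0.0.1 vs 2.0.0.3nb1,1.5.0.11
Version mismatch: 'png' 1.2.14nb1 vs 1.2.16"

AFTER="Scan Makefiles: 6607 packages
Version mismatch: 'firefox' 2.0.0.1 vs 2.0.0.3nb1,1.5.0.11
Version mismatch: 'png' 1.2.14nb1 vs 1.2.16"

resolved "$BEFORE" "$AFTER"
```

On a real host, capture the output of "lintpkgsrc -i" into a variable before and after the update instead of using the embedded samples. A version mismatch only means a newer package exists; audit-packages remains the check for known vulnerabilities.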
