How to Lock Packages to Specific Versions on FreeBSD Operating System

How to Lock Packages to Specific Versions on FreeBSD Operating System
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

FreeBSD, a powerful and flexible Unix-like operating system, offers a robust package management system for installing, updating, and managing software. However, system administrators and users often need to lock specific packages to prevent unwanted updates, ensuring stability and compatibility with their applications. This guide will cover the methods for locking packages to specific versions in FreeBSD, detailing both binary package management using pkg and source-based management with the FreeBSD Ports Collection.

Why Lock Packages to Specific Versions?

Before diving into the technical details, it’s important to understand why locking package versions is necessary:

  • Stability: Updates may introduce bugs or compatibility issues, affecting system performance and reliability.
  • Security: Some updates may introduce security vulnerabilities, whereas the current version has been vetted.
  • Dependency Management: Some software depends on a specific version of a library or application to function correctly.
  • Customization: In some cases, custom configurations or patches applied to a package could be lost if it is updated.

Using pkg to Lock Packages

FreeBSD’s package manager, pkg, provides a simple and effective way to lock packages at a specific version. The pkg lock command prevents a package from being upgraded, downgraded, or removed unintentionally.

Locking a Package

To lock a package, use the following command:

pkg lock <package_name>

For example, to lock nginx at its current installed version:

pkg lock nginx

Once locked, the package remains at its current version even when you run system-wide updates.

Verifying Locked Packages

To check which packages are currently locked, use:

pkg info -l

This command will list all locked packages, allowing you to verify that your changes have taken effect.

Unlocking a Package

If you later decide to upgrade or remove the package, you must unlock it first:

pkg unlock <package_name>

For example, to unlock nginx:

pkg unlock nginx

Pinning Specific Package Versions in pkg

While pkg lock prevents updates, it does not allow you to specify a version explicitly. However, you can control package versions by using a custom repository or manually installing a specific version.

Installing a Specific Version

To install a specific version of a package, use:

pkg install <package_name>-<version>

For example:

pkg install nginx-1.20.2

You can find available versions of a package in the FreeBSD package repository by running:

pkg search <package_name>

Using a Custom Repository for Version Control

If you need long-term control over package versions, consider creating a local package repository with specific versions:

  1. Mirror the desired package version: Fetch the required package versions from an official repository.
  2. Set up a local repository: Store the packages on your server and generate a package catalog.
  3. Modify /etc/pkg/FreeBSD.conf: Point to your local repository instead of the default FreeBSD repository.

Using Ports to Lock Packages

The FreeBSD Ports Collection allows users to build and install software from source, giving more control over package versions.

Preventing Updates in Ports

  1. Hold a package version by modifying pkg-lock:

    If you’re using portmaster to manage ports, you can prevent an update with:

    echo "<package_name>" >> /usr/local/etc/pkg-lock.conf

  2. Using /etc/make.conf to Specify a Version:

    You can specify a particular version of a package by setting constraints in /etc/make.conf. For example:

    DEFAULT_VERSIONS+=php=7.4

    This forces the system to install and maintain PHP 7.4 instead of upgrading to a newer version.

Installing a Specific Version from Ports

  1. Navigate to the ports directory:

    cd /usr/ports/<category>/<package>

    For example:

    cd /usr/ports/www/nginx

  2. Check the available versions using Git history:

    git log Makefile

    This will show previous commits, allowing you to identify older versions.

  3. Checkout the specific version:

    git checkout <commit_hash>

  4. Build and install the package:

    make install clean

Preventing Updates for Specific Ports

To prevent updates for a specific port, you can mark it as forbidden or ignore:

echo 'BROKEN= yes' >> /usr/ports/<category>/<package>/Makefile

This ensures that portmaster and portupgrade skip the package during updates.

Best Practices for Managing Locked Packages

  • Regularly review locked packages: Keeping outdated packages indefinitely may introduce security risks.
  • Use version constraints in dependencies: When developing software, specify the required package versions explicitly.
  • Test updates in a staging environment: Before unlocking and upgrading a package in production, test it in a controlled environment.
  • Monitor FreeBSD Security Advisories: Some security patches may necessitate unlocking and upgrading a package.

Conclusion

Locking package versions in FreeBSD ensures system stability and prevents unexpected disruptions due to automatic updates. Whether using pkg to lock packages or the Ports Collection to manage source-based installations, administrators have several tools to maintain precise control over software versions. By following best practices and carefully monitoring updates, you can achieve a balance between stability and security on your FreeBSD system.


< How to Install GUI Applications on FreeBSDHow to Search for Packages with `pkg search` >