The FreeBSD team has been hard at work for some time on pkgng, the successor to the soon-to-be deprecated pkg_* tools, and after extensive testing and internal use we can say it was definitely worth the wait.
The pkgng system brings together the best of both worlds: binary distribution while retaining the ability to custom build packages as needed. This can be via ports (which simply register themselves using the new system instead of the old) or via a custom repository.
Enter the A-Team Systems pkgng repository. One of the main benefits that ports have over traditional binary distribution systems is that they allow us to, at compile time, set options for a package. This is critical for a lot of pieces of software that we deploy on a wide scale, examples being enabling LDAP in Apache, NingX, and Sudo.
By maintaining our own repository we can have these packages, with the build options we desire, ready to go and be installed as binaries. This spares all of our client’s servers from having to manually compile a tool simply because we need some special options that aren’t enabled by default. The performance gain is especially profound for VMs and slower servers.
It also allows us to stay “at the bleeding edge” in terms of versions and security for key packages without waiting for the FreeBSD quarterly build cycle as needed.
At the same time pkgng supports multiple repositories with fallback, so we aren’t forced to compile all of the almost 25,000 ports simply because we want to customize a handful of them. If our repository doesn’t have the needed package the main FreeBSD repository is used seamlessly.
Finally pkgng supports cryptographic signatures and fingerprints for the best possible security. The FreeBSD repository uses SHA256 fingerprint verification and our A-Team repository uses a 4096 bit RSA key based certificate. With this there is no question if the binaries being installed have been tampered with, and are verified before a package is installed.
Even though the old pkg_* tools have almost seven more months to go (end of life for them is Sept. 1st, 2014) after our testing it quickly became apparent that pkgng not only is ready for prime time but also will save us time and our clients resources and money. We’ve just completed migrating all of our own servers as well as our clients and could not be happier.
Good night pkg_ tools, it’s been a swell 15+ years!