On 22.11.2014 15:45, John Merriam wrote:
On Sat, 22 Nov 2014, bodie wrote:
On 22.11.2014 03:40, John Merriam wrote:
On Fri, 21 Nov 2014, Comète wrote:
21 November 2014 23:00 "John Merriam" <j...@johnmerriam.net> wrote:
Hello. I am trying to write a script to check for updates to the binary packages by checking the output of pkg_add then sending an e-mail if something is found. ...
Maybe you're looking for this ?
http://www.mtier.org/index.php/solutions/apps/openup/
Morgan
Hmmm. Thanks for the suggestion. I'm looking for something much simpler though (KISS principle has been good to me in the past). My main question is: is there something better than `pkg_add -Iusx | grep -v "^quirks\-"` to check for updates to packages?
You did not mention what version of OpenBSD you are using. Is it -release, -stable or -current?
At the moment I am on 5.6-release
For -release, -stable there are hardly any updates during 6 months period so checking it everyday is quite pointless. For -current you need to follow at least current.html and mirrors for new snapshots eg. and what's most important you must keep system in sync so you will be doing update of packages in any case no matter how much of them updated.
Looking back at the past couple releases it looks like there haven't been any updates to the binary packages at all?
That seems kind of surprising to me. I'm used to running Debian stable where there are lots of package updates. Debian almost never updates anything in their stable releases unless there is a security issue, but still there are lots of updates.
It's about man power and http://www.openbsd.org/papers/asiabsdcon2009-release_engineering/
Yes, release has 1 year support, yes there are critical security fixes (to OpenBSD), but there's simply not enough people available to keep up with patches of packages/ports for -release/-stable.
It may sound bad coming from Linux world, but the fact is that a lot of the people using -current in production just fine, because -current in OpenBSD means something like LTS (from point of view of stability) elsewhere.
For companies -release/-stable is something what they are looking for mostly to show management that they are using "stable" OS. Here updates once a 6 months or once a year are fine for them (or after every security fix in base OS, if you have proper infrastructure you can make it easily without downtime)
http://www.openbsd.org/faq/ports/ports.html#PortsLag
So for -release/-stable your script is of use (plus security.html of course), but doesn't need to be run everyday for sure. In organizations you will need to have some release/patching calendar anyway to make managers happy and they will not allow patching window quite often so something like once a month like Microsoft or quarterly will be more than enough.
About -current...new packages most of the time mean that you need new OS too so you will have process for complete upgrade anyway in place and then your script may fill mailbox daily with a lot of info which soon no one will read because it's simply not only info created out of one machine by cron and all other stuff like log monitors and such.
openup looks to be doing something similar for the update checking portion by using pkg_info output then fed to pkg_add to check for updates. Not sure why it wouldn't just use pkg_add to check for the updates. The code is also kinda odd to me. Seems overly complicated and looks to be doing some things that I'm not so sure I would want to be doing on my machines.
Anyway, if there aren't any other tips or suggestions, I'll just go with what I have and adjust if I find issues down the road. Thanks!
Please forgive my ignorance on this issue since the last time I used OpenBSD pkg_add didn't have all this update checking stuff.
I used binary packages because that's what the FAQ recommends. Would I be better off using ports instead? Are the ports updated more frequently?
I really like the stability of -release (or -stable I guess) but I don't want to lose out on security updates to the packages/ports...
Try -current and you will be surprised. In fact with -current you have easy binary upgrade process of whole OS and packages. You can do it daily, weekly, monthly or simply whenever you want as long as you know why and what you are doing :-)
Binary packages are recommended. Result of port install is package anyway. Ports are for porters and maintainers of those packages, for users in case they need some non-standard or not so widely used compile switches.
And yes, ports http://openports.se/ , http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/ are updated more frequently because they must be kept in sync with -current.
Devs are doing incredible work here and based on last 10 years experience you will hardly hit any problem (not that there are not sometimes, but did not hit stopping one yet).
Of course there are always packages built out of that so still you don't need to compile that for yourself. In that magic having binary packages for most used platforms daily is http://undeadly.org/cgi?action=article&sid=20100618041150 , http://undeadly.org/cgi?action=article&sid=20140307130554 which is interesting reading (and other posts about it). Of course you can use it in your own infrastructure too.
Simply don't use Linux approach here (= current = unstable ; release = stable/updates), but instead
release/stable = for machines where base OS is all you need or those which will not use much packages and where updating them once a 6 months or 1 year will be fine for you
current = laptops, desktops, servers with a lot of packages and such and downtime you will avoid with proper HA
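
An added example, not part of the original thread: one way to keep the `pkg_add -Iusx | grep -v "^quirks\-"` check from the question out of the "daily mail nobody reads" trap described above is to report only when the filtered output is non-empty and differs from the previous run. The function names and the state-file path are hypothetical, and the function reads captured output on stdin so it can be exercised without pkg_add.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are hypothetical.

# Drop quirks lines (as the pipeline in the thread does) and blank lines.
filter_updates() {
    grep -v '^quirks-' | grep -v '^[[:space:]]*$' || true
}

# report_if_new STATEFILE   (raw pkg_add output is read from stdin)
# Prints the filtered report and returns 0 only when it is non-empty AND
# differs from the report recorded by the previous run. Returns 1 otherwise,
# so the caller sends no mail.
report_if_new() {
    state=$1
    report=$(filter_updates)

    if [ -z "$report" ]; then
        # Nothing pending: forget the old report so the next finding is
        # reported even if it happens to be identical to an earlier one.
        rm -f "$state"
        return 1
    fi

    # cksum is POSIX; a checksum is enough to detect "same list as before".
    sum=$(printf '%s\n' "$report" | cksum)
    if [ -f "$state" ] && [ "$(cat "$state")" = "$sum" ]; then
        return 1    # same findings as last run: stay quiet
    fi

    # Write the state file readable by the owner only.
    ( umask 077; printf '%s\n' "$sum" > "$state" )
    printf '%s\n' "$report"
    return 0
}

# Possible cron usage on the OpenBSD host (hypothetical state path):
#   if out=$(pkg_add -Iusx 2>&1 | report_if_new /var/db/pkgcheck.sum); then
#       printf '%s\n' "$out" | mail -s "package updates on $(hostname)" root
#   fi
```

Because stderr is merged into the report in the usage comment, a mirror or network error also counts as a change and is mailed once rather than silently ignored.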