On 07/31/2017 03:56 PM, Marko Cupać wrote:
> Hi,
>
> first of all, thanx for syspatch. One-liner to apply all the errata
> patches instead of syncing source and rebuilding stuff are welcomed on
> my fleet of geographically remote OpenBSD firewalls running on PC
> Engines' apu2d4, not only because of its speed and simplicity, but also
> because of SDcard tear&wear minimisation.
>
> Now, I know I'm in unsupported waters because I noticed this on a box
> with only / mounted read-only, and /dev /var and /tmp as writable mfs
> file systems described (warning! blatant self-promotion below!) here:
> [https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]
>
> ...but the problem I am facing is that syspatch -l shows installed
> patches up to 013:
>
> pacija@zemun:~ $ doas syspatch -l
> 001_dhcpd
> 002_vmmfpu
> 003_libressl
> 004_softraid_concat
> 005_pf_src_tracking
> 006_libssl
> 007_freetype
> 008_exec_subr
> 009_icmp_opts
> 010_perl
> 012_wsmux
> 013_icmp6_linklocal
>
> ...whereas syspatch -c returns zero, while I guess it should return
> 014_libcrypto at the time of writing this. Another identical box which
> was patched up to 012 shows correct information (-l up to 012, -c 013
> and 014).
>
> I'm not whining or anything, I trust my OpenBSD firewalls to be more
> secure than any other solution out there even without these patches.
> But maybe someone with more knowledge of syspatch finds this behaviour
> worth investigating, even on unsupported setup.
>
> Finally, my question: How does syspatch check current patchlevel? By
> checking contents of /var/syspatch or some other way? I guess I'm
> showing my ignorance here :)
>
> Best regards,
>
If you file(1) /usr/sbin/syspatch, you'll see it's just a shell script;
that should probably help you understand what's going on, though it's
fairly terse shell script. I'll be tracing the execution of -c.
$ file /usr/sbin/syspatch
/usr/sbin/syspatch: Korn shell script text executable
syspatch -c contacts the mirrors in /etc/installurl at
${_MIRROR}/syspatch/${_KERNV[0]}/$(machine), for example:
https://ftp.fau.de/pub/OpenBSD/syspatch/6.1/amd64/ -- $_MIRROR is
https://ftp.fau.de/pub/OpenBSD, $_KERNV[0] is 6.1 (obtained from sysctl
-n kern.version), machine(1) returned amd64 and downloads SHA256 and
SHA256.sig. Then it verifies SHA256 against SHA256.sig.
It then parses the filenames in the SHA256 file in a format that's
compatible with syspatch -l and checks that list against the list
returned by syspatch -l.
syspatch -l checks /var/syspatch and lists directories those that have a
rollback.tgz inside them. It then sorts them using sort -V.
I'm not 100% sure on the details since I'm not the most experienced
shell scripter in the world, but this ought to be accurate enough for
debugging. If I'm wrong, I hope someone will come along and me.
My guess is that the mirror in /etc/installurl is either down or points
at a local file or something along those lines.
