On 07/31/2017 03:56 PM, Marko Cupać wrote:
> Hi,
>
> first of all, thanx for syspatch. One-liner to apply all the errata
> patches instead of syncing source and rebuilding stuff are welcomed on
> my fleet of geographically remote OpenBSD firewalls running on PC
> Engines' apu2d4, not only because of its speed and simplicity, but also
> because of SDcard tear&wear minimisation.
>
> Now, I know I'm in unsupported waters because I noticed this on a box
> with only / mounted read-only, and /dev /var and /tmp as writable mfs
> file systems described (warning! blatant self-promotion below!) here:
> https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages
>
> ...but the problem I am facing is that syspatch -l shows installed
> patches up to 013:
>
> pacija@zemun:~ $ doas syspatch -l
> 001_dhcpd
> 002_vmmfpu
> 003_libressl
> 004_softraid_concat
> 005_pf_src_tracking
> 006_libssl
> 007_freetype
> 008_exec_subr
> 009_icmp_opts
> 010_perl
> 012_wsmux
> 013_icmp6_linklocal
>
> ...whereas syspatch -c returns zero, while I guess it should return
> 014_libcrypto at the time of writing this. Another identical box which
> was patched up to 012 shows correct information (-l up to 012, -c 013
> and 014).
>
> I'm not whining or anything, I trust my OpenBSD firewalls to be more
> secure than any other solution out there even without these patches.
> But maybe someone with more knowledge of syspatch finds this behaviour
> worth investigating, even on unsupported setup.
>
> Finally, my question: How does syspatch check current patchlevel? By
> checking contents of /var/syspatch or some other way? I guess I'm
> showing my ignorance here :)
>
> Best regards,
If you file(1) /usr/sbin/syspatch, you'll see it's just a shell script; that should probably help you understand what's going on, though it's a fairly terse shell script. I'll be tracing the execution of -c.

$ file /usr/sbin/syspatch
/usr/sbin/syspatch: Korn shell script text executable

syspatch -c contacts the mirror in /etc/installurl at ${_MIRROR}/syspatch/${_KERNV[0]}/$(machine), for example:

https://ftp.fau.de/pub/OpenBSD/syspatch/6.1/amd64/

-- $_MIRROR is https://ftp.fau.de/pub/OpenBSD, $_KERNV[0] is 6.1 (obtained from sysctl -n kern.version), machine(1) returned amd64 -- and downloads SHA256 and SHA256.sig. Then it verifies SHA256 against SHA256.sig.

It then parses the filenames in the SHA256 file into a format that's compatible with syspatch -l and checks that list against the list returned by syspatch -l.

syspatch -l checks /var/syspatch and lists those directories that have a rollback.tgz inside them. It then sorts them using sort -V.

I'm not 100% sure on the details since I'm not the most experienced shell scripter in the world, but this ought to be accurate enough for debugging. If I'm wrong, I hope someone will come along and me.

My guess is that the mirror in /etc/installurl is either down or points at a local file or something along those lines.
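To make the comparison described in the reply concrete, here is a small constructed re-implementation of the two lists and their diff. It is added here as an illustration and is not the code of OpenBSD's syspatch(8): it assumes the SHA256 index lines look like "SHA256 (syspatch61-014_libcrypto.tgz) = <hash>", skips the SHA256.sig verification step entirely (no mirror is contacted), and uses plain sort rather than sort -V, which gives the same order for the zero-padded patch names and is what comm(1) needs. The /var/syspatch tree and the SHA256 index are built under a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Hypothetical re-implementation of the syspatch -l / -c list comparison.
# Constructed example for illustration; not OpenBSD's own syspatch script.

# Installed patches: every directory under $1 that contains a rollback.tgz,
# reported by basename. syspatch sorts with sort -V; zero-padded names sort
# the same with plain sort, which also satisfies comm(1) below.
list_installed() {
    for d in "$1"/*/; do
        [ -f "${d}rollback.tgz" ] && basename "$d"
    done | sort
}

# Available patches from a SHA256 index file ($1). Assumed line format:
#   SHA256 (syspatch61-014_libcrypto.tgz) = <hash>
# Only the NNN_name part is kept, matching what syspatch -l prints.
list_available() {
    sed -n 's/^SHA256 (syspatch[0-9]*-\(.*\)\.tgz) = .*/\1/p' "$1" | sort
}

# Patches present in the index ($2) but not installed under $1:
# the set that a -c run would report.
missing_patches() {
    _inst=$(mktemp); _avail=$(mktemp)
    list_installed "$1" > "$_inst"
    list_available "$2" > "$_avail"
    comm -13 "$_inst" "$_avail"
    rm -f "$_inst" "$_avail"
}

# Build a constructed /var/syspatch tree and SHA256 index in a temp dir
# and print its path. Patch names are taken from the thread above.
setup_demo() {
    _root=$(mktemp -d)
    for p in 001_dhcpd 002_vmmfpu 013_icmp6_linklocal; do
        mkdir -p "$_root/var/syspatch/$p"
        : > "$_root/var/syspatch/$p/rollback.tgz"
    done
    # A patch directory without rollback.tgz (e.g. an interrupted install)
    # is not counted as installed, so it shows up as missing again.
    mkdir -p "$_root/var/syspatch/003_libressl"
    cat > "$_root/SHA256" <<'EOF'
SHA256 (syspatch61-001_dhcpd.tgz) = 0000000000000000000000000000000000000000000000000000000000000000
SHA256 (syspatch61-002_vmmfpu.tgz) = 0000000000000000000000000000000000000000000000000000000000000000
SHA256 (syspatch61-003_libressl.tgz) = 0000000000000000000000000000000000000000000000000000000000000000
SHA256 (syspatch61-013_icmp6_linklocal.tgz) = 0000000000000000000000000000000000000000000000000000000000000000
SHA256 (syspatch61-014_libcrypto.tgz) = 0000000000000000000000000000000000000000000000000000000000000000
EOF
    echo "$_root"
}

DEMO=$(setup_demo)
echo "installed:"; list_installed "$DEMO/var/syspatch"
echo "missing:";   missing_patches "$DEMO/var/syspatch" "$DEMO/SHA256"
```

With this model, an empty "missing" list on a box that is visibly behind can only come from the available list being empty, which is why the reply's guess about the mirror (or the read-only mount making the SHA256 download fail silently) is the first thing to check: run the fetch of ${_MIRROR}/syspatch/6.1/amd64/SHA256 by hand and look at what comes back.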