Re: Patch clusters
- From: "toby" <toby@xxxxxxxxxxxxxxxxxxx>
- Date: 10 Dec 2006 16:40:22 -0800
hilge wrote:

> In article <1165402015.524798.279760@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
> tfb+google@xxxxxxxx says...
> > > Is there a link to a cluster of the free patches, or do I have to
> > > download them individually and read all the release notes to figure out
> > > the correct installation order?
> >
> > Either Sun's patch management tools or (I'd recommend) the wonderful
> > pca script will do the whole downloading, dependency and installing
> > thing for you.
>
> I installed Sol 10 on a system, registered it, and then ran smpatch
> (first 'smpatch analyze' and then 'smpatch update').
> The fucker ran for about nine hours before I gave up and killed it off.
> During that time, it only authenticated roughly half a dozen or so
> patches, but I didn't count. I don't think it actually installed any
> patches at all.

It does 'seem' (from my limited experience) to be sensitive to network
problems (e.g. dodgy last mile services).

> For God's sake. Do you know how long it takes me to download the
> massive Sol 9 patch cluster and patch a fresh Sol 9 install? About four
> hours. Four hours to successfully complete a task that smpatch -failed-
> to complete in more than twice that much time.
>
> I wasn't too happy about having to put a freshly built system on the
> 'net, either. I would prefer to keep a new system OFF the Internet
> until it's been patched, so that most of the well-known holes are
> closed.

Both problems (flakiness, avoid exposure to public net) can be resolved
by using a proxy or VPN.

In one case, where smpatch was misbehaving, using an ssh tunnel to an
external (squid) proxy in colocation made it work reliably and a lot
faster (even though the actual net service was the same). Or you could
do something similar over OpenVPN.

> I've seen new systems attacked in as little as fifteen minutes;

Attempts, yes... that is a normal expectation for a machine on the
public internet. I've been running Linux/UNIX systems on the public net
for something like 200+ server years with no damage (touch wood). And
my experience is nothing unusual.

> having a system -- probably with some unpatched security issues -- on
> the 'net for 9+ hours is very stupid, IMO. The firewall didn't log
> anything suspicious, though, so I doubt anything happened... But still.

This is Solaris we're talking about, not Windows :) There are layers
upon layers of security infrastructure... From the firewall, through
SST/JASS (you used that?), zones, and so on, etc.

Feh.
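The ssh-tunnel-to-squid arrangement toby describes, as an added shell example that is not part of the thread: the colo host, user and ports are constructed placeholders, and the smpatch proxy keys (patchpro.proxy.host/port) are assumed from Solaris 10's smpatch rather than taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread: run smpatch through a squid proxy on a
# colo box, reached over an ssh tunnel, so the freshly built host talks only
# to that one known machine until it is patched.
# COLO_HOST/COLO_USER are constructed placeholders; override via environment.
COLO_HOST="${COLO_HOST:-colo.example.net}"   # assumed: ssh host running squid
COLO_USER="${COLO_USER:-patchuser}"
SQUID_PORT="${SQUID_PORT:-3128}"             # squid's default listen port
LOCAL_PORT="${LOCAL_PORT:-3128}"             # loopback port the tunnel binds

# ssh command: -N (no remote shell), -f (background after auth),
# -L bound to 127.0.0.1 on both ends so nothing else can ride the tunnel.
tunnel_cmd() {
    printf 'ssh -f -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$LOCAL_PORT" "$SQUID_PORT" "$COLO_USER" "$COLO_HOST"
}

# smpatch proxy keys; patchpro.proxy.host/port are assumed from Solaris 10's
# smpatch ('smpatch get' lists the keys your release actually supports).
smpatch_proxy_args() {
    printf 'patchpro.proxy.host=127.0.0.1 patchpro.proxy.port=%s' "$LOCAL_PORT"
}

# Only touch the system when RUN_PATCH=1; otherwise just print the plan.
run_patch() {
    eval "$(tunnel_cmd)" || { echo "tunnel failed" >&2; return 1; }
    smpatch set $(smpatch_proxy_args) || return 1
    smpatch get                      # confirm the proxy keys took
    smpatch analyze && smpatch update
}

if [ "${RUN_PATCH:-0}" = "1" ]; then
    run_patch
else
    echo "would run: $(tunnel_cmd)"
    echo "then:      smpatch set $(smpatch_proxy_args)"
fi
```

Because the forward is bound to loopback on both ends, squid's ACL on the colo box only needs to permit localhost, and the new host's patch traffic never leaves the ssh session.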