Re: List of installed software packages: pkg_info?

"Joachim Schipper" <jdNoOtSPAMschipper@xxxxxxxxxx> schreef in bericht
news:467c24b3$0$49489$dbd4f001@xxxxxxxxxxxxxxxxxx
Do
security upgrades for OpenBSD upgrade separate programs to higher
versions? Is sendmail version 8.14.0 the only possible version for
all
systems with OpenBSD 4.1?

A quick summary of the branches in the OpenBSD repository:
informal name description
-current is where development happens
-stable the last release with several fixes and updates
-patch the last release with critical fixes
-release the last release
4.0-stable,-patch,-release
idem, for the release before the last one

A serious security problem would cause a fix (either an upgrade, or,
more likely, a patch) to be committed to -current, and possibly a
few
days later a patch to be committed to -stable. A patch
against -release
would also be made available, to update a -patch machine.

Except possibly in -current, this would not generally cause the
version
numbers to increase.

You can, however, look at sysctl kern.version, which includes the
date
on which the kernel was built. Since people running -current
and -stable
will almost always build a complete new system when updating, this
would
allow you to at least detect changes. This scheme would fall flat
for
-patch, though; the patches almost always contain instructions on
what
to rebuild (see undeadly.org for examples), which means that
a -patch
system might well have a httpd that was built at a later date than
the
kernel.

While kern.version is obviously the place to be to check for kernel
changes, for the rest it might be a better idea to integrate with
/etc/security, which stores dates and checksums of important things
(and
sends nightly mail on changes). Or not; I have no idea on how much
work
that'd entail.

On a semi-related note, I'd find your software tremendously more
useful
if it could be told not to show configuration files that have not
been
modified from the default; the listing you have now is extremely
verbose
and far less informative than it could be. (Exactly how to implement
this is another question; including checksums is easy, but
time-consuming.)
Did you have a look at the logbook?
http://www.openeyet.nl/scc/examples/scc.openbsd41.log.html
It shows only the changes that have been recorded during all runs. It
only shows the lines that actually changed.
Wading through such a snapshot is not my favorite passtime. Snapshots
are sent to a server where they can be searched and compared.


If that is the case, registrating the
OpenBSD version would imply the contents of the software inventory.

I am afraid I do not understand this sentence.
From the release notes I know that all OpenBSD 4.1 systems start with:
- sendmail 8.14.0
- apache 1.3.29
- xxxx a.b.c
and so on. The names and versions of these products are what I meant
with the contents of the software inventory. Rephrasing the sentence:

When it is impossible to increase the version of any of these products
without upgrading to 4.2, registration of release 4.1 in the snapshot
would be sufficient to deduce the versions of all of these products.

Siem Korteweg


.

Relevant Pages

  • Re: Why FreeBSD not popular on hardware vendors
    ... we did use openbsd for 1 yr for our servers and it was ok though some ... in fact, the recommended upgrade process ...
    (freebsd-questions)
  • OpenBSD 4.2 upgrade to 4.3 breaks kde and konqueror
    ... (startkde fails even when started from X) ... and konqueror (konqueror will ... I did a vanilla upgrade of OpenBSD followed by pkg_add -u. ...
    (comp.windows.x.kde)
  • Re: dhclient-exit-hooks in 3.4
    ... > decided to upgrade the machine and also upgrade OpenBSD to 3.4. ... that dhclient worked with the dhclient-exit-hooks script. ... I had DHCP problems with the ...
    (comp.unix.bsd.openbsd.misc)
  • openoffice for AMD 64-bit OpenBSD 4.1
    ... I just upgraded AMD 64-bit OpenBSD 4.0 to 4.1. ... pkg_add -u to upgrade my packages. ... versions of these three libraries are on my system. ...
    (comp.unix.bsd.openbsd.misc)
  • Re: SBS 2003 SP 1 on MSDN disks
    ... I've got that page, saved it as a .mht, and will bump the fonts to a readable size when it comes time to do the upgrade. ... I don't really give Microsoft high marks when their damned security upgrades broke those essential features. ... But, one of these days I will uninstall SUS, install WUS, and get that working. ...
    (microsoft.public.windows.server.sbs)
Loading