Contributed by jose on from the keeping-up-to-date dept.
"I have been developing a script to automatically patch OpenBSD installations, aimed mainly at sites running large numbers of OpenBSD machines. Although this program will never replace a security-conscious system administrator (in fact, it acts quite like a brain-dead one ;-) ), it will surely help many people manage the patching system.
If you are interested, please visit http://www.gwolf.cx/soft/tepatche
I'm a bit gun-shy about automatic updates; I tend to do this only after careful automatic review of the changes. This is even more so during hackathons and the like. Still, this can be useful if you have a farm to maintain, especially with the severity of recent security flaws. I quote a bit of information from the web site:
RATIONALE
OpenBSD is a stable, robust and secure operating system. Systems administrators running OpenBSD also tend to be more security conscious than administrators running other operating systems. Nevertheless, patching an OpenBSD system can be a tedious process for many people. If a person manages multiple OpenBSD servers, patching each of them can be a long and repetitive task, ideal for automatization. Tepatche will periodically check the FTP site we point it to, and if there is a new patch to be applied, it downloads, applies, builds and installs it. Tepatche maintains a small status database to keep track of the status of each of the system's patches.
NOTES
- Tepatche is released under a BSD license - read the COPYING file.
- This is EXPERIMENTAL code. It works for me. However, it is code intended to be run as root and to modify vital system binaries, and a programming error can have nasty consequences.
- Tepatche assumes that the patches published on the specified ftphost are trustworthy. If the ftphost (typically ftp.openbsd.org or one of its mirrors) were to be compromised, anything could happen.
- If applying a patch requires kernel compilation, the system administrator MUST DO SO MANUALLY. Tepatche will patch the sources, but building the kernel involves many steps that do require manual operator involvement.
"
By Anonymous Coward () on
2. I think it would be better to send the report to standard output and let cron deal with mailing the admin - why reinvent the wheel?
By chris () on
::chris
Would be nice if this type of utility was more integrated into the project, possibly having a file on mirrors which lists patches, and versions that have been upgraded (i.e. the recent OpenSSH business). This could be done via CVS. I mean, I understand security really should be in the hands of the admin, but for the lonely home user, a util would be nice.
By Anonymous Coward () on
By Chris Lewis () chris@no-spam-dogcow.co.uk on http://www.dogcow.co.uk/
I think OpenBSD's patching system was just asking for automation in this way for us lazy admins (or those with huge server clusters they want looking after :).
Looking forward to poking at it.
Cheers,
Chris
By WB () on
By JC () on
I guess it could be as simple as having the admin sign the patches before putting them in the ftp patch repository using gpg for example and having tepatche simply verify the signature before running the patch and verify against the public key(s) stored locally by tepatche.
Heck, perhaps the OpenBSD team might even put out signed versions of the patches...
I think it might represent an acceptable amount of coding considering the safety it would bring...
JC
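The verify-before-apply flow JC describes, combined with the periodic check and status database from the project's rationale quoted above, as an added example that is not part of tepatche or of this thread. It uses Ed25519 from Go's standard library in place of gpg; the key ids, patch names and patch bodies are constructed for the demo, the `SignPatch` helper stands in for the admin signing a patch before publishing it, and the `apply` callback stands in for the real patch-and-build step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedPatch is what the client would fetch from the mirror: the patch text
// together with a detached signature made by the repository administrator.
type SignedPatch struct {
	Name string
	Body []byte
	Sig  []byte
}

// StatusDB stands in for tepatche's small status database: patch name -> state
// ("applied", "rejected" or "failed").
type StatusDB map[string]string

var ErrBadSignature = errors.New("signature does not verify under any trusted key")

// SignPatch is the repository side (hypothetical helper, not part of tepatche):
// the admin signs the patch body with their private key before publishing it.
func SignPatch(priv ed25519.PrivateKey, name string, body []byte) SignedPatch {
	return SignedPatch{Name: name, Body: body, Sig: ed25519.Sign(priv, body)}
}

// VerifyPatch is the client side: accept the patch only if its signature
// verifies under one of the public keys stored locally. A tampered body and a
// signature from an unknown key both fail the same way. Returns the matching key id.
func VerifyPatch(trusted map[string]ed25519.PublicKey, p SignedPatch) (string, error) {
	for id, pub := range trusted {
		if ed25519.Verify(pub, p.Body, p.Sig) {
			return id, nil
		}
	}
	return "", ErrBadSignature
}

// ApplyPending is one periodic run: skip patches already recorded as applied,
// verify each remaining one, and only then hand it to apply. The names applied
// on this run are returned so the caller can print a report for cron to mail.
func ApplyPending(db StatusDB, trusted map[string]ed25519.PublicKey,
	listing []SignedPatch, apply func(SignedPatch) error) []string {
	var applied []string
	for _, p := range listing {
		if db[p.Name] == "applied" {
			continue // idempotent: never re-apply a patch the database knows about
		}
		if _, err := VerifyPatch(trusted, p); err != nil {
			db[p.Name] = "rejected" // never run patch(1) on an unverified file
			continue
		}
		if err := apply(p); err != nil {
			db[p.Name] = "failed"
			continue
		}
		db[p.Name] = "applied"
		applied = append(applied, p.Name)
	}
	return applied
}

// RunDemo builds a constructed scenario: one patch signed by the admin, one whose
// body was altered after signing, one signed by a key the client does not trust,
// and a second run in which the already-applied patch is listed again.
func RunDemo() (StatusDB, []string, []string, error) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // key not in the local trust store
	if err != nil {
		return nil, nil, nil, err
	}
	trusted := map[string]ed25519.PublicKey{"admin-key": adminPub} // constructed key id

	body := []byte("--- old/file\n+++ new/file\n@@ -1 +1 @@\n-a\n+b\n") // constructed patch text
	good := SignPatch(adminPriv, "001_example.patch", body)
	tampered := SignPatch(adminPriv, "002_example.patch", body)
	tampered.Body = append(append([]byte{}, body...), []byte("+extra line\n")...) // altered in transit
	rogue := SignPatch(otherPriv, "003_example.patch", body)

	db := StatusDB{}
	apply := func(p SignedPatch) error { return nil } // stand-in for patch(1) + make + install
	first := ApplyPending(db, trusted, []SignedPatch{good, tampered, rogue}, apply)
	second := ApplyPending(db, trusted, []SignedPatch{good}, apply)
	return db, first, second, nil
}

func main() {
	db, first, second, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("first run applied:", first, "second run applied:", second)
	for name, state := range db {
		fmt.Printf("%s: %s\n", name, state)
	}
}
```

The important property is the ordering inside `ApplyPending`: the status database decides what is still pending, the signature check decides what may be applied, and nothing is handed to the apply step until both have passed. A rejected patch stays recorded as rejected so the next periodic run reports it again instead of silently retrying.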
By Matt Van mater () vanmatmm@jmu.edu on mailto:vanmatmm@jmu.edu
I was thinking to myself how I kinda want to go over to Gentoo and play around with their feature which is like this. Now I won't have to! For a while I was thinking about looking into porting FreeBSD's portupgrade over to OpenBSD. Maybe we can combine these two tools to effectively get Gentoo's 'emerge update' functionality on our OpenBSD boxen!
By Thxix () thxix@ownzed.net on mailto:thxix@ownzed.net