SUMMARY: upgrade & patching qstn.

From: Tru64 User (tru64user@yahoo.com)
Date: Thu May 23 2002 - 14:45:49 EDT


Thanks to Chris Ross and Vincent Kiely who confirmed
what I was doubting.

Response for disabling sendmail downgrade (since I am now running
8.12.3, not supported or distributed by Compaq yet) during OS upgrade --
mainly suggested to back up binaries and conf files, then replace later.
I was looking for an option such as one I saw for FreeBSD, whereby
setting NO_SENDMAIL=true and NO_MAILWRAPPER=true in /etc/make.conf is
all that is needed.

Seems to be no way out for taking advantage of new security patches
without loading the aggregate patch kit #3 (Tru64 4.0G).
The pre-install check failed for patch B17-C0010303, all of it of
course. A few boxes had space issues, so I can't load just these
security patches.
Well, more work ahead for me, probably will try to determine the
minimum number of patches req. from kit #3 to qualify for security
patches, thus try to clear some space for them.

_Thanks

Responses I received (briefed):

> 1. How to disable automatic sendmail upgrade when
> performing system update install (eg. 4.0f -> 4.0G or
> 4.0G -> 5.1)
> Got a nice sendmail setup I wouldn't like to disturb.

  If you find out how to do this, let me know. The sendmail binary and
config are part of the OSFBASE package and get upgraded when it is.
After fiddling with it for a while I eventually placed the sendmail
config in another directory and fixed the binary by hand after every
patch.

> With such a statement above (I see these all the
> time), does it mean, if say I am running 4.0G with NO
> aggregate patch kits installed at all (in this case
> kit#3), I am not affected?

  It means that the kit was prepared for a system running 4.0G with
patch kit 3, and that the patch modifies files which are on a system
with that OS and patch level. It may correct a problem that was
introduced in patch kit 2 or it may have been there since the dawn of
time -- they don't tell us about that. But any new patch release
expects that you have applied all of the other patches before it and
may do strange things if that's not the case.

  What makes patch kits challenging is that they never install
themselves all-or-nothing. They just contain a hundred or so small
individual patches which each depend on the presence of other installed
kits or patches and don't install unless everything looks just right.
If you have done anything rash with your system (like, say, installing
patches provided by DEC / Compaq / HP which were not part of a big
patch kit) then key parts of the kit may decide not to install. So even
if you are running Tru64 4.0G with patch kit 3 installed, that doesn't
guarantee that you have the same patches as any other system running
4.0G, pk3.

> Would you agree that it's generally a good idea to keep
> pace with all aggregate patch kits (and individual
> security kits -YES), even when system is running
> flawlessly?

  Um... Yeah, I guess. (Can I get any less enthusiastic than that?)
I still test each new patch kit out on a non-critical system for a
while before it ever sees our production servers, because they can be
dangerous. Always make your patch kits reversible, and be ready to back
parts of them out when things start to go wrong.

  Tru64 patch kits aren't as bad as NT service packs (I feel fairly
confident that they won't go out of their way to break third party
applications), but they still have their moments. We've had some
headaches caused by 4.0F patch kits in the past. One broke the
binary.errlog facility and needed to be fixed with a follow-up patch,
which in turn broke the next patch kit (and so on), while another
changed the syntax of the /etc/printcap file, shutting down a number of
serial printers that relied on things being the old way. A patch kit
for 4.0D disabled remote syslog, but failed to update the man page for
syslogd to explain what it had done.

  On the other hand, some of those patch kits have actually solved
problems that we were having, and fixed bugs which made our systems do
naughty things. Go figure.

  On the gripping hand, every time things go wrong and we call DEC /
Compaq / HP for support, the first thing they ask is "Are you running
the latest patch kit?" The second thing is either "Well, install it and
call me back" or "That's good. Do you have the latest firmware?" I'm
not saying that their support staff are lazy -- they have done some
pretty impressive things for us in the past -- but it is much easier to
get help with your system when it is running in a known and supported
configuration, even from people who you aren't paying the big support
contract dollars to.

--- Tru64 User <tru64user@yahoo.com> wrote:
> Greetings,
> I have a few boxes running 4.0G, working perfectly....
> never patched, not critical....and am trying to figure
> out where it's worth the effort to start patching them
> now from the ground up ...ie. patchkit#3, and all
> security releases after that, which brings the
> following questions:
>
> Requesting brief info on the following:
>
>
> 1. How to disable automatic sendmail upgrade when
> performing system update install (eg. 4.0f -> 4.0G or
> 4.0G -> 5.1)
> Got a nice sendmail setup I wouldn't like to disturb.
>
>
> 2.
> ECO Name: T64V40GB17-C0009303-12856-E-20020115.tar
> Kit Applies To: Tru64 UNIX 4.0G with PK3 (BL17) installed
>
> With such a statement above (I see these all the
> time), does it mean, if say I am running 4.0G with NO
> aggregate patch kits installed at all (in this case
> kit#3), I am not affected?
> Or, I am affected, but can only apply the fix on top
> of patch kit described (in this case #3)? [guess this
> is the answer]
>
> 3. Aggregate patch kits are almost mandatory,
> regardless of whether what they describe to fix
> pertains to you or not?
> Would you agree that it's generally a good idea to keep
> pace with all aggregate patch kits (and individual
> security kits -YES), even when system is running
> flawlessly?
>
> 4. Is the release date for aggregate patchkit #4
> (4.0G) known? Maybe I could wait on these....?
>
> Richard

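The workaround suggested in this thread (back up the sendmail binary and config before the update install, then put them back afterwards) as an added shell example, not part of the original posts. The default paths and the function names snapshot, changed and restore are assumptions for illustration.

```shell
#!/bin/sh
# Paths are assumptions; list the files your own sendmail build installed.
SENDMAIL_FILES="${SENDMAIL_FILES:-/usr/sbin/sendmail /var/adm/sendmail/sendmail.cf}"

# snapshot DIR FILE...: copy each file into DIR and record its checksum.
snapshot() {
    dir=$1; shift
    mkdir -p "$dir/files" || return 1
    : > "$dir/manifest"
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip (missing): $f" >&2; continue; }
        # Flatten the path into one file name (paths must not contain spaces).
        name=$(printf '%s' "$f" | sed 's|/|_|g')
        cp -p "$f" "$dir/files/$name" || return 1
        sum=$(cksum < "$f" | awk '{print $1 ":" $2}')
        printf '%s %s %s\n' "$sum" "$name" "$f" >> "$dir/manifest"
    done
}

# changed DIR: print each recorded path whose content no longer matches the
# snapshot, or which has disappeared. Prints nothing when all files match.
changed() {
    while read -r sum name path; do
        if [ -f "$path" ]; then
            now=$(cksum < "$path" | awk '{print $1 ":" $2}')
        else
            now=missing
        fi
        [ "$now" = "$sum" ] || printf '%s\n' "$path"
    done < "$1/manifest"
}

# restore DIR: put the saved copy back over each changed path, keeping
# whatever the update installed next to it as PATH.from-update.
restore() {
    for path in $(changed "$1"); do
        name=$(printf '%s' "$path" | sed 's|/|_|g')
        [ -f "$path" ] && mv "$path" "$path.from-update"
        cp -p "$1/files/$name" "$path" || return 1
    done
}

# Command-line use: script snapshot|changed|restore DIR
case "${1:-}" in
    snapshot) snapshot "$2" $SENDMAIL_FILES ;;
    changed)  changed "$2" ;;
    restore)  restore "$2" ;;
esac
```

Running `changed` after the update install, before `restore`, shows exactly which files the update or patch kit replaced.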



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:42 EDT