bugs in Sun's list of Recommended, Security, and Y2k patches

Post by Paul Egger » Sat, 07 Oct 2000 04:00:00



Recently I've noticed that Sun's Recommended and Security patch list
is becoming increasingly unreliable.  It contains patches that should
not be recommended, or are not security-related, are for the wrong OS,
or are not available.  I mentioned this to Sun a while back as part of
our maintenance contract, but the problems have continued.  I'm
starting to think that I should start ignoring Sun's list, or at least
discounting it.

Have other people noticed this problem?  If so, what are you doing about it?

Here is a sample of some bogus or possibly-bogus patches recommended
on today's list, which you can obtain from, for example,
<http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/pub-os&nav=pub...>.

The following are listed as a security patches, but I don't see why.
Their summaries don't say anything about security.

103295-01    SunOS 5.5: fold loses data if files contain no newline
103476-01    SunOS 5.5: bpp fixes

The following are listed as Y2k patches, but they don't seem to have
anything to do with Y2k.

103995-01    SunOS 5.5.1: rpc.nispasswdd patch
104810-01    SunOS 5.5.1: kernel/strmod/timod patch

The following security patch is listed for Solaris 8, but it's
actually a Solaris 2.5.1 / 2.6 patch.

106755-01    Sun WebServer 1.0: Security and Preformance international Patch

The following recommended patch is not available.

107261-01    SunOS 5.7: POINT PATCH: 1235385 - pkgtrans/pkgadd check std SVR4 ABI pkg

The following new patch is recommended, but given all the bugs above
I'm dubious as to whether I should install it.

108606-07    SunOS 5.8: M64 Graphics Patch

The following old patches recently switched from non-recommended to
recommended; I don't know why, as the bugs fixed don't seem to be that
important and general.

104644-01    SunOS 5.5.1: /usr/ucb/stty patch
108311-01    SunOS 5.7: /usr/bin/head patch
108800-01    SunOS 5.7: /usr/lib/fs/cachefs/cfsadmin patch
109279-01    SunOS 5.8: /kernel/drv/ip and /kernel/drv/sparcv9/ip patch
109552-01    SunOS 5.8: FIGSS-UTF.8, Removable media manager unlocalized

I'm also a bit dubious about the following old patches, which recently
became recommended, but the bugs they fix do appear to be important in
some cases so perhaps one really should install them....

108827-01    SunOS 5.8: libthread patch
109657-01    SunOS 5.8: isp driver patch


Post by Casper H.S. Dik - Network Security Engine » Wed, 11 Oct 2000 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>Recently I've noticed that Sun's Recommended and Security patch list
>is becoming increasingly unreliable.  It contains patches that should
>not be recommended, or are not security-related, are for the wrong OS,
>or are not available.  I mentioned this to Sun a while back as part of
>our maintenance contract, but the problems have continued.  I'm
>starting to think that I should start ignoring Sun's list, or at least
>discounting it.

The patchdiag.xref file appears to have been seriously mangled;
or whatever source that is used as input for it.  The first
patches you listed are no longer security/Y2K anymore.

As for old patches being upgraded to recommended; yes, that does
happen.  (Depending on customer calls and such)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


Post by Martin Pau » Wed, 11 Oct 2000 04:00:00



> Recently I've noticed that Sun's Recommended and Security patch list
> is becoming increasingly unreliable.  It contains patches that should
> not be recommended, or are not security-related, are for the wrong OS,
> or are not available.  I mentioned this to Sun a while back as part of
> our maintenance contract, but the problems have continued.  I'm
> starting to think that I should start ignoring Sun's list, or at least
> discounting it.

Hm, I checked on today's list, following your link below, but couldn't
find any of the patches you mentioned. Is it fixed already?

> Have other people noticed this problem?  If so, what are you doing about it?

I don't use this list, but patchdiag.xref instead. I've seen a lot
of switching from recmd to non-recmd for single patches there, too,
but most of the time it was because a certain patch was a prerequisite
to another R or S patch.

> The following old patches recently switched from non-recommended to
> recommended; I don't know why, as the bugs fixed don't seem to be that
> important and general.

If in doubt I'd say it's better they make it recmd than not, as people
without maintenance otherwise cannot access the patch.

mp.
--
                         Martin Paul | Systems Administrator

Liechtensteinstrasse 22, A-1090 Wien | Tel: 01 4277 38803
        http://www.par.univie.ac.at/ | Fax: 01 4277 9388


Post by Chris Thomps » Wed, 11 Oct 2000 04:00:00




[...]

>The patchdiag.xref file appears to have been seriously mangled;
>or whatever source that is used as input for it.  The first
>patches you listed are no longer security/Y2K anymore.

At the European Sunsolve site I found that patchdiag.xref had suddenly
grown from c. 585 KB to 910 KB. I put the new one on one side for
later investigation, and the next day the Sunsolve copy was back down
again, with only minor changes from the one two days earlier...

I wrote it off as just one of those things.

Chris Thompson
Email: cet1 [at] cam.ac.uk


Post by Paul Egger » Wed, 11 Oct 2000 04:00:00




> > Recently I've noticed that Sun's Recommended and Security patch list
> > is becoming increasingly unreliable.  It contains patches that should
> > not be recommended, or are not security-related, are for the wrong OS,
> > or are not available.

> Hm, I checked on today's list, following you link below, but couldn't
> find any of the patches you mentioned. Is it fixed already ?

Yes.  All the weirdnesses that I noticed on October 6, including the
somewhat plausible recommendations of 108827-01 (SunOS 5.8: libthread
patch) and 109657-01 (SunOS 5.8: isp driver patch), have been backed
out in the most recent recommended patch list, which is dated October
6 but was published early October 7.

> I don't use this list, but patchdiag.xref instead.

I use the files PatchSummary and public_patch_report from the FTP area
for contract users.  I gave the public URL because it can be checked
by everybody.  But I think all these patch lists are derived from the
same source as patchdiag.xref, which was also hosed by all reports.

And this is not the first time it has happened, unfortunately.  I
wonder what part of Sun's patch-reporting procedure is breaking down?


Post by Martin Pau » Thu, 12 Oct 2000 04:00:00



> Yes.  All the weirdnesses that I noticed on October 6, including the
> somewhat plausible recommendations of 108827-01 (SunOS 5.8: libthread
> patch) and 109657-01 (SunOS 5.8: isp driver patch), have been backed
> out in the most recent recommended patch list, which is dated October
> 6 but was published early October 7.

Ah yes, I noticed that too. It was similar to the last problem on
Sep 21, where the size of patchdiag.xref had doubled, too.

> But I think all these patch lists are derived from the
> same source as patchdiag.xref, which was also hosed by all reports.

Looks like. So it's the central patch database which gets corrupted
from time to time. I really think that there should be a contact
email address from Sun to report such problems. Keeping up to date
on patches already takes up quite some time for an admin, it shouldn't
be made more complicated than it is.

Another thing that could be fixed is the problem that with new
HW releases often there are "patches" pre-installed (I assume these
are feature patches bringing in new stuff, which is not available
separately) which are not in the patch database. Checking it with
Solaris 7 11/99 there is e.g. 107917-02. It doesn't officially exist,
but patchdiag shows it without a description in the "Installed Patches"
section. Not sure if Solaris 8 suffers the same problem, as it seems
that recently the feature patches have been published separately, too.

mp.
--
                         Martin Paul | Systems Administrator

Liechtensteinstrasse 22, A-1090 Wien | Tel: 01 4277 38803
        http://www.par.univie.ac.at/ | Fax: 01 4277 9388


Post by Paul Egger » Thu, 12 Oct 2000 04:00:00



> Not sure if Solaris 8 suffers the same problem, as it seems that
> recently the feature patches have been published seperately, too.

Solaris 8 has the problem that some of the feature patches don't
install correctly (for me, at least).  I had problems when I tried
installing the project-related patches on hosts running Solaris 8.
The patches would fail during installation due to botched
dependencies, and afterwards the hosts would be unusable due to
problems with authentication.  I don't recommend these patches for
anyone but experts.

I'm willing to cut Sun some slack about the feature-patch problems.
After all, installation procedures always have bugs.  But corruption
of the public patch database is another story.

By the way, I got good results by avoiding the following patches for
Solaris 8 sparc.  Your mileage may differ of course.  None of these
patches are currently recommended by Sun.

108993-01 nss and ldap
108995-01 /usr/lib/libproc.so.1
108997-03 libexacct and libproject
108999-01 PAM
109003-01 /etc/init.d/acctadm and /usr/sbin/acctadm
109005-01 /sbin/su.static and /usr/bin/su
109007-03 at/atrm/batch/cron
109009-01 /etc/magic and /usr/bin/file
109011-01 /usr/bin/id and /usr/xpg4/bin/id
109013-02 /usr/bin/lastcomm
109015-01 /usr/bin/newtask
109017-01 /usr/bin/pgrep and /usr/bin/pkill
109019-01 /usr/bin/priocntl
109021-01 /usr/bin/projects
109023-01 /usr/bin/sparcv7/ps and /usr/bin/sparcv9/ps
109025-01 /usr/bin/sparcv7/truss and /usr/bin/sparcv9/truss
109027-01 /usr/bin/wracct
109029-01 perl
109031-01 projadd/projdel/projmod
109033-01 /usr/bin/sparcv7/prstat and /usr/bin/sparcv9/prstat
109035-01 useradd/userdel/usermod
109037-01 /var/yp/Makefile and /var/yp/nicknames
109954-01 /kernel/sys/pset and /kernel/sys/sparcv9/pset


Post by Brian Huntle » Thu, 12 Oct 2000 04:00:00



> > Yes.  All the weirdnesses that I noticed on October 6, including the
> > somewhat plausible recommendations of 108827-01 (SunOS 5.8: libthread
> > patch) and 109657-01 (SunOS 5.8: isp driver patch), have been backed
> > out in the most recent recommended patch list, which is dated October
> > 6 but was published early October 7.

In the 01 Sep Solaris7 cluster, two patches required patch 108374, but
it was not contained in the bundle. For sites that have to test every
bundle and freeze on one for a while, this is a real bother.

Sent via Deja.com http://www.deja.com/
Before you buy.


Post by Chris Thomps » Fri, 13 Oct 2000 04:00:00





>[...]

>>The patchdiag.xref file appears to have been seriously mangled;
>>or whatever source that is used as input for it.  The first
>>patches you listed are no longer security/Y2K anymore.

>At the European Sunsolve site I found that patchdiag.xref had suddenly
>grown from c. 585 KB to 910 KB. I put the new one on one side for
>later investigation, and the next day the Sunsolve copy was back down
>again, with only minor changes from the one two days earlier...

>I wrote it off as just [one] of those things.

Since then, PatchReport and patchdiag.xref seem to have remained unaltered
for several days. Would it be impolite to speculate that they have been
frozen until the software that generates them has been fixed?

Chris Thompson
Email: cet1 [at] cam.ac.uk


Post by Martin Pau » Fri, 13 Oct 2000 04:00:00



> Since then, PatchReport and patchdiag.xref seem to have remained unaltered
> for several days. Would it be impolite to speculate that they have been
> frozen until the software that generates them has been fixed?

I'd say it's optimistic, taking into account how often it has
happened before that the patch database didn't get updated.

mp.
--
                         Martin Paul | Systems Administrator

Liechtensteinstrasse 22, A-1090 Wien | Tel: 01 4277 38803
        http://www.par.univie.ac.at/ | Fax: 01 4277 9388


Post by Chris Thomps » Wed, 18 Oct 2000 04:00:00





>> Since then, PatchReport and patchdiag.xref seem to have remained unaltered
>> for several days. Would it be impolite to speculate that they have been
>> frozen until the software that generates them has been fixed?

>I'd say it's optimistic, taking into account how often it has
>happened before that the patch database didn't get updated.

Well, the saga continues. PatchReport is being updated daily again, but
patchdiag.xref remains frozen in its 9 October state. Also, interesting
new files have appeared which look like the innards of the mechanism
having become exposed: MASTER.CROSSREFERENCE, MASTER.CROSSREFERENCE.bak,
patch.index, patch.index.save, patch.index.last, ...

Anyone in the know from Sun care to tell us what's really going on?

Chris Thompson
Email: cet1 [at] cam.ac.uk


Post by Martha DePaul » Wed, 18 Oct 2000 04:00:00


Are "Recommended" patches more "reliable" than those not "recommended"?
Or is "recommended" simply a distinction between public & Contract
access?

Paul, have you found your systems more reliable by avoiding the patches
you recently listed? Are they broken somehow?

Thanks,
Joe (c/o Martha)


> By the way, I got good results by avoiding the following patches for
> Solaris 8 sparc.  Your mileage may differ of course.  None of these
> patches are currently recommended by Sun.

> 108993-01 nss and ldap
> 108995-01 /usr/lib/libproc.so.1
> 108997-03 libexacct and libproject
> 108999-01 PAM
> 109003-01 /etc/init.d/acctadm and /usr/sbin/acctadm
> 109005-01 /sbin/su.static and /usr/bin/su
> 109007-03 at/atrm/batch/cron
> 109009-01 /etc/magic and /usr/bin/file
> 109011-01 /usr/bin/id and /usr/xpg4/bin/id
> 109013-02 /usr/bin/lastcomm
> 109015-01 /usr/bin/newtask
> 109017-01 /usr/bin/pgrep and /usr/bin/pkill
> 109019-01 /usr/bin/priocntl
> 109021-01 /usr/bin/projects
> 109023-01 /usr/bin/sparcv7/ps and /usr/bin/sparcv9/ps
> 109025-01 /usr/bin/sparcv7/truss and /usr/bin/sparcv9/truss
> 109027-01 /usr/bin/wracct
> 109029-01 perl
> 109031-01 projadd/projdel/projmod
> 109033-01 /usr/bin/sparcv7/prstat and /usr/bin/sparcv9/prstat
> 109035-01 useradd/userdel/usermod
> 109037-01 /var/yp/Makefile and /var/yp/nicknames
> 109954-01 /kernel/sys/pset and /kernel/sys/sparcv9/pset


Post by Martin Pau » Fri, 20 Oct 2000 04:00:00





>>I'd say it's optimistic, taking into account how often it has
>>happened before that the patch database didn't get updated.

> Well, the saga continues. PatchReport is being updated daily again, but
> patchdiag.xref remains frozen in its 9 October state.

So there we are again - a new patchdiag.xref as of Oct 17. And it seems
a lot has changed. Diff shows that the new file is sorted by patchID
now; a quick sort on the old file still reveals about 500 diffs.

They come from:

- Reintegration of old patches (Solaris 2.1 and some unbundled products)
  into patchdiag.xref.
- All the point patches have been removed from patchdiag.xref
- Hardware & Firmware patches are now in the xref file - good!
- StarOffice patches are now in the xref file - good, too.
- Patches for Trusted Solaris have been integrated, too.
- Some patches have changed R&S status, some Obsoletes/Obsoleted by
  entries seem to have been changed (corrected?).
- and of course there are some new patches/revisions since Oct. 6.

The READMEs of the new patches look a little strange; the format has
changed (mostly empty lines removed, which makes it more unreadable than
the old one). All occurrences of ' and ` have been replaced by '' and `` -
probably not intentionally. A lot of work if you use diff on the
READMEs to see what has changed in a new patch.

Patch 108652 (X11 patch for Solaris 8) has disappeared from the xref
file.

And the most important thing - no one cares about putting up some
information about all this either on sunsolve or here in c.u.s.,
thanks a lot - not. Can we at least assume that the format stays
like this?

mp.
--
                         Martin Paul | Systems Administrator

Liechtensteinstrasse 22, A-1090 Wien | Tel: 01 4277 38803
        http://www.par.univie.ac.at/ | Fax: 01 4277 9388
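Two of the symptoms in this thread (a feed whose size suddenly jumps, and a diff that is drowned in reordering noise) can be checked mechanically before anyone acts on a new list. The script below is an added example, not Sun's tooling and not code posted by anyone in the thread. It assumes that a patchdiag.xref row is 11 pipe-separated fields (patch id, revision, date, R flag, S flag, obsoleted, bad, OS, archs, packages, synopsis); that layout is an assumption, and every sample row is constructed. It flags a snapshot that grew out of proportion, rejects duplicated patch ids (what a doubled file would contain), and reports only semantic changes (added or removed patches, revision bumps, R/S flag flips) regardless of row order.

```python
"""Sanity-check and diff two snapshots of a patchdiag.xref-style patch feed.

Added example (not Sun's tooling): the 11 pipe-separated field layout is an
assumption, and every sample row below is constructed, not copied from a
real xref file.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PatchEntry:
    patch_id: str
    rev: str
    recommended: bool  # "R" in the 4th field
    security: bool     # "S" in the 5th field
    os: str
    synopsis: str


def parse_xref(text: str) -> dict[str, PatchEntry]:
    """Parse one snapshot into {patch_id: entry}; rejects malformed or duplicated rows."""
    entries: dict[str, PatchEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        pid = fields[0].strip()
        if pid in entries:
            # A feed doubled by a generator bug shows up here first.
            raise ValueError(f"line {lineno}: duplicate patch id {pid}")
        entries[pid] = PatchEntry(
            patch_id=pid,
            rev=fields[1].strip(),
            recommended=fields[3].strip() == "R",
            security=fields[4].strip() == "S",
            os=fields[7].strip(),
            synopsis=fields[10].strip(),
        )
    return entries


def check_snapshot(text: str) -> list[str]:
    """Structural problems in a snapshot; an empty list means it parsed cleanly."""
    try:
        parse_xref(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def size_suspicious(old_text: str, new_text: str, max_growth: float = 1.5) -> bool:
    """True if the new snapshot grew by more than max_growth over the old one."""
    old_size = len(old_text.encode())
    return old_size > 0 and len(new_text.encode()) / old_size > max_growth


def _flag(on: bool, letter: str) -> str:
    return letter if on else "-"


def compare(old: dict[str, PatchEntry], new: dict[str, PatchEntry]) -> list[str]:
    """Semantic changes between snapshots, independent of row order."""
    report: list[str] = []
    for pid in sorted(old.keys() - new.keys()):
        e = old[pid]
        report.append(f"removed {pid}-{e.rev} ({e.synopsis})")
    for pid in sorted(new.keys() - old.keys()):
        e = new[pid]
        flags = _flag(e.recommended, "R") + _flag(e.security, "S")
        report.append(f"added {pid}-{e.rev} [{flags}] ({e.synopsis})")
    for pid in sorted(old.keys() & new.keys()):
        o, n = old[pid], new[pid]
        if o.rev != n.rev:
            report.append(f"{pid}: rev {o.rev} -> {n.rev}")
        if o.recommended != n.recommended:
            report.append(f"{pid}: recommended {_flag(o.recommended, 'R')} -> {_flag(n.recommended, 'R')}")
        if o.security != n.security:
            report.append(f"{pid}: security {_flag(o.security, 'S')} -> {_flag(n.security, 'S')}")
    return report


# Constructed snapshots: the first mirrors flags the thread saw on Oct 6,
# the second a corrected list (row order deliberately shuffled).
OLD_XREF = """\
103295|01|Oct/06/00| |S| | |5.5|sparc;|SUNWcsu;|SunOS 5.5: fold loses data if files contain no newline
107261|01|Oct/06/00|R| | | |5.7|sparc;|SUNWcsu;|SunOS 5.7: POINT PATCH: pkgtrans/pkgadd
108376|12|Sep/21/00|R| | | |5.7|sparc;|SUNWxwplt;|SunOS 5.7: X11 patch
108652|03|Oct/06/00|R| | | |5.8|sparc;|SUNWxwplt;|SunOS 5.8: X11 patch
108827|01|Oct/06/00|R| | | |5.8|sparc;|SUNWcsl;|SunOS 5.8: libthread patch
"""

NEW_XREF = """\
108827|01|Oct/06/00| | | | |5.8|sparc;|SUNWcsl;|SunOS 5.8: libthread patch
103295|01|Oct/06/00| | | | |5.5|sparc;|SUNWcsu;|SunOS 5.5: fold loses data if files contain no newline
109657|01|Oct/17/00|R| | | |5.8|sparc;|SUNWcsu;|SunOS 5.8: isp driver patch
108376|14|Oct/17/00|R| | | |5.7|sparc;|SUNWxwplt;|SunOS 5.7: X11 patch
107261|01|Oct/06/00|R| | | |5.7|sparc;|SUNWcsu;|SunOS 5.7: POINT PATCH: pkgtrans/pkgadd
"""

# Constructed snapshot carrying the same id twice, as a doubled feed would.
DUP_XREF = """\
108376|12|Sep/21/00|R| | | |5.7|sparc;|SUNWxwplt;|SunOS 5.7: X11 patch
108652|03|Oct/06/00|R| | | |5.8|sparc;|SUNWxwplt;|SunOS 5.8: X11 patch
108376|14|Oct/17/00|R| | | |5.7|sparc;|SUNWxwplt;|SunOS 5.7: X11 patch
"""

if __name__ == "__main__":
    print("problems:", check_snapshot(DUP_XREF))
    print("size jump:", size_suspicious("x" * 585_000, "x" * 910_000))
    for line in compare(parse_xref(OLD_XREF), parse_xref(NEW_XREF)):
        print(line)
```

Run against a stored previous snapshot and the freshly fetched one; a non-empty result from check_snapshot or a True from size_suspicious is the cue to hold the new list until it has been looked at, and the compare output is what to read instead of a raw diff.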

Post by Martin Pau » Sat, 21 Oct 2000 04:00:00



> Patch 108652 (X11 patch for Solaris 8) has disappeared from the xref
> file.

It's fixed in the new xref file - thanks. Looks like the format is
now stable, too.

But patch 108376-14 (X11 for Solaris 7; rev. 12 was the one with the
32-bit libX11 in the sparcv9 directory) has a problem again - it has
a structure like this:

108376-14
  Patch files and dirs
  108376-14
    Patch files and dirs
    108376-14
      Patch files and dirs

so it's three times as big as it should be.

mp.
--
                         Martin Paul | Systems Administrator

Liechtensteinstrasse 22, A-1090 Wien | Tel: 01 4277 38803
        http://www.par.univie.ac.at/ | Fax: 01 4277 9388
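A tripled tree like the one above inflates the download and can confuse anything that expects the patch's README and package directories at the top level. As an added example (not from the thread or from Sun), the script below builds both a sane and a tripled copy of a constructed patch directory in a temporary location, then reports every directory that repeats the name of one of its ancestors together with the resulting size multiplier; the package directory name SUNWxwplt is a constructed stand-in for the real patch contents.

```python
"""Detect a patch archive that was unpacked into a self-nested tree.

Added example (not from the thread): the tree shape is modelled on the
108376-14 structure described above, but the directories are constructed in
a temporary location, not read from a real Sun patch.
"""
from __future__ import annotations

import os
import tempfile


def find_self_nesting(root: str) -> list[str]:
    """Return paths (relative to root) of directories named like one of their ancestors.

    A correctly unpacked patch yields an empty list; a tree like
    108376-14/108376-14/108376-14 yields one entry per redundant copy.
    """
    root = os.path.abspath(root)
    offenders: list[str] = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        rel = os.path.relpath(dirpath, root)
        ancestors = {os.path.basename(root)}
        if rel != ".":
            ancestors.update(rel.split(os.sep))
        for name in dirnames:
            if name in ancestors:
                offenders.append(os.path.normpath(os.path.join(rel, name)))
    return offenders


def build_constructed_patch(base: str, patch_id: str, copies: int) -> str:
    """Create <base>/<patch_id> holding `copies` nested copies of the patch layout.

    copies=1 is the sane layout; copies=3 reproduces the tripled tree.
    SUNWxwplt is a constructed stand-in for "Patch files and dirs".
    """
    top = os.path.join(base, patch_id)
    current = top
    for _ in range(copies):
        os.makedirs(os.path.join(current, "SUNWxwplt"), exist_ok=True)
        with open(os.path.join(current, "README." + patch_id), "w") as fh:
            fh.write("constructed README\n")
        current = os.path.join(current, patch_id)
    return top


def tree_size(root: str) -> int:
    """Total size in bytes of regular files under root."""
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += os.path.getsize(os.path.join(dirpath, name))
    return total


def run_demo() -> dict[str, object]:
    """Build a clean and a tripled copy of a constructed patch and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_constructed_patch(os.path.join(tmp, "clean"), "108376-14", 1)
        tripled = build_constructed_patch(os.path.join(tmp, "tripled"), "108376-14", 3)
        return {
            "clean": find_self_nesting(clean),
            "tripled": find_self_nesting(tripled),
            "size_ratio": tree_size(tripled) // tree_size(clean),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

For a real unpacked patch, call find_self_nesting on the patch's top-level directory before handing it to the install procedure; for a purely linear nest each reported entry is one redundant copy, which is why the tripled tree reports two offenders and three times the bytes.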

Post by Jeffrey Bouli » Thu, 02 Nov 2000 07:12:03




Quote:>Are "Recommended" patches more "reliable" than those not "recommended"?
>Or is "recommended" simply a distinction between public & Contract
>access?

Perhaps both. Recommended patches should fix most of the problems that
people complain to Sun about. Chances are that they might be more reliable
because of, say, the larger number of people using them. I don't know
whether Sun does extra testing on a bug-fix just because it is going into
the recommended release, but it does sound reasonable that they would.

                        Yours Truly,
                        Jeffrey Boulier

1. Recommended patches and security patches

Hi,

Earlier, the experts said, that a new Solaris installation has not
been completed until the recommended patches have been installed too.

What is the general attitude to security patches. Do you take them
all or just some of them? (I can't find security patches as a cluster
on SunSolve).

Do you put in security patches on every machine on the network or
just selected ones, e.g. a server which receives e-mails from the
Internet?

Regards,

--
Flemming Højstrup Hansen

Hovedstadens Udviklingsråd
(Greater Copenhagen Authority)
