Re: Manually getting security updates
On Thu, May 08, 2003 at 02:18:42PM +1000, Andrew Pollock wrote:
> I work in a secure environment where outbound HTTP access isn't permitted
> from the servers in our infrastructure that are running Debian. We still
> want to keep them up to date with security updates, and I'm currently
> writing a procedure to do this.
>
> Within our NOC segment we have an apt-proxy, and partial local mirror.
>
> The procedure I've come up with is basically:
>
> run an "apt-get update" against the apt-proxy on a server in the NOC
> copy /var/lib/apt/lists/* to the servers in the infrastructure
> run "apt-get -s dist-upgrade", observe the security updates that would be
> applied
> acquire the packages manually back in the NOC [1]
> transfer the .debs to the server that it has been determined requires them
> manually install them with dpkg
If the problem is with HTTP access out from this particular network segment,
why not put a proxy/mirror inside that network segment? Then you only need
to manually transfer the package lists to that one server, and the others
can point to that.
> [1] it's the manual acquisition back in the NOC that has me a bit stumped
> as how to achieve. I want to use our apt-proxy and I would have thought
> that apt-get would be the way to go, however if you try to do an "apt-get
> -d package" on a package that's already up to date locally (and you don't
> already have the .deb in /var/cache/apt/archives) there's no way to get
> apt-get to just download it.
It sounds like you want --print-uris instead of -s, no? That prints out
URLs for downloading the needed packages.
> debget seems to not be what I want, it doesn't appear to consult a local
> Packages file, it wants to pop off and check out an FTP site, which isn't
> feasible from our NOC. I really want something APT aware.
There is a debget in debian-goodies which uses apt to do its work, but I
don't think either debget is what you want. debget is for fetching
individual packages, and you want to get all of the packages necessary to
upgrade a server.
> I've sent an email to apt@packages.debian.org already, but I haven't heard
> anything back yet.
That's not a support address (neither is debian-devel, for that matter).
--
- mdz
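As an added example (not code from either poster), here is how the `--print-uris` hint could be scripted on the NOC host: it parses the `'uri' filename size hash` lines that `apt-get --print-uris -y dist-upgrade` prints, fetches each .deb through the apt-proxy, and refuses any file whose checksum does not match what apt expected, so a corrupted or tampered package is caught before it is carried into the secure segment by hand. The proxy hostname and package names below are constructed placeholders; the hash handling assumes either a bare MD5 (as 2003-era apt printed) or a `MD5Sum:`/`SHA256:`-prefixed hash (as newer apt prints).

```shell
#!/bin/sh
# Constructed sample of 'apt-get --print-uris' output (placeholder host and packages).
SAMPLE_URIS="'http://apt-proxy.noc.example/debian/pool/main/f/foo/foo_1.0-1_i386.deb' foo_1.0-1_i386.deb 1234 d41d8cd98f00b204e9800998ecf8427e
'http://apt-proxy.noc.example/debian/pool/main/b/bar/bar_2.0_i386.deb' bar_2.0_i386.deb 5678 SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Read print-uris lines on stdin; emit "url filename algo hash" per package,
# skipping anything that is not a quoted-URI line (apt also prints status text).
parse_print_uris() {
    while read -r uri file size hash; do
        case "$uri" in "'"*"'") ;; *) continue ;; esac
        uri=${uri#\'}; uri=${uri%\'}
        case "$hash" in
            MD5Sum:*) algo=md5;    hash=${hash#MD5Sum:} ;;
            SHA256:*) algo=sha256; hash=${hash#SHA256:} ;;
            *)        algo=md5 ;;   # bare hash, as printed by 2003-era apt
        esac
        printf '%s %s %s %s\n' "$uri" "$file" "$algo" "$hash"
    done
}

# verify_file <path> <algo> <hash>: succeed only if the file matches the expected hash.
verify_file() {
    case "$2" in
        md5)    sum=$(md5sum "$1"    | cut -d' ' -f1) ;;
        sha256) sum=$(sha256sum "$1" | cut -d' ' -f1) ;;
        *)      return 2 ;;
    esac
    [ "$sum" = "$3" ]
}

# fetch_debs <dir>: download every package listed on stdin into <dir> via the proxy,
# deleting any download whose checksum does not match (run on the NOC host).
fetch_debs() {
    dir=$1; mkdir -p "$dir"
    parse_print_uris | while read -r uri file algo hash; do
        wget -q -O "$dir/$file" "$uri" || { echo "fetch failed: $file" >&2; continue; }
        verify_file "$dir/$file" "$algo" "$hash" ||
            { echo "checksum mismatch, discarding: $file" >&2; rm -f "$dir/$file"; }
    done
}

# Real use on the NOC host:  apt-get --print-uris -y dist-upgrade | fetch_debs /tmp/debs
```

The resulting directory can then be transferred to the target server and installed with `dpkg -i`; the checksum step matters because once the .debs leave apt's own download path nothing else verifies them.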