
Re: Manually getting security updates



On Thu, May 08, 2003 at 02:18:42PM +1000, Andrew Pollock wrote:

> I work in a secure environment where outbound HTTP access isn't permitted 
> from the servers in our infrastructure that are running Debian. We still 
> want to keep them up to date with security updates, and I'm currently 
> writing a procedure to do this.
> 
> Within our NOC segment we have an apt-proxy, and partial local mirror.
> 
> The procedure I've come up with is basically:
> 
> run an "apt-get update" against the apt-proxy on a server in the NOC 
> copy /var/lib/apt/lists/* to the servers in the infrastructure 
> run "apt-get -s dist-upgrade", observe the security updates that would be 
> applied
> acquire the packages manually back in the NOC [1]
> transfer the .debs to the server that it has been determined requires them
> manually install them with dpkg

If the problem is with HTTP access out from this particular network segment,
why not put a proxy/mirror inside that network segment?  Then you only need
to manually transfer the package lists to that one server, and the others
can point to that.

> [1] it's the manual acquisition back in the NOC that has me a bit stumped 
> as how to achieve. I want to use our apt-proxy and I would have thought 
> that apt-get would be the way to go, however if you try to do an "apt-get 
> -d package" on a package that's already up to date locally (and you don't 
> already have the .deb in /var/cache/apt/archives) there's no way to get 
> apt-get to just download it.

It sounds like you want --print-uris instead of -s, no?  That prints out
URLs for downloading the needed packages.

> debget seems to not be what I want, it doesn't appear to consult a local 
> Packages file, it wants to pop off and check out an FTP site, which isn't 
> feasible from our NOC. I really want something APT aware.

There is a debget in debian-goodies which uses apt to do its work, but I
don't think either debget is what you want.  debget is for fetching
individual packages, and you want to get all of the packages necessary to
upgrade a server.

> I've sent an email to apt@packages.debian.org already, but I haven't heard
> anything back yet.

That's not a support address (neither is debian-devel, for that matter).

-- 
 - mdz
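An added example, not code from the thread above or from Debian's own tools: a small POSIX shell script that takes the `--print-uris` suggestion from the reply and turns its output into a reviewable download list for the NOC, then checks each transferred .deb against the checksum apt printed before it is handed to dpkg. The host names, package names and the `APT_PROXY` variable are assumptions made up for the example, and the sample `--print-uris` output is constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original thread. It post-processes the
# output of
#   apt-get --print-uris -y dist-upgrade
# (run on a server whose /var/lib/apt/lists were refreshed) so the .debs can be
# fetched in the NOC, checked, and only then copied across and installed with
# dpkg. Host names and package names below are constructed placeholders.

# Each --print-uris line looks like:
#   'http://host/pool/.../pkg_ver_arch.deb' pkg_ver_arch.deb SIZE ALGO:HEX
# extract_uris reads such lines on stdin and prints "URI FILENAME ALGO:HEX"
# with the quotes stripped; lines that are not URI lines (apt's own
# progress messages) are dropped.
extract_uris() {
    sed -n "s/^'\([^']*\)' \([^ ]*\) [0-9][0-9]* \([^ ]*\)$/\1 \2 \3/p"
}

# Given the output of extract_uris, emit one curl command per package,
# routed through the NOC proxy (assumed name; override with $APT_PROXY).
# The commands are printed rather than executed so the list can be reviewed
# before anything is fetched.
make_fetch_script() {
    proxy="${APT_PROXY:-http://apt-proxy.noc.example:9999}"
    while read -r uri file sum; do
        printf "curl --proxy '%s' -o '%s' '%s'\n" "$proxy" "$file" "$uri"
    done
}

# Compare a downloaded file against the checksum apt printed (MD5Sum: or
# SHA256: prefix). Returns 0 on match, 1 on mismatch or unknown algorithm.
# The checksum comes from the Packages file fetched by apt-get update, so it
# ties the manually transferred .deb back to the archive metadata.
verify_deb() {
    file="$1"
    algo="${2%%:*}"
    expected="${2#*:}"
    case "$algo" in
        MD5Sum) actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        SHA256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *) return 1 ;;
    esac
    [ "$actual" = "$expected" ]
}

# Constructed sample of apt-get --print-uris output for a dry run.
SAMPLE="Reading package lists...
'http://apt-proxy.noc.example/debian/pool/main/e/example/example_1.0-1_i386.deb' example_1.0-1_i386.deb 12345 MD5Sum:d41d8cd98f00b204e9800998ecf8427e
'http://apt-proxy.noc.example/debian-security/pool/updates/main/o/other/other_2.3-4_i386.deb' other_2.3-4_i386.deb 6789 SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Print the curl commands that would fetch the two sample packages.
printf '%s\n' "$SAMPLE" | extract_uris | make_fetch_script
```

Usage: on the infrastructure server run `apt-get --print-uris -y dist-upgrade > uris.txt`, carry `uris.txt` to the NOC, pipe it through `extract_uris | make_fetch_script`, and after downloading call `verify_deb FILE ALGO:HEX` for each line before the .debs leave the NOC. The checksum step is the part worth keeping even if the rest is replaced by a local mirror: it is the only check that survives a manual copy between segments.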
