:: Re: [DNG] OT: Patching De*an based …
Top Pagina
Delete this message
Reply to this message
Auteur: Adam Borowski
Datum:  
Aan: dev
CC: dng
Onderwerp: Re: [DNG] OT: Patching De*an based systems at scale
On Fri, Oct 27, 2017 at 10:50:36AM -0500, dev wrote:
> On 10/26/2017 04:53 PM, Adam Borowski wrote:
> > You may additionally install apt-listchanges and configure it to show
> > changelogs, that will fetch relevant (and only those!) changelog entries of
> > packages you're about to install.
>
> Thank you for that information. Is the email and apt-listchanges the
> only way? apt-listchanges sends notifications from every system. That's
> 60 duplicate emails in my case, for many packages such as OpenSSH.


"dpkg-reconfigure apt-listchanges", it has quite a few options to alter how
notifications are presented. I for one consider mail to be uncomfortable
here, as knowing what was installed only after the fact is pretty pointless
(there's dpkg.log too), thus on systems where I have apt-listchanges
installed it's configured to use pager, letting me ^C if I want to abort
the upgrade.

> The DSA mail cuts down the noise but I'm assuming I may be getting
> mailed about packages that do not pertain to any systems I'm running,
> correct?


Yeah but the mail volume is so low I don't consider this a problem. And you
get them once no matter how many systems you admin.

> I'm trying to avoid what I always end up doing; a perl screen scraper
> which I cross-reference with apt-get upgrade --dry-run and then parse
> the pertinent package info into a CSV file that can everyone wants
> emailed to them, for each server... maybe this is the only way ?


I'd parse "apt-cache policy" instead, it's much easier to read. Or even
"dpkg --get-selections" so you have the set of packages only, which can then
be used to filter notifications centrally.

But then, the quality of Debian security updates has been so high (at least
for server packages) that I'm not paid well enough to pore through every
changed line. I somewhat dislike completely unattended upgrades, thus I run
a script that does, for every machine, serialized: apt-get update && apt-get
-y upgrade && apt-get dist-upgrade && apt-get clean. Doing it serially
rather than in parallel means I can see that upgrading the first machine ran
into trouble; extra time it takes doesn't matter as I do other work on the
other monitor/terminal in the meantime.


Meow!
--
⢀⣴⠾⠻⢶⣦⠀ Laws we want back: Poland, Dz.U. 1921 nr.30 poz.177 (also Dz.U.
⣾⠁⢰⠒⠀⣿⡁ 1920 nr.11 poz.61): Art.2: An official, guilty of accepting a gift
⢿⡄⠘⠷⠚⠋⠀ or another material benefit, or a promise thereof, [in matters
⠈⠳⣄⠀⠀⠀⠀ relevant to duties], shall be punished by death by shooting.