Weblog entry #1 for adamshand
See all weblog entries made by adamshand.
#1
debian-updates: finding which packages to upgrade
Posted by adamshand on Tue 24 Oct 2006 at 02:46
I've been using debian-updates for years to get timely notification of when there are updates to fix known security problems. It's been great and I love it.
However the security alerts tell you the name of the *source* package which needs to be upgraded. Normally this isn't too much of a problem, I go to the DSA web page, find the names of the effected binary packages and "apt-get install ...".
With the recent XFree86 security update there were so many packages to check that it was frustrating to cut and paste the individual names of the packages.
So my question is ...
- From the command line, how do you find all the currently installed packages which have the "Source: xfree86" header?
This has to be possible but I haven't managed to find anything that works.
Thanks!
Adam.
Comments on this Entry
Posted by Anonymous (59.178.xx.xx) on Tue 24 Oct 2006 at 07:15
How about this one-liner (a one-liner given a sufficiently wide screen ;-) ):
apt-get update ; apt-get upgrade --dry-run | grep ecurity | grep Inst | cut -f2 -d " " | perl -pi -e 's/\n/ /g'
What it does: updates the apt packages, does a dry-run to see what security stuff is there, grabs the Inst name, cuts the crap, followed by a perl search-and-replace of the newline to make it all one neat line to cut and paste in to your apt-get. If you really want to be anal, you can stick a "; echo" on the end so that your prompt reappears on a new line.
It's dirty, but I reckon it'll do the job right.
PJ
apt-get update ; apt-get upgrade --dry-run | grep ecurity | grep Inst | cut -f2 -d " " | perl -pi -e 's/\n/ /g'
What it does: updates the apt packages, does a dry-run to see what security stuff is there, grabs the Inst name, cuts the crap, followed by a perl search-and-replace of the newline to make it all one neat line to cut and paste in to your apt-get. If you really want to be anal, you can stick a "; echo" on the end so that your prompt reappears on a new line.
It's dirty, but I reckon it'll do the job right.
PJ
[ Parent | Reply to this comment ]
Posted by Anonymous (59.178.xx.xx) on Tue 24 Oct 2006 at 07:25
Whoops. Didn't read the question right. Ah well, let's see if someone else pipes in - I don't think I understand the question.
PJ
PJ
[ Parent | Reply to this comment ]
If you look at xfree86-common you see:
# apt-cache show xfree86-common | grep ^Source:
Source: xfree86
So what I want is the command line which will give me a list of every installed package which has the "Source: xfree86" header in the package description.
I'm assuming you should be able to do it with apt-cache or apt-file but haven't been able to figure out how to search anything other then the description or name.
Adam.
# apt-cache show xfree86-common | grep ^Source:
Source: xfree86
So what I want is the command line which will give me a list of every installed package which has the "Source: xfree86" header in the package description.
I'm assuming you should be able to do it with apt-cache or apt-file but haven't been able to figure out how to search anything other then the description or name.
Adam.
[ Parent | Reply to this comment ]
Posted by Anonymous (59.178.xx.xx) on Tue 24 Oct 2006 at 10:21
I am still unsure why you want to do it that way - I probably still don't understand.
I'd probably do what you seem to want in a two stage sort of thing. In bash, something like:
templist=`dpkg --get-selections | cut -f1`
(that gets you a list of files to examine with dpkg -s). Then:
for i in $templist ; do dpkg -s "$i" | grep "Source: xfree86" && echo $i ; done
That'll get you started. You'll want to tweak according to taste to get the final output list. And you'll probably need to grab a cup of tea or something while the bash loop is running - it's not exactly a speed maniac ;-)
PJ
I'd probably do what you seem to want in a two stage sort of thing. In bash, something like:
templist=`dpkg --get-selections | cut -f1`
(that gets you a list of files to examine with dpkg -s). Then:
for i in $templist ; do dpkg -s "$i" | grep "Source: xfree86" && echo $i ; done
That'll get you started. You'll want to tweak according to taste to get the final output list. And you'll probably need to grab a cup of tea or something while the bash loop is running - it's not exactly a speed maniac ;-)
PJ
[ Parent | Reply to this comment ]
Yeah, I guess that'll work, it just seemed like there should be a simpler way. Here's it consolidated into a one liner:
# for i in $(dpkg --get-selections | cut -f1); do dpkg -s "$i" | grep "Source: xfree86" > /dev/null && echo $i ; done
Now I'm confused as well though ... what doesn't make sense? When all you know is that the source package xfree86 has been updated due to security problems and that new packages are available ... how would you find out which packages to update?
Do you mean that you'd just do an "apt-get upgrade" and do the entire system?
Adam.
# for i in $(dpkg --get-selections | cut -f1); do dpkg -s "$i" | grep "Source: xfree86" > /dev/null && echo $i ; done
Now I'm confused as well though ... what doesn't make sense? When all you know is that the source package xfree86 has been updated due to security problems and that new packages are available ... how would you find out which packages to update?
Do you mean that you'd just do an "apt-get upgrade" and do the entire system?
Adam.
[ Parent | Reply to this comment ]
Posted by Anonymous (59.176.xx.xx) on Tue 24 Oct 2006 at 18:19
"Now I'm confused as well though ... what doesn't make sense?"
Well, I do security upgrades in a much simpler way. Maybe that's why we're confusing each other?
"Do you mean that you'd just do an "apt-get upgrade" and do the entire system?"
Nah. Just the security bit gets the upgrade. The bash-with-dpkg thing was just for handling the xf86 parts the way you were asking.
The way I usually do my security updates is:
1. I find what packages need a security upgrade with
apt-get update ; apt-get upgrade | grep ecurity
2. Then I apt-get install those packages
(This assumes you have something like this line:
deb http://security.debian.org stable/updates main contrib non-free
in /etc/apt/sources.list)
PJ
Well, I do security upgrades in a much simpler way. Maybe that's why we're confusing each other?
"Do you mean that you'd just do an "apt-get upgrade" and do the entire system?"
Nah. Just the security bit gets the upgrade. The bash-with-dpkg thing was just for handling the xf86 parts the way you were asking.
The way I usually do my security updates is:
1. I find what packages need a security upgrade with
apt-get update ; apt-get upgrade | grep ecurity
2. Then I apt-get install those packages
(This assumes you have something like this line:
deb http://security.debian.org stable/updates main contrib non-free
in /etc/apt/sources.list)
PJ
[ Parent | Reply to this comment ]
Posted by Anonymous (59.178.xx.xx) on Thu 26 Oct 2006 at 09:14
[replying to myself]
Ooops. The
apt-get upgrade | grep ecurity
line I use is actually meant to be:
apt-get upgrade --dry-run | grep ecurity
This would give me a chance to at least cursorily glance at what I'll be installing, rather than upgrading.
PJ
Ooops. The
apt-get upgrade | grep ecurity
line I use is actually meant to be:
apt-get upgrade --dry-run | grep ecurity
This would give me a chance to at least cursorily glance at what I'll be installing, rather than upgrading.
PJ
[ Parent | Reply to this comment ]
"Do you mean that you'd just do an "apt-get upgrade" and do the entire system?"
If you have the appropriate security entry in sources.list, "apt-get update" then "apt-get upgrade" will get all the security updates in binary packages installed.
It will also get any new packages, but for stable releases (i.e. Sarge) there should only be security updates.
I assumed from your question you were perhaps building your own Debian variant?
See also earlier discussion of tools like "cron-apt". I have all my server updates automatically, except operational servers, which download all the updates and email me to say they are ready for a manual "apt-get update".
If you have the appropriate security entry in sources.list, "apt-get update" then "apt-get upgrade" will get all the security updates in binary packages installed.
It will also get any new packages, but for stable releases (i.e. Sarge) there should only be security updates.
I assumed from your question you were perhaps building your own Debian variant?
See also earlier discussion of tools like "cron-apt". I have all my server updates automatically, except operational servers, which download all the updates and email me to say they are ready for a manual "apt-get update".
[ Parent | Reply to this comment ]
Ah right, that makes sense. I almost always run mixed stable/testing environments so I haven't (yet) been willing to trust automatic updates.
[ Parent | Reply to this comment ]
Posted by Anonymous (59.178.xx.xx) on Thu 26 Oct 2006 at 09:25
So in your case, just set cron to apt-get update at 3 am or whatever time you are snoozing away. Then in the morning just do an "apt-get upgrade --dry-run | grep ecurity" to dry-run and see what you might want to upgrade from the security packages. Then apt-get install the packages you want.
I thought the comment you made about the cut and paste being tedious meant cut-and-paste from the apt-get upgrade --dry-run | grep ecurity output.
Then I thought, maybe you were talking about cutting and pasting from the web page (http://www.debian.org/security/2006/dsa-1193) - is that what you meant? If so, you'll find "apt-get upgrade --dry-run | grep ecurity" truly an epiphany.
Dunno about cron-apt - sounds like the One, True, Debian Way to do this all this - but haven't really felt the need for it.
PJ
I thought the comment you made about the cut and paste being tedious meant cut-and-paste from the apt-get upgrade --dry-run | grep ecurity output.
Then I thought, maybe you were talking about cutting and pasting from the web page (http://www.debian.org/security/2006/dsa-1193) - is that what you meant? If so, you'll find "apt-get upgrade --dry-run | grep ecurity" truly an epiphany.
Dunno about cron-apt - sounds like the One, True, Debian Way to do this all this - but haven't really felt the need for it.
PJ
[ Parent | Reply to this comment ]
That's great. I think that almost completely replaces my need for debian-updates.
Cheers for that! I'm going to need to look into it, but interestingly this flagged a bunch of packages which needed upgrading which debian-updates hadn't flagged at all.
If anyone is interested here's a slightly refined command line, which makes it easy to cut'n'paste the output into an "apt-get install" line.
# apt-get upgrade --dry-run | awk '/^Inst.*Debian-Security/ {printf "%s ", $2}'
Adam.
Cheers for that! I'm going to need to look into it, but interestingly this flagged a bunch of packages which needed upgrading which debian-updates hadn't flagged at all.
If anyone is interested here's a slightly refined command line, which makes it easy to cut'n'paste the output into an "apt-get install" line.
# apt-get upgrade --dry-run | awk '/^Inst.*Debian-Security/ {printf "%s ", $2}'
Adam.
[ Parent | Reply to this comment ]
Posted by Anonymous (59.178.xx.xx) on Thu 26 Oct 2006 at 10:01
Non-security upgrades flagged: That's 'cos you've got a testing mixed in with stable. Testing continually has new packages dropping in from unstable. If you had a pure stable system you'd only really have security upgrades (like Simon says).
Testing also has a security repository just for itself these days. So you may want to move to pure testing anyway. Mixing branches (eg: testing/stable/unstable) is possible. But such unholy miscegnations do lead to more tears generally when upgrading bits, and are very unsupported, and it is probably (not sure) regarded as inappropriate to file a bug for such mixed systems (can anyone confirm this?).
You are encouraged to file bugs for pure testing of course.
PJ
Testing also has a security repository just for itself these days. So you may want to move to pure testing anyway. Mixing branches (eg: testing/stable/unstable) is possible. But such unholy miscegnations do lead to more tears generally when upgrading bits, and are very unsupported, and it is probably (not sure) regarded as inappropriate to file a bug for such mixed systems (can anyone confirm this?).
You are encouraged to file bugs for pure testing of course.
PJ
[ Parent | Reply to this comment ]
That's what I assumed as well, but actually all of the updates appeared to be from stable (the --dry-run output indicated "Debian-Security:3.1/stable", or something similar to that).
I've already upgraded them all so I can't double check but I was expecting them to all be from testing as well and they didn't seem to be.
I'll verify next time I have a package flagged.
Anyway thanks for the tip!
Adam.
I've already upgraded them all so I can't double check but I was expecting them to all be from testing as well and they didn't seem to be.
I'll verify next time I have a package flagged.
Anyway thanks for the tip!
Adam.
[ Parent | Reply to this comment ]