Last week, we looked at the importance of Patch Management
and keeping up to date with the most recent happenings in software bugs/fixes. I
suggested a variety of sources from which the most recent alerts can be found
and a variety of ways in which to receive this information (Web sites likeSecurityFocus, Mailing lists and RSS feeds).
Its unpractical and unrealistic to expect that
administrators should patch source code, recompile, and reinstall each time a
patch is released; this would take most of the administrators time and prove a
never-ending battle (the number of Linux admins sectioned to prevent self harm
would go through the roof!). Considering this, what options are provided for
solving this problem? Lets take a look at the Debian-based distributions (from
now on, by Debian, I refer to anyDebian-based distribution) and see how they handle this.
The name of Debians package/update manager says it all, apt. The dictionary description
is close: 1. Exactly suitable; appropriate: an apt reply. 2. Quick
to learn or understand: an apt student. However Wikipedia gets it spot on. APT
stands for Advanced Packaging Tool. The main tools used are apt-get and apt-cache; the former allows
installation, cache updates, upgrades, and removal of packages. All
dependencies are calculated, and the user is prompted to approve any additional
packages required to solve these dependencies. The latter tool, apt-cache can be used to search the
cache (generated with apt-get update) of available packages and showinformation about specified packages. Lets see them in action:
Great! Installing/removing packages just got a whole lot
easierdependency hell is no more. How about updating a package which has been
upgraded, or installing a security patch? APT has a file called sources.list. Funnily enough, this file
contains a list of sources—one of which is http://security.ubuntu.com
breezy-security. Here, any critical updates and/or patches released by the
security team are uploaded; when you run apt-get
update, details of these patches are downloaded, then apt-get upgrade will show you which patches are due to be installed
on your system, and ask for approval to go ahead and apply them, as you seehere:
Its that easyI really like the APT set of update tools, they couldnt be much simpler or more effective.
One thing we need to keep in mind is that Debian isnt a
commercially-supported distribution; as such, this means there is no SLA relating to the frequency of updates or reaction
speed to potential vulnerabilities once they become public knowledge. The Debian security team claim that most
problems are corrected within 48 hours of being brought to their attention.
Security advisories are posted to the debian-security-announce
mailing list—patches are added to the security APT source once available. Patches will continue to be
released for one year once a distribution's stable successor has been released.Packages are also signed to allow their authenticity to be scrutinised.
Next week, I will take you through a commercial
distribution of Linux and see how they deal with patching and updating