[8999] in bugtraq
"solaris 7" name change consequences
daemon@ATHENA.MIT.EDU (rick pim)
Fri Jan 8 18:31:16 1999
Date: Fri, 8 Jan 1999 10:33:55 -0500
Reply-To: rick pim <rick@POST.QUEENSU.CA>
From: rick pim <rick@POST.QUEENSU.CA>
To: BUGTRAQ@NETSPACE.ORG
the combination of a few postings to bugtraq in the last two or three
days triggered my sense of irony. i think there's a small lesson in
there somewhere as well.
earlier this week, as part of the "sun almost has a clue" thread, the
following caught my eye -- casper dik replied to a posting with the
comment:
    Since there's no such thing as Solaris 2.7, I'm surprised it works
    there. Did you perhaps try it on the beta?
strictly speaking, of course, he's right -- some marketroids at sun
chose not to call this release of solaris by its obvious name. there
are, however, consequences to this. in particular, the operating
system is still called SunOS 5.7 (at least, it is according to
uname -a) even though the whole package isn't called "solaris 2.7".
shortly after casper's post, bruce barnett started a small thread
when he posted his "CheckPatches" utility -- a couple of scripts that
examine the local system, ftp to sun, fetch the relevant patch report,
and then produce a listing of existing security patches that are not
installed on the local system. it seemed like a nice idea, so i
decided to test it. my test machine is my desktop box, which is
running (in deference to sun purists) 5.7.
of course, it doesn't work. the sun patch reports are in files with
filename
SolarisXX.PatchReport
where XX is the version of solaris. not surprisingly, bruce's script
calculates XX by subtracting 3 from the output of uname -r. this
works for all versions of solaris but _not_ solaris "2.7", since the
patch reports are in
Solaris7.PatchReport
and so the script fails.
this morning, my morning mail had a bugtraq posting from ronan
waide containing a utility _he_ wrote which purports to do about
the same thing. his version uses the XX_Recommended.README
files and contains the following code:
    # Gah. SunOS $osver is 5.x instead of Solaris' 2.x. I guess subtract 3...
    $osver = $osver - 3 if ( $os eq 'SunOS' );
so it's entirely possible (i don't see a solaris 7 Recommended.README
file so i can't be sure) that this will break as well.
john riddoch mentioned sun's "patchdiag". i took a fast look at that
and found that
- it's not available in source
- it's over a megabyte in size (even after throwing away the redundant
copy of its own tar file that sun kindly includes in the kit)
- it can produce misleading results: on my just-installed 5.7 system, it
tells me:
    Patch  Ins Lat Age Require   Incomp    Synopsis
    ID     Rev Rev     ID        ID
    ------ --- --- --- --------- --------- ----------------------------------
    All security patches installed!
when there are at least two that are outstanding. i don't know that
this is at all related to the "version number" issue, but it's
not a particularly good sign.
that's a lot of words for not much, but i think it's a small sort of
cautionary tale: in less than two days, two security tools have been
posted which require rewrites because of a marketing decision to
change the relationship between the operating system version numbers
and the label on the packaging. how many other things will break?
wait and see, i guess.
rick pim rick@post.queensu.ca
information technology services (613) 533-2242
queen's university, kingston
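
The "subtract 3" mapping discussed in the message above, written so that it covers the 5.7 case and returns an error for any release it does not recognise instead of building a filename that will not exist. This is an added example, not code from the post or from either script it mentions; the function names are made up here, it assumes XX for older releases is the full "2.x" string, and its handling of releases after 5.7 generalises beyond the one case the post gives.

```shell
#!/bin/sh
# Added example (hypothetical helper names): map a SunOS release string,
# as printed by `uname -r`, to the label used in SolarisXX.PatchReport.

# solaris_label RELEASE
# Prints "2.6" for 5.6, "2.5.1" for 5.5.1, "7" for 5.7.
# Returns 1 without output for anything that is not a clean 5.x string.
solaris_label() {
    rel=$1
    case $rel in
        5.*) ;;                          # only SunOS 5.x has a Solaris label here
        *) return 1 ;;
    esac
    rest=${rel#5.}                       # "6", "5.1", "7"
    case $rest in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, stray dots
    esac
    minor=${rest%%.*}                    # first component after "5."
    if [ "$minor" -le 6 ]; then
        echo "2.$rest"                   # old scheme: 5.x -> 2.x
    else
        echo "$minor"                    # new scheme: 5.7 -> 7 (assumed to continue)
    fi
}

# patch_report_name RELEASE
# Builds the filename pattern quoted in the post; fails if the release
# is unrecognised so a caller cannot report "nothing missing" by accident.
patch_report_name() {
    label=$(solaris_label "$1") || return 1
    echo "Solaris${label}.PatchReport"
}

# Constructed sample inputs, not taken from a real host.
for r in 5.5.1 5.6 5.7 4.1.4; do
    if name=$(patch_report_name "$r"); then
        echo "$r -> $name"
    else
        echo "$r -> unrecognised release, refusing to guess" >&2
    fi
done
```

A patch checker built on this should treat a non-zero return, or a failed fetch of the resulting filename, as "unable to check" and say so, never as an empty list of missing patches.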