Patch Check Advanced

Analyze, download and install patches for Oracle Solaris
Written by
Martin Paul

News via













A new stable release of PCA has been published: 20220902-01. See list of changes.


A new stable release of PCA has been published: 20220111-01. See list of changes.


A new stable release of PCA has been published: 20190715-02. See list of changes.


Solaris 10 has gone into extended support on February 1st 2018. Unless you transition to Oracle Solaris 10 Extended Support, you will not be able to download patches and patch revisions which are released after this date.

Find more detail in this blog post.


A new stable release of PCA has been published: 20150327-01. See list of changes.


Once again Oracle has changed its patch download infrastructure causing PCA to fail when trying to download patches. If you see download errors please try to use PCA with --wgetopt="--no-check-certificate".

Unfortunately I can not take a closer look at that right now for personal reasons, so do not expect an updated version of PCA in the next days.


Solaris 9 is exiting Extended Support and entering Sustaining Support, as reported in this blog post by Gerry Haskins.

According to this source, all patches created for Solaris 9 while it was in Extended Support will now be available with a regular MOS account.


A new stable release of PCA has been published: 20140115-01. See list of changes.


PCA is 10!

Scrolling down on the PCA-News web page, at the very bottom, one finds this message: "2003/09/09: First version. Introducing PCA 1.0". So it's really 10 years now since I decided to make this script public, after I've been using it for some time internally. It had 208 lines at that time.

Only one day later I received the first e-mail with the subject "pca" from Andrew Brooks, which was a lot like the many messages I received in the next ten years:

First, he thanked for the useful script. Such comments from PCA users turned out to be my main motivation to maintain and refine PCA in the following years. So thanks to all of you who ever sent positive comments!

Second, he provided an idea (and included code) for some new function (a new option -H to output HTML) which I immediately decided *not* to include in the official version of PCA :-) In my answer I stated that I wanted to keep PCA as simple as possible, not depending on some URLs staying consistent on Sun's web page. I always liked Unix for its tradition of simple commands which can be used in pipes to achieve great things.

Soon other PCA users provided more and more input and I started to add new functions and options over the time, always weighing simplicity against usefulness. The option to download patches from Sun directly was probably one of the most useful, and the one which caused me most work in the last years. Sun (and later Oracle) turned the simple process of downloading a patch file via FTP into a complicated procedure with authentication, server redirects, dependencies on certain HTTP features etc. which I always had to follow closely to keep the download functions in PCA working. There were moments when I seriously thought about giving up on it.

While I knew that Sun engineers were using PCA themselves, and Sun never succeeded in providing a own, working patch administration tool (I would have been the first to switch, believe me!) they never officially acknowledged PCA, although it was recommended on some Sun websites and PDFs.

As I got a lot of e-mails in the meantime from admins asking about the usage of PCA and me answering the same questions over and over again, I created the PCA mailing lists (for those interested in numbers, I have 4827 messages in my folder with private PCA communication, and 3139 messages on the PCA mailing list - I definitely wrote more text than code). This helped a lot, as power users now answered the queries from beginners. I also had a lot more contact to the users of PCA and was fascinated in how many different ways and procedures it was being used. I also got in contact with Gerry Haskins and Don O'Malley from Sun, which made it a lot easier to sort out problems and to get information about the internals of Sun's patch creation and publication. Thanks to both of them for their help and patience!

With the appearance of Solaris 11 and its IPS system, traffic on the mailing list was reduced a lot. As PCA is not needed anymore on Solaris 11, it is now being used mostly by experienced admins running Solaris 10 who already know what they do. Personally, I also think that PCA is feature complete for quite some time now, and as (now) Oracle doesn't change their patch infrastructure anymore, new versions of PCA have been reduced to a minimum.

As far as I'm concerned, that's very welcome. While I still work with some Solaris systems, we're moving away from Solaris here slowly, due to the high prices of Oracle hardware and support. Of course I'll keep PCA working as long as somebody is still using it.

Finally, let me state that I'm pretty proud of what PCA turned out over the years - it has saved numerous sysadmins around the world uncountable hours of work and frustration. This compensates for all the time I invested, even if it was frustrating now and then when performing complicated tests to ensure PCA's analysis being correct or hunting for obscure bugs. Would I publish PCA 1.0 once again if I could go back to 2003? I think so :-) If only for the amount of positive feedback I got over all the years.

Let me end with a quotation which is the basis of my work on PCA (and also in general):

"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." (Antoine de Saint-Exupery)


A new stable release of PCA has been published: 20130502-01. See list of changes.


A new stable release of PCA has been published: 20120829-01. See list of changes.


A new stable release of PCA has been published: 20120326-01. See list of changes.


A new stable release of PCA has been published: 20120119-01. See list of changes.


A new stable release of PCA has been published: 20111018-01. See list of changes.


A new stable release of PCA has been published: 20110812-01. See list of changes.


Due to some recent backend changes in the Oracle patch download service there might be issues with failing patch downloads with PCA in certain situations:

If you are using a firewall which restricts outgoing access, it might be necessary to add a few extra rules for the new additional content distribution networks used by Oracle. Look at the bottom of PCA Installation for a list.

If you must use a local web proxy to access outside systems and use PCA's wgetproxy option to set that, it might be possible that PCA does not set the correct options for wget and patch downloads fail. Please use the current development version of PCA, which contains a fix. A new stable version including the fix will appear soon.


A new stable release of PCA has been published: 20110805-02. See list of changes.


A new stable release of PCA has been published: 20110329-01. See list of changes.


A new stable release of PCA has been published: 20101221-01. See list of changes.


A new stable release of PCA has been published: 20101213-01. See list of changes.


On Dec 10th SunSolve will be shut down and its services will be provided by My Oracle Support (MOS) instead. A new version of PCA will be published at the same time which uses MOS instead of SunSolve.

To use MOS, it's required to register for an account there, which will then be used instead of the old Sun Online Account (SOA) with PCA. Don O'Malley from Oracle describes the procedure and shows some examples on how to access the new service which is already available in a restricted testing version in this posting:


There is also a development release of PCA available which can be used to test the new service, described in this posting:


With this version of PCA and your new MOS account, you should be able to access these test files from MOS:

  ./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --getxref
  ./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --readme 119318-01
  ./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --download 119318-01
If you try the test downloads and something doesn't work, please let me know (or even better, subscribe to the PCA mailing list and post it there).


Oracle announced the retirement of SunSolve and its transition into My Oracle Support later this year. The patchdiag.xref file and the automatic download of patches, which are required by PCA, will continue to be supported. There will be changes regarding URLs and the authentication scheme, though, which will make modifications to PCA necessary.

Watch this space for updates.


A new stable release of pca has been published: 20100910-01. See list of changes.


A new stable release of pca has been published: 20100727-01. See list of changes.


A new stable release of pca has been published: 20100607-01. See list of changes.


A new stable release of pca has been published: 20100514-01. See list of changes.


A new stable release of pca has been published: 20100309-02. See list of changes.


Attention: The patch policy has silently been changed by Oracle quite severely. The new strategy, which is also documented in Software Update Entitlement Policy for Solaris, enforces the requirement of a support contract to download any patch.

Unlike before, even security patches are not available for free anymore.


Attention: Due to Oracle taking over Sun it is necessary that you log into SunSolve and accept the new Software License Agreement (Step 5 on the Update Account page).

Otherwise, patch downloads with pca will not work anymore!


A new stable release of pca has been published: 20091216-02. See list of changes.


A new stable release of pca has been published: 20091210-01. See list of changes.


A new stable release of pca has been published: 20091030-01. See list of changes.


There are ongoing problems with SunSolve, which cause failing patch downloads. Sun is working on it.


A new stable release of pca has been published: 20090827-01. See list of changes.


Recent changes to the SunSolve server infrastructure caused two problems with pca:

Patch downloads via HTTP are not possible anymore, HTTPS is required. You need a version of wget which has been compiled with SSL support. A simple check is to run ldd /path/to/wget | grep ssl to see whether it's linked against OpenSSL. I will modify pca to do the check and show an appropriate message in the future.

The --readme option can not be used to download patch README from SunSolve right now. The URLs used by pca are not working anymore, and there is no known replacement. Hopefully this will change soon.

If you have questions, feel free to join the discussion on the pca mailing list.


A new stable release of pca has been published: 20090723-01. See list of changes.


A new stable release of pca has been published: 20090408-01. See list of changes.


A new stable release of pca has been published: 20090224-01. See list of changes.


Changes in enforcement of the current patch access policy are about to be rolled out by Sun starting this week:


So what does that mean for pca users?

If you use pca to generate patch reports only, but not to download and install patches, nothing changes.

If you have a support contract connected to the Sun Online Account used with pca to download patches, nothing changes.

If you do not have a support contract - you are using a free Sun Online Account - you already experienced that you could only download a subset of patches with pca. This subset has now been reduced to a much smaller number of patches, still containing at least all security patches.

At present, you can download any revision of a patch as long it contains at least one security fix. In a second phase of policy enforcement (to be done at a later time) only the revisions which actually contain security fixes will be available for free. Example: Patch 123456-01 contains a security fix. Later, 123456-02 is published, containing a non-security fix. You will be able to download 123456-01, but not 123456-02.

The patchdiag.xref file currently only contains information about the most current revision of each patch. For pca to determine the set of missing security patch revisions, it would be necessary to have information about the last security revision of each patch as well. There are no plans for Sun to add this information to the patchdiag.xref file. You will have to check all Sun Alerts or patch READMEs to come up with a list of all free security patch revisions.

Of course Sun has limited resources and is concentrating them on customers with support contracts. I currently have no idea whether the majority of the pca users do have support contracts or not. So if you are affected by the planned changes, this is your chance to make yourself heard. Feel free to comment either via the Comments link in the above blog entry or on the pca mailing list.


A new stable release of pca has been published: 20081218-01. See list of changes.


A new stable release of pca has been published: 20081024-01. See list of changes.

Attention: pca-proxy.cgi will read only configuration files which are named pca-proxy.conf from now on. Before that change, it was reading pca.conf files, too, which could create confusion when a machine was both a proxy and a client.


A new stable release of pca has been published: 20080911-01. See list of changes.


A new stable release of pca has been published: 20080909-01. See list of changes.

Today pca turns 5 years; version 1.0 was published first on 2003/09/09. Thanks to all of you for the large amount of positive feedback I've received during the last years!


A new stable release of pca has been published: 20080729-01. See list of changes.


A new official release of pca has been published: 20080626-01. See list of changes.

I will be on vacation and not read my e-mail regularly from June 28th to July 20th. In case of problems and for support queries please use the pca mailing list and its archive.


A new official release of pca has been published: 20080519-01. See list of changes.


A new official release of pca has been published: 20080507-01. See list of changes.


As of today, SunSolve is handing out a broken patchdiag.xref file, containing HTML tags. Therefore, pca can't parse the file correctly and returns an error message. I have put a fix into the development release of pca to make it handle this situation.


A new official release of pca has been published: 20080311-01. See list of changes.


There are now two mailing lists available: pca-news for announcements only and pca for discussion and support. All addresses from the old, manually maintained pca news mailing list are automatically subscribed to the new pca-news list; you are invited to switch over to the discussion list pca instead. For details on subscription etc. see Lists.


I've now added a hack to pca to make it work with wget v1.11. I still don't understand completely what's going on, but there seem to be two problems:

  • SunSolve checks for the User-Agent header in HTTP requests, and behaves differently for wget v1.11 and older versions. Seem as if it considers Wget/1.11 unknown. Using --user-header=Wget/1.10.2 works around this part of the problem.
  • In wget v1.11, authentication data is only sent if it's explicitely being asked for. SunSolve doesn't ask for authentication, but if you provide Basic Authentication data anyway, everything works. The workaround for this problem is to compute basic authentication data in pca and force it upon SunSolve with wget's --header option.
I don't like the workaround hacks, but it was the only method in my experiments to make wget v1.11 work with SunSolve the same way as previous versions. The root cause of course is the overly complicated interface at SunSolve to download patches and READMEs.

Sun should really get their act together and give us a stable, reliable and standards conforming interface for hands-off downloads.

Thanks to everybody who provided support and feedback with this issue.


Attention: With wget v1.11 (which has been published recently), downloads from SunSolve do not work anymore. This seem to be due to a change in wget (Only send authentication credentials after we've received a challenge from that host). Using wget v1.11 with pca will therefore not work. This is a real pity. If anyone finds a workaround, please let me know.


Once again, there have been announced changes to SunSolve. It seems as if a (free) Sun Online Account is required to download patchdiag.xref right now. The file hasn't been updated since 2008/01/29 either.


A new official release of pca has been published: 20080131-01. See list of changes.


A new article in the Sun Patch blog features an overview of Patch Automation Tools. It also mentions pca. Post a comment and let them know which tool you like most :)


Gerry Haskins, the Senior Engineering Manager in charge of Software Release Engineering and Patch System Test at Sun, has started a patch blog at http://blogs.sun.com/patch.


A new official release of pca has been published: 20080109-01. See list of changes.


The News-Feed is now available via RSS: http://www.par.univie.ac.at/solaris/pca/news.rdf


When using a local caching proxy (pca-proxy.cgi) you might have experienced interrupted downloads with large patches. This can be caused by the web server (apache) which kills the CGI script if it runs too long without any output. Luckily, apache has a Timeout option to be set in the httpd.conf file. It's set to 300 seconds by default. For large patches, you might want to raise this to 1800 seconds or higher and restart apache.

Thanks a lot to Dominique Frise for pointing me at this.


A new official release of pca has been published: 20071214-01. See list of changes.


In his blog entry "A big mess" about the current state of the Solaris package system, Dan Price refers to PCA as "a nice open source tool I use". Thanks for the plug!


A new official release of pca has been published: 20071115-01. See list of changes.


Dave Collodel has built a package around pca to automate patch installation, including the installation of deferred patches during reboot. See PCApatch.


During the last days, I had no problems getting the daily updated patchdiag.xref file. Seems as if the issue has been fixed. Another interesting change is that the patchdiag.xref file is once again available without specifying a Sun Online Account (SOA). I have already modified the development release of pca to try accessing the xref file both with and without SOA data.


Today SunSolve delivered the correct patchdiag.xref file, and the notice about known problems on the SunSolve web page is gone, too. Let's hope this means that Sun has finally fixed the problems.


After more than two weeks, the problem with SunSolve handing out random old versions of patchdiag.xref still hasn't been fixed. I (and others) came up with a temporary workaround. It seems as if a current version of the xref file can be downloaded (without Sun Online Account) from http://sunsolve.sun.com/search/document.do?assetkey=1-34-patchdiag.xref-1. Unfortunately this file contains HTML markup, and can't be used directly by pca without some post-processing. I have created a script (getxref) which downloads the file and removes the HTML markup, saving the result in a patchdiag.xref file, which can then be used by pca.

I thought about putting the most current version of the patchdiag.xref file (obtained by the above mentioned script) onto pca's webpage, so it could be easily accessed by pointing pca at this copy with the xrefurl option, but decided against it. According to the SLA on SunSolve, it's illegal to redistribute any information from SunSolve.


A new official release of pca has been published: 20071023-01. See list of changes.


Good news: The current patchdiag.xref (dated Oct/16/07) is now available on SunSolve. Update: Later this day once again old revisions of the file were handed out. It's still broken.

Bad news: There's a new kind of problem with SunSolve when downloading patches and patch READMEs. Sometimes SunSolve returns a small HTML file (1203 bytes) instead of the requested file. It says that the requested URL could not be retrieved, because an FTP authentication failure has occured. It seems as if sunsolve connects to an internal FTP server through a squid proxy, and the authentication has been messed up. To clarify - both this FTP server and the squid proxy are components of the SunSolve service - this is not a problem with your local infrastructure.

As always, the problem has been reported to SunSolve staff and awaits salvation.


The problems with SunSolve handing out random old versions of patchdiag.xref still persist. The SunSolve staff knows about it, and promised to look into it.


A new official release of pca has been published: 20071011-02. See list of changes.


Again problems with patchdiag.xref - while it has worked yesterday and today in the morning, I now receive either an "Internal Server Error" or an outdated version of patchdiag.xref (Oct/09/07) again.


Instead of handing out patchdiag.xref from Oct/09/07 (as it should), sunsolve.sun.com has an old version from Oct/05/07. I reported it to Sun. Update: The correct patchdiag.xref from Oct/09/07 is now online.

Besides that, I want to make it clear again that problems with downloading any file (patchdiag.xref, patches) from SunSolve with pca are still caused by the instability and slowness of the SunSolve server. Until Sun gets their act together, I recommend re-trying failed downloads either by re-running pca or using the dltries option to make pca try downloads multiple times.


Something seems to have changed on SunSolve once again. It's not possible to download the patchdiag.xref file with wget without specifying Sun Online Account data. Strangely enough, it still works through a web browser. Sun must have implemented a procedure which disallows unattended download of the file to ensure their legal information is being read and accepted.

For now, please specify a Sun Online Account by using the user and passwd options either on the command line or in a configuration file. I will probably modify pca to enforce this in the future. If you haven't done so yet, go and get a free Sun Online Account. See Installation for details.

Update: The development release does not try to download the patch cross-reference file from sunsolve.sun.com anymore if no SOA is provided. The askauth option has been modified to ask for SOA data whenever it is needed.


A new official release of pca has been published: 20071005-03. See list of changes.


A new official release of pca has been published: 20071002-01. See list of changes.

There is a new version scheme, consisting of the date in ISO format plus a serial number. The same scheme is used for official and development releases. A new option has been added (update=TYPE) which allows pca to check for and install new versions of itself. See UPDATE PCA in the documentation. The documentation is now included in POD format in pca. Use /usr/perl5/bin/perldoc pca to view it.

There are some enhancements to pca in proxy mode. You can setup a cascade of local proxies by pointing one proxy at another. The xrefdir and patchdir are honored now in proxy mode, so you can keep the cache directory out of the document root of your web server and use an existing cgi-bin directory. Debugging a proxy is simplified; when the debug option is set, debug output will be written to a file.


Some people had problems when trying to install patch 120011-14 (SunOS 5.10: kernel patch). It requires patch 125547 to be installed, which requires patch 122660-10 (via its prepatch script) again. Patch 122660-10 has been obsoleted by 120011-14, though. So at the end 125547 requires 120011, which requires 125547 itself.

The problem has been reported to Sun. Until they fix it with a new revision of either 125547 or 120011, you can try to workaround the issue by installing the obsolete patch 122660-10 manually. 125547 and 120011 should then succeed to be installed. Update: Sun describes the problem in bug report #6607483. They recommend to install 122660-10 as well. The same issue exists on the x86 platform, with patches 120012-14, 122661-08 and 125548.

A second problem that has shown up today is that patch 120272-12 has been marked as bad patch and 120272-08 has been reinstated. As 120011-14 (SunOS 5.10: kernel patch) requires 120272-12, this again makes installation of the current kernel patch on Solaris 10/SPARC impossible. There's a similar issue for the x86 patches 120012-14 and 120273-13. Update: The problem has been fixed with the release of 120272-13 and 120273-15.


Attention: The current version of pca has a bug in its --safe option. If a patch installs more than a few hundreds of files and some of them contain a comma in their name (esp. kernel patches are affected), pca will falsely ignore errors from pkgchk and install the patch even if it replaces locally modified files. If you use --safe, please get the development version of pca, which fixes this bug. Sorry if this has caused problems.

Background: The pkgchk command used by pca for the --safe option is horrible. When feeding path names with -p, the path names must not contain commas. When feeding path names with -i <file>, the path names must not contain the string ELF. In both cases, a maximum of 1024 path names can be fed at once.


In the most recent official version of pca I changed the mechanism to specify the SOA authentication data with wget from using http-user/http-passwd to encoding the user and password into the URL. I have received reports that this doesn't work with some proxy servers. According to RFC 3986 this URI syntax has been deprecated and applications may choose to ignore it.

I have now reverted back to the old mechanism in the development version of pca. Please use that if you experience problems with the recent official version.

Thanks to all who reported this, especially Sean Walmsley who provided in-depth information.


The long awaited new update release of Solaris 10 (8/07) is available for download now. A quick first check of the SPARC version shows that most current patches are pre-installed. Even more, there are pre-installed patches which have not been released through the official patch channel yet. The most notable of these is 120011-14. This seems to be the next kernel patch, and it obsoletes a lot of patches currently available, 123324-03(SunOS 5.10: sshd patch) and 125011-01(SunOS 5.10: sendmail patch) being just two of them.

Most system administrators (including me) think it's not a good idea to include application patches into the kernel patch. Obviously Sun begs to differ.


New release - PCA 5.7:

  • Show BAD flag in patch list for uninstalled patches
  • Encode special character in SOA authentication data for wget
  • Hide SOA authentication data in process list
  • Add option to force local caching proxy to download from sunsolve (--force)
  • Check valid format of patchdiag.xref
  • Use dltries option when downloading patchdiag.xref, too
  • If set, use SOA data when downloading patchdiag.xref
  • Fix download URL for patchdiag.xref, patches and patch READMEs
  • Enhance algorithm to choose correct command for installed patches
  • Add option to specify output format (--format)
  • Show alternative root directory in header when set
  • Better handle broken zero-size patchdiag.xref file
  • Use existing, already extracted patch directories
  • Fix patchadd hang when user input is requested
  • Update workaround for patches missing in patchdiag.xref
  • Update whitelist for safe patch install mode
  • Update patch-specific function to avoid showing uninstallable patches
The most important changes in this version are the adaptions to Sun's changes on SunSolve at the end of July, breaking at least some of pca's download functions. pca will also handle broken xref files (empty, wrong syntax) more gracefully.

New functionality is available with two new options: The --format option can be used to specify pca's output format. Quite handy when post-processing output from pca; see Usage for more detail. The --force option, when used on a pca client in combination with a local caching proxy (pca-proxy.cgi) will force the proxy to download any file from Sun, even if it already exists in the cache.


Sun's download server for the patchdiag.xref file, patches and READMES (sunsolve.sun.com) still doesn't work fine. The problem is known to Sun; there's now a note showing on SunSolve telling that they are working on it.

In the meantime, make sure you are checking pca's news page from time to time. If further changes are necessary, they always show up first in the development version of pca.

The current version also contains a fix for the long-standing problem of the Sun Online Account username and password showing up in the process list when downloading files from SunSolve. A pca user (thanks, again) pointed me at a workaround using wget's -i option and a temporary file.


After some deeper investigation, I found two ways to download the patchdiag.xref file within pca. If Sun Online Account (SOA) data is provided, pca uses that to get the file. Without SOA data, pca fakes a cookie (via wget's --header option) which makes sunsolve.sun.com believe that the Service Level Agreement has been accepted, so it delivers the file immediately.

During testing, I noticed that sunsolve.sun.com still is in a bad shape. It returns HTTP internal server errors from time to time. I modified pca to try any failed download (including patchdiag.xref) multiple times if the --dltries=NUM option is set (to anything higher than 1). The default is still 1.

The current state of all fixes is available in the development version of pca.


I'm back from vacation. And Sun did it again - there have been some modifications to sunsolve.sun.com which make pca fail when trying to download the patchdiag.xref file. A first attempt to fix the issue is available in the development version of pca. If the fix doesn't work for you, please report back to me.

Unfortunately, Sun's download server seems to be a little flakey, too. Patch downloads seem to fail from time to time. You might be able to workaround this issue by setting pca's --dltries option to something higher than 1.

Thanks to all of you who reported the problems, and provided fixes or workarounds. In the next days, I will try to get out a new release of pca which should fix the mentioned issues and I'll reply to the messages which I received while I was gone.


I will be on vacation from Jul 23rd to Aug 12th. Messages will be answered when I'm back.


In the Q&A section of the June issue of SysAdmin magazine, Amy Rich describes pca as an easier alternative to Sun's own patch tools. The article is a great introduction for new pca users as well.

I'd be happy to get my hands on a printed copy of that magazine for my wall of fame. If you have it, and are willing to send it to me, contact me by e-mail to martin@par.univie.ac.at. UPDATE: More than one of you offered to send the magazine to me, and I have received a copy in the meantime. Thanks to all!


I've been too optimistic. In today's patchdiag.xref, all patches for SAM-FS and QFS 4.6 have disappeared (126506 to 126512). I have added a workaround in the development version of pca.


There has always been a handful of patches which were missing from the patchdiag.xref file. I had implemented a workaround in pca so these were shown nevertheless, and sent countless queries to Sun in the last 18 months.

In today's patchdiag.xref, all of these patches suddenly show up correctly. Thanks a lot to the unknown Sun engineer(s) who fixed this!


New release - PCA 5.6:

  • Add option to specify local URL for patches and READMEs (--patchurl=URL)
  • Add option to specify local URL for patchdiag.xref (--xrefurl=URL)
  • Handle patches which require an immediate reboot after installation
  • Make pca use the wgetproxy option in proxy mode, too
  • Add option to specify the path to the logger command (--logger=FILE)
  • Ignore SIGINT (Ctrl-C) while patchadd is running
  • Use public link for READMEs in HTML output if SOA is not set
  • Provide more detailed information on failed downloads
  • Show version info in debug output
  • Show list of configuration files in debug output
  • Update workaround for patches missing in patchdiag.xref
  • Update whitelist for safe patch install mode
  • Update patch-specific function to avoid showing uninstallable patches
The localurl option has been deprecated and replaced by two new options: patchurl and xrefurl. Both take a URL as argument. By separating localurl into two options, it's now possible to specify different local sources for the patchdiag.xref file and the patches. One example is to point patchurl at pca-proxy.cgi, while xrefurl points to another URL with a baseline patchdiag.xref file. For downward compatibility, localurl is still recognized, and its argument will be used as the value for patchurl and xrefurl if those are not set.


Sun has updated InfoDoc #83061 (Sun Software Update (Patch) Access Policy). Well worth reading to get up-to-date on Sun's patch access policy.


I will be on vacation from Apr 27th to May 3rd, hoping that Sun won't break anything during that time. Messages will be answered when I'm back.


New release - PCA 5.5:

  • Change URL for download of patchdiag.xref file
  • Stop trying to download patch or README from patches.sun.com
  • Do not add links to patches.sun.com in HTML output
  • Check for new xref file and download it once every three hours
  • Get reboot/reconfig properties from patchinfo if it exists
  • Enhance check for reboot/reconfig properties in README files
  • Check for "immediate" reboot/reconfig properties
  • Add option to specify default proxy for wget (--wgetproxy=URL)
  • Better handle broken zero-size patchdiag.xref file
  • Show SOA username in password prompt when username is in config file
  • Check for root in safe mode only when install/pretend are used
  • Fix a bug where the operands option was ignored in configuration files
  • Set the default locale to C for forked processes like wget
  • Show uname/pkginfo/showrev command in error messages
  • Update workaround for patches missing in patchdiag.xref (add 7 new patches)
  • Update whitelist for safe patch install mode
  • Update patch-specific function to avoid showing uninstallable patches
This version of pca includes all the changes that were necessary after Sun modified download links for patches, READMEs and the xref file. A new and simpler algorithm for automatic download of the xref file is used; if the file is older than three hours, pca will download it again. Be aware that any download of a patch or a patch README from Sun's server now requires a Sun Online Account.

The check for patches which require a reboot has been enhanced. The patch README is only used to collect this information if no patchinfo file exists for a given patch. After patch installation, pca will tell whether a reboot or reconfiguration reboot is required or recommended.


No new patchdiag.xref file has been published since last Friday. In combination with the change in the URL for downloading the xref file, this creates a nasty problem: pca now downloads the xref file on every run. To stop it from doing that, you can use the nocheckxref option, either in a configuration file or on the command line.

Background: pca tries to be clever; it knows that every week from Monday to Friday at a certain time a new xref file is published, and from the timestamp on the local xref file it can guesstimate when a new one is available. When the new file should be there, pca tries to download it on every run.

Until recently, it wasn't a big problem when Sun skipped a day (which happens rarely anyway). pca used wget's -N option, which only downloads a file if it is newer than the local copy (it uses the HTTP Last-Modified header and the timestamp of the local file). This worked fine, until Sun killed the former URL:

and replaced it with:
Now I must use the -O option with wget, otherwise the downloaded xref file is named incorrectly. Add to all this a bug/whatever in wget, which breaks -N if it is used in combination with -O. So "wget -N URL -O patchdiag.xref" always downloads the file, even if it is not newer than the local copy.

Update: I decided to implement a much simpler algorithm for the automatic download of the xref file. If there is no local copy of the xref file or if it's older than one hour, pca will download the file from sunsolve (or localurl). If the local copy has been updated in the last hour, pca will use the file as is. This change does away with all the sophisticated guessing and checking if a new version might be available. The change is available in the development version of pca.


Sun has removed the link that pca uses to download the patchdiag.xref file. I have put a fix with the new link into the development version of pca. Please download and use this to make automatic downloads of the cross reference file work again. Thanks not to Sun for not announcing this properly in advance.

The policy and URLs to download patches for Solaris 8 and 9 have changed as well. From now on, you will always need a Sun Online Account to access any patch or patch README. Feed account data to pca via its user and passwd options, or by using --askauth. If you do not have a (free!) Sun Online Account yet, create a SOA here.

I will test the implications of the changes next week, and come up with an official version of pca including the fixes as soon as possible.

Thanks to all the pca users who reported the problem!


PCA 5.4 does not correctly read the operands option when it is specified in a configuration file or in the PCA_OPERANDS environment variable. I have fixed the bug in the development version of pca. Thanks to Martin Wismer for reporting this!

In the most recent patchdiag.xref file, the patches for QFS and SAM-FS (122803-122809) have disappeared. This can only be another problem caused by Sun, because in fact a new revision for all those patches has been published on 2007/03/09. I have added a workaround to the development version of pca.


New release - PCA 5.4:

  • Enhance checking of valid operands
  • Allow file operands to include other files and check for include loops
  • Implementation of ignore as a standard option (--ignore)
  • Implementation of +rec and +sec as standard options (--rec and --sec)
  • Use ignore list for installed/all/total/bad patch groups
  • Add option to specify how often downloads are tried if they fail (--dltries)
  • Reduce number of authenticated download attempts from SunSolve from 5 to 1
  • Add option to specify backout directory for patchadd (--backdir=DIR)
  • Allow relative path names with patchdir option
  • Avoid using buggy showrev on both Solaris 10 x86 and SPARC
  • Raise timeout for downloads from local patch server for huge patches
  • Continue getting patches from a local patch server even if wget is missing
  • Ignore HUP signal
  • Wait for patchadd to complete when SIGINT (Ctrl-C) is caught
  • Enhance handling of installed patches with unknown patch ID formats
  • New implementation of options code
  • Thread-safe implementation of download, locking and cleanup code
  • Show patchadd command with all options in debug output
  • Ignore nocheckxref and safe options in proxy mode
  • Add a fix for unusual patchdiag.xref entry for patch 122608
  • Update workaround for patches missing in patchdiag.xref (add 6 new patches)
  • Update whitelist for safe patch install mode
  • Update patch-specific function to avoid showing uninstallable patches
Valid short names for patch groups have been restricted to first letter plus optional r/s/rs. For example, m can be used for missing, mrs for missingrs, but missrs is not allowed. This applies to all patch groups (missing, installed, all, total, unbundled, bad). Patch groups override patch files: pca -l missingrs will always list missing R/S patches, even if a file missingrs exists. The operand specified when running pca will be shown in the header output of pca.

The ignore, +rec and +sec options which could be used to ignore certain patches or mark them as Recommmended/Security have been replaced by the ignore, rec and sec options. Unlike the old options, these can be used in configuration files, environment variables and on the command line. Example: pca --ignore 125319 --ignore 125427. The old options are still used, but deprecated. Patches set to be ignored will now be ignored with all patch groups.


Once again, the SunSolve server is in a bad state. Download of any restricted patch fails or returns size 0 files, and interactive access via the Patch Finder is either delayed infinitely or returns proxy errors, HTTP code 500 or size 0 files.


In the past few days it happened frequently that some of the new patches are not available for download from Sun although they are listed in the patchdiag.xref. When trying to download the affected patches from SunSolve, a size-zero file is returned. This is Sun's fault, and I reported it to them repeatedly. It's extremely annoying, but there's no way for pca to fix this.


Chris Reece has implemented thread support into pca for parallel patch downloads. See the contrib page for detail.

Thanks a lot to Chris for the contribution!


Today's patchdiag.xref is valid again, so the problem described below has been fixed.


The current patchdiag.xref on SunSolve is broken. It's only about a quarter of the size it should have. The result is that pca output is broken, too. I reported the problem to Sun, who hopefully will fix this soon, at least in the next release of patchdiag.xref, which is due Tuesday, about 7:30 a.m. (MET).

For your convenience, here's a temporary copy of the last valid patchdiag.xref file (Update 2007/03/05: Link has been removed). You can use pca -X <dir> to make pca use this copy. Use touch -t 02110800 patchdiag.xref to set the timestamp in a way that pca accepts the file as current and updates the file when Sun will issue a new version of the file.

Thanks to all pca users who reported this to me, too!


The problem with showrev -p crashing (as mentioned in the news entry from 2007/01/11) can be fixed by installing the patches 124630-03 (SPARC) and 124631-03 (x86). The patches are pre-installed on Solaris 10 11/06.

There have been reports about the broken showrev behaviour on systems with the new kernel patches (118833-36 for SPARC and 118855-36 for x86), too. If you install these patches, make sure to install 124630-03 and 124631-03, too.


When installing the most recent kernel patches for Solaris 10 (118833-36 for SPARC, 118855-36 for x86), an immediate reconfiguration reboot is required. No other patches can be installed before the system has been rebooted.


Another important change in Sun's patch access policy has been announced in InfoDoc #83061. The most important change is that access to Solaris 8 and 9 patches will be restricted in the same way as access to Solaris 10 patches already is.

As soon as the policy change is enforced (I've heard about March 31st, 2007), a free Sun Online Account will be necessary to access Solaris 8 and 9 security patches, and a Sun Service Plan (non-free) will be needed to access any non-security Solaris 8 and 9 patch.

As far as pca is concerned, it should continue to work as-is. For any patch download you will have to provide Sun Online Account data via pca's command line options (--askauth, --user/--passwd), configuration options (user=USER, passwd=PASSWD) or environment variables (PCA_USER/PCA_PASSWD).


New release - PCA 5.3:

  • Add option to list patches with a minimum age (--minage=DAYS)
  • Fix installation of Studio 11 patches on Solaris 10 (enforce -G)
  • Small modifications to make pca-proxy.cgi run under Linux
  • Generate links to local caching proxy in HTML output
  • Avoid using buggy showrev on Solaris 10 x86
  • Adapt time of day in check for new patchdiag.xref
  • Fix handling of empty lines in patch list files
  • Update whitelist for safe patch install mode
  • Update workaround for patches missing in patchdiag.xref

On some systems running the most recent update release of Solaris 10 (11/06) the showrev -p command produces a segmentation fault. As this command is used by pca to get the list of installed patches, pca's output is incorrect, too. The reason for the showrev crash seems to be a very long line in the /var/sadm/pkg/SUNWcsr/pkginfo file. The problem has only been seen on x86 systems which were upgraded to 11/06 - fresh installs seem to be fine.

I have implemented a workaround to avoid the showrev command on Solaris 10 x86 and to use patchadd -p instead. You can get the fix by downloading the current development version of pca. A new official release of pca will follow in the next days.


In this blog entry from Jonathan Schwartz I saw PCA mentioned in one of the comments. Unfortunately, no new comments can be posted anymore, but here's what I would have liked to post:

You correctly noticed that "most administrators still choose to manage their updates through legacy, non-connected tools". In fact it's more like that administrators again use other tools, after getting upset with Sun Update Connection, especially its bugs, slowness, incorrectness and inability to run on older Sun gear and stripped-down machines.

I'm the author of PCA, an alternative and free tool for patch management. A huge number of Solaris administrators have switched from SUC to PCA, and this includes especially experienced staff managing large networks of Sun hardware. I received a lot of feedback, much of it concluding in "This is the tool that Sun should include for patch management". Feel free to take a look at it, and maybe experience the same.

I'm a long-time fan of Sun and Solaris and have read and heard a lot about administrators' experiences with patch management. Sun should be aware that this is one huge topic driving people away from Solaris, and not attracting them.

P.S.: As for Santa handling all his patch management via your update center, I have here this e-mail from a guy called Rudolph Reindeer, who says he's working as the administrator for Santa. While he tells his boss that the SUC is used for patch management to not get him upset, he in fact switched to PCA a year ago, and is now happy again .. :)


I will be on vacation from Dec 2nd to Dec 10th, hoping that Sun won't break anything during that time. Messages will be answered when I'm back.


New release - PCA 5.2:

  • Replace /pattern/ operand with a new, more flexible option (--pattern)
  • Add new patch group (total) to show all patches listed in xref file
  • Use a single pager process for multiple READMEs and be more verbose
  • Remove patches which were downloaded for installation only
  • Enhance recognition of patches which require a reboot
  • Use more portable code to find perl
  • Update whitelist for safe patch install mode
The /pattern/ operand was only useful for a limited set of tasks, like listing all patches whose synopsis matches the search pattern, no matter whether those patches actually apply to the system or not. It has been replaced now with the new option -p/--pattern=REGEX, to be used in combination with any valid patch group (like missing, all, etc.) and to restrict the patches to be listed, downloaded or installed to those whose synopsis matches the search pattern REGEX. Also, there is a new patch group total, which will list all patches from the xref file, no matter whether they apply to the current system or not.

This makes pca much more flexible. Examples: To list all Sun Studio patches which are missing on a system, use pca -p Studio. To list all CDE patches installed on the current system, use pca -p CDE -l installed. To install the current sendmail patch, use pca -p sendmail -i. To see all sendmail patches for all Solaris releases and architectures, use pca -p sendmail -l total.

Other new features requested by pca users are that a single pager process is called for multiple READMEs (allowing to switch back and forth between files), and that downloaded patches will be removed after installation to save space; if you want to keep the downloaded patches, use pca --download --install instead of pca --install.


After reading this blog entry from Chris Quenelle, it occurred to me that the current implementation of search patterns in pca is suboptimal. When running pca -l '/Studio 11/', all patches which have Studio 11 in their synopsis will be listed, no matter whether those patches apply to the system or not. As it is now, the search pattern is only useful when trying to find certain patches for all Solaris versions and architectures.

I have already implemented a much more flexible solution for search patterns, available in pca 5.2.


There are currently 4 different problems with patches on SunSolve:

#1: For the last 2 or 3 weeks, no new patches showed up in patchdiag.xref. This seems to have been fixed, as the last three releases of the xref file again had a whole lot of new patches. See this blog entry for more detail.

#2: There are patches like 120845-03, 120200-07 and 124326-01 which are listed in the xref file and on Patchfinder, but they are shown as size 0 on Patchfinder, and the download links indeed return a size 0 file. We discussed this in a thread on the Solaris x86 mailing list. Bruce Riddle has been trying to get this fixed via Sun Support, but to no avail.

#3: Since a few weeks, new patches (or new revisions of existing patches) listed in patchdiag.xref are not available for download immediately after they show up in the xref file. It takes another day until they actually make it onto Sun's patch server. As an example, today's xref file shows 119685-09, 119686-09, 120460-10 and 120461-10 which can't be downloaded. For pca users this means that these patches will fail to download today, but most probably they will download fine tomorrow. My recurring proposal to SunSolve support staff to make sure that patches are available for download before they are published in patchdiag.xref, has been acknowledged, but not implemented.

#4: HTTP access to sunsolve.sun.com and the Patchfinder is so slow that it's practically unusable at times.


A whole lot of patches has appeared today. Unfortunately the old problem I've mentioned multiple times before is showing up again, too: Many of the new patches for Solaris 10 are unavailable on Sun's patch server, so pca will fail to download them. Once again, I immediately reported this to Sun's patch team.


Good news. There are about 40 new patches in the most recent patch cross reference file, and all of them downloaded and installed successfully. This gives hope that both the problem with no new patches appearing in the last 2 or 3 weeks and the problem with failing patch downloads have been fixed.


I've been told that Sun has a problem with the new patch release mechanism, and that they are working on fixing it. This probably explains why there have been no new patches for the last 10 days.


New release - PCA 5.1:

  • Allow xref file to be downloaded from local patch server
  • Add support for HTTPS with local patch server
  • Better guesstimate when a new xref file is available
  • Fix asking for Sun Online Account data with --install
  • Fix reading configuration files when HOME is not set
  • Show Reboot/Reconfigure message only when really necessary
  • Fix race conditions with concurrent downloads of patches and xref file
  • Fix failing installations of patches in tar format
  • Make file recognition for zip/tar/tar.Z patches more robust
  • Fix signal handler and cleanup on exit
  • Fix bugs where a zero size patch file was created
  • Fix error output in local caching proxy mode
  • Set umask for extracted patches to make sure patchadd won't fail
  • Fix bugs in lockfile handling
  • Use HTTP redirection with Location header in local caching proxy mode
  • Update whitelist for safe patch install mode
  • Update patch-specific function to avoid showing uninstallable patches
If the localurl option is set, pca will now look for the patchdiag.xref file on the local patch server, too. The HTTPS protocol can now be used with the local patch server; if you use it, make sure that your wget binary supports HTTPS.

This version of pca contains a lot of fixes for small bugs, mostly for patch installation and the local caching proxy mode of pca.


The problem with failed downloads of the most recent patches for Solaris 10 still exists. I'm in contact with Sun's Patch Team, who have acknowledged this as a timing issue. They confirmed that they are working on a fix.


An old and well-known problem is showing up again on Sun's patch server. Many of the patches which are listed as new or updated in today's patchdiag.xref are unavailable on Sun's patch download server. For Solaris 10, I get failed downloads for 119252-13, 119253-14, 119280-07, 119281-07, 122761-01, 122762-01, 123003-02, 123004-02. Most probably the patches will be available tomorrow, but it's a real nuisance that Sun can't coordinate patchdiag.xref with the availability of patches.


Laurent Blume has updated his presentation about pca. It's now available via the Contrib page both in English and en franšais. Thanks!


New release - PCA 5.0:

  • Long command line options to enhance memorability
  • Read configuration files (optional)
  • All options via config files, environment variables or command line
  • Caching proxy mode for local patch server
  • Show patch information during download/install
  • Install every patch right after download
  • Retry failed patch and README downloads from sunsolve
  • Allow patches to be marked as Recommended/Security
  • Support for file:/ URLs for local patch server
  • Add option to tell proxy not to cache xref file (--nocache)
  • Switch back to trying download from public patch server first
  • Adapt to Sun's new interface to access restricted patch READMEs
  • Cleanup temporary files on fatal errors
  • Ask for Sun Online Account data only when necessary
  • Enhance handling of installed patches with unknown patch ID formats
  • Moved pca.ignore functionality into configuration file
  • Modified workaround for patches missing in patchdiag.xref (115168-13)
  • Code cleanup and performance enhancements
While there are long command line options now, the short names can still be used and are the same as in previous versions. The new configuration files are completely optional, too. To keep things simple, every option can now be either set in a configuration file (user=USER), as an environment variable with a PCA_ prefix (PCA_USER=USER) or on the command line (--user=USER). The functionality of the pca.ignore file has been moved into the new configuration files, too. See CONFIGURATION in the pca documention for details.

The new caching proxy mode of pca replaces the pca-proxy script I had offered on the Contrib page before. Read about LOCAL PATCH SERVER in the pca documentation for details.

The readme option (-r, --readme) now accepts any operand, just like the list, download and install options. Use "pca -r 123456-78" to read single patch README, or "pca -r missingrs" to read the READMEs of all missing R/S patches at once.


Sun has broken the method to access READMEs for restricted patches with wget. This affects pca's -r option, too. Through some experiments, I found a new method, but this doesn't work for all patch READMEs either. I will try to fix it in the next release of pca, but as long as Sun breaks existing interfaces and won't replace it with stable procedures, it's impossible to promise anything.


Sun's patch server is a little flaky recently. Patch downloads fail intermittently, causing failed patch downloads with pca. Therefore, I modified pca to re-try failed patch downloads. The fix will be in the next official version of pca. If you need it immediately, grab the development version of pca which already includes the fix.


New release - PCA 4.2:

  • Add option for safe patch installation (-s)
  • Add support for a local server for patches and READMEs
  • Allow multiple patch IDs with -r option
  • Fix handling of whitespace in search patterns
  • Recursive analysis of patch obsoletions when listing bad patches
  • Add message for -G allowed with Solaris 10 or newer only
  • Use logger command instead of perl syslog module
  • Fix bug that rendered terminal unusable after Ctrl-C at password prompt
  • Modified workaround for patches missing in patchdiag.xref (112908-27)
Sun's patch procedure has a big problem. Sometimes a patch re-delivers and silently overwrites files which have been modified locally. pca tries to overcome this issue with its new safe patch installation mode. Before installing a patch, pca checks all files listed in the patch README for local modifications using pkgchk. If any file is in danger of being overwritten, pca issues a warning and does not install the affected patch.

Safe mode is off by default, and can be turned on by using -s in combination with -i (install patches) or -I (pretend to install patches). You must be root to use -s, as root permissions are required for pkgchk with certain files.

Sometimes the file checksums used by pkgchk are wrong, because patches modify files without updating the checksum. Only Sun can fix this. For now, pca uses a whitelist which I built during testing the new feature with a huge set of patches. I'm very interested in real-world experience with the new feature. Running pca -s -I is a safe way of identifying problematic patches without actually installing them.

Another important new feature is support for a local server for patches and READMEs. Enable it by setting the environment variable PCA_LOCALURL to the URL (e.g. http://www.my.org/patches/) of a directory that contains local copies of patch files (e.g. 123456-78.zip) and patch READMEs (e.g. README.123456-78). The local URL will be checked before Sun's patch server, so you can easily build a local cache by copying patches and READMEs to a directory on your local web server. It will speed things up dramatically and ease bandwidth usage on your connection to Sun's patch server.

This new feature can be taken a step further by pointing PCA_LOCALURL at a simple CGI script, which works as a local caching proxy. If a patch or README exists in the local cache directory, it will be delivered immediately. If it doesn't, it uses pca to download the file from Sun's patch server, puts it into the cache and delivers it. The best thing is that I provide a sample implementation for such a pca proxy CGI script on the Contrib page.


I have received a report that pca 4.1 does not run with the default version of perl in Solaris 8, caused by a fault in the Sys::Syslog module. If you get a message about syslog.ph missing when running pca, get and run the development version of pca, which has a preliminary fix.


New release - PCA 4.1:

  • Prevent two instances of pca to install patches at the same time
  • New environment variable PCA_SYSLOG to log patch installations
  • Fix handling of Citrix patches
  • Show current kernel patch level in header
  • Fix two bugs which caused pca to leave stale files on failed patch install
  • Fix syntax of function definitions and calls
  • Update patch-specific function to avoid showing uninstallable patches
Up to Solaris 9 it's not safe to run two instances of patchadd at the same time. pca now uses a lock file to work around this issue.

If the new environment variable PCA_SYSLOG is set to a syslog facility (e.g. user or local0), pca will log the patch id and synopsis of all successfully installed patches for future reference.


The changes in Sun's patch access policy as documented in InfoDoc #83061 have now been established. Here's a short summary as far as patch downloads with pca are concerned:

  • Patches for all Solaris versions up to Solaris 9 can be downloaded without any Sun Online Account or Sun Service Plan.
  • All patches for Solaris 10 can be downloaded with a Sun Online Account which is free. Unlike documented in the above mentioned InfoDoc, a limited subset of Solaris 10 patches can still be downloaded without a Sun Online Account. The InfoDoc states that some patches might be restricted to users who purchase a Sun Service Plan, but I have not yet hit one of those during testing.

I recommend to create a Sun Online Account, if you don't have one yet, and to feed the Sun Online Account data to pca either via the PCA_USER and PCA_PASSWD environment variables, or by using the -a option to pca.


The complete developer and support team of pca (me :) will be gone on vacation from July 15th to July 30th. Messages arriving during that time will be answered when I'm back.


New release - PCA 4.0:

  • Change default to show all missing patches
  • Use a single patchdiag.xref for all users again by default
  • New environment variable PCA_XREFOWN for user-specific xref file
  • New environment variable PCA_OPTIONS to set default options
  • Add option to ask for SunSolve authentication interactively (-a)
  • Show patch count when downloading and installing patches
  • Show summary of successful/failed patch downloads and installs
  • Do not try to install patches which failed to download
  • Use patch obsoletion information from showrev to enhance analysis
  • Try download from restricted patch server first if authentication is set
  • Correctly identify tar/tar.Z/zip downloads from restricted patch server
  • Make pca use patchadd if showrev is not available
  • Update patch-specific function to avoid showing uninstallable patches
Like Sun's own patch tools, pca will now show all missing patches by default, and not just those that are marked Recommended/Security. To get the old behaviour, run pca -l missingrs.

The default handling of patchdiag.xref has been changed back to like it was before version 3.7. The file is called /var/tmp/patchdiag.xref and writable by all users. If you want a patchdiag.xref which is writable by the current user only, set the PCA_XREFOWN environment variable, or set PCA_XREFDIR to a directory containing /home/. A lot of users didn't like the change, and it broke the timestamping feature of wget, resulting in superfluous downloads of the cross reference file.

Instead of setting PCA_USER and PCA_PASSWD, you can now use the -a option to pca. It will make pca ask for SunSolve authentication data interactively.


New release - PCA 3.7:

  • Ignore bad patches obsoleted by installed patches
  • Keep one patchdiag.xref for each user, writable by that user only
  • Read uname/showrev/pkginfo information from Sun Explorer output
  • Fix handling of DCE and HP Data Protector patches
  • Update patch-specific function to avoid showing uninstallable patches
The default file name for patchdiag.xref is now patchdiag.xref.UID, with UID being the UserID of the user running pca. Like this, the cross reference file does not have to be world-writable anymore.


Sun has announced further changes to patch access. In late August 2006 access to patches via anonymous ftp will cease (InfoDoc #82023). Additionally, any access to patches will require a Sun Online Account and the acceptance of the Software License Agreement from mid July 2006 (InfoDoc #83061).


New release - PCA 3.6:

  • Add new patch group (bad) to show installed patches marked as bad
  • Show BAD flag in patch list
  • Make pca honor TMPDIR environment variable for patch extraction
  • Show patchadd output for failed patches instead of verbose error messages
  • Deal with empty input files
  • Modify pca output to ease post-processing
To help in dealing with patches marked as Bad, pca now shows the Bad flag in a column besides the Recommended/Security state. Additionally, 'pca -l bad' can be used to show a list of all installed patches that are marked Bad. It's up to the administrator to decide on how to handle bad patches - check the patch README, and patchrm if needed.

The output of pca has slightly changed. A '-' character is shown in the RSB column if the according flag is unset. This eases post-processing pca output. Example: 'pca -H | sort +5' will sort the patch list by age of the patch.


Sean Berry is managing various Fujitsu Solaris servers. Fujitsu provides its own version of the patch cross reference file, using an extended format compared to Sun's patchdiag.xref. He asked me whether any user of pca has already implemented modifications to make pca work with Fujitsu's xref file yet. As I don't know of anybody who's done that, I'm forwarding this query here.


New release - PCA 3.5:

  • Add option to not check for updated patch cross-reference file (-y)
  • Enhance handling of failed patch downloads
  • Show output of wget when running in debug mode
  • Fix handling of KDE patches
  • Make pca accept output of pca -H as input
  • Fix verbose error messages for patchadd in Solaris 10 with -G
  • Update patch-specific function to avoid showing uninstallable patches

Attention: It's currently impossible to access any patch or patchdiag.xref via SunSolve. The patchfinder returns "Sorry, the patch you requested could not be found." and http://patches.sun.com/ shows an empty directory.

Therefore, pca will fail when trying to download the current patchdiag.xref or any patch.

Update: The problem has been fixed at about midnight MET. It had been caused by a filesystem corruption on the patch download server.


New release - PCA 3.4:

  • Add verbose error messages instead of exit codes for patchadd failures
  • Allow setting of patchadd command (new environment variable PCA_PATCHADD)
  • Change all environment variables to contain a PCA_ prefix
  • Use perl functions for file and directory removal
  • Updated patch-specific function to avoid showing uninstallable patches
The environment variables XREF, SUNSOLVE_USER and SUNSOLVE_PASSWD have been renamed to PCA_XREFDIR, PCA_USER and PCA_PASSWD for consistency. The old variables still work, so there is no need for immediate changes. A new section documenting all environment variables used by pca has been added to the Usage notes and the man page.


New release - PCA 3.3:

  • Allow setting of path to wget (new environment variable PCA_WGET)
  • Allow setting of download directory (new option -P and PCA_PATCHDIR variable)
  • Add more flexible handling of operands combined with r, s and rs
  • Add workaround for patches missing in patchdiag.xref (112908-24 and 115168-10)
  • Show output of patchadd when running in debug mode
  • Use module Cwd instead of pwd command to make pca run on Windows
  • Bug fix in handling /pattern/ operand
  • Minor internal code re-organization
By adding r, s or rs to any operand (missing, installed, all, unbundled) it's now possible to e.g. list all missing patches marked Security (missings).


New release - PCA 3.2:

  • Fix handling of patches which require itself
An inconsistency in today's patchdiag.xref lead to a Solaris 9/SPARC patch requiring itself, which made pca crash. The fix for this bug is the only change in this release.


New release - PCA 3.1:

  • Fix handling of -R option to make pca work on older Solaris releases again
Due to a bug introduced in PCA 3.0 it didn't run on Solaris 8 or older anymore. The fix for this bug is the only change in this release.


New release - PCA 3.0:

  • Rename many command line options for usability and consistency
  • Massive code cleanup
  • Download patchdiag.xref and keep it up-to-date automatically
  • Allow searching complete list of patches with search pattern
  • Add option to modify packages in the current zone only (-G)
  • Updated Usage notes and added an Examples section
Be sure to check out the Usage notes. pca now has three main options (-l for listing, -d for downloading, -i for installing patches), and supports a list of operands to specify affected patches. Other options have been renamed for consistency reasons.

It is not necessary to specify -x to download patchdiag.xref anymore. pca will download the file automatically to /var/tmp if it doesn't exist, or if it's older than 24 hours. The -x option still exists; it will download patchdiag.xref and quit.


New release - PCA 2.5:

  • Add path/prefix argument for option -F (read showrev etc. from files)
  • Modify download option (-D) to enhance downloading of multiple patches
  • Allow automatic patch installation (-p) after patch download (-D)
  • Updated patch-specific function to avoid showing uninstallable patches
The download option (-D) now supports downloading of multiple patches at once. The argument can be a list like "123456;234567-89". Combining -D with -p allows to install multiple selected patches.

The -F option, which makes pca read its input from files (showrev.out etc.), requires a directory/prefix argument now. This can be ., /path/, or a prefix like hostname_.


New release - PCA 2.4:

  • Enhance debug output
  • Fix handling of Checkpoint patches
  • Add option to set alternative root directory (-A)
  • Fix quoting of sunsolve password string
  • Fix handling of failed patch download (remove possible size 0 files)
  • Allow setting of SunSolve login data via environment variables
  • Modify download option (-D) to allow downloading of multiple patches
Attention: The method to provide pca with the SunSolve login data has changed. You do not need to edit pca itself anymore. Instead, set the two environment variables SUNSOLVE_USER and SUNSOLVE_PASSWD to contain the SunSolve user name and password.

The download option (-D) now accepts either a patch id or a file name as its argument. If a file name is given, all patches listed in this file (one patch id per line) will be downloaded.

There is a new option (-A dir) to set an alternative root directory. This has not been tested intensively.

See Usage for more detail.


New release - PCA 2.3:

  • Add alternative method to access patch READMEs, using SunSolve login data
  • Add support for patch downloads using SunSolve login data in HTML output
  • Fix handling of EMC patches
  • Enhance debug output
  • Show location and date of patchdiag.xref
  • Do not show message about retrieving patchdiag.xref when -H is used
  • Fix typo in message text
  • Updated patch-specific function to avoid showing uninstallable patches
As announced previously by Sun in InfoDoc 83061, non-security patches for Solaris 10 are not available for download without a Sun Service Plan anymore as of today. Access to patches for older Solaris releases is unchanged.

If you do have a Sun Service Plan, you can tell pca about it by editing the script and putting your SunSolve login data into the two variables called sunsolve_user and sunsolve_passwd. Even without a Sun Service Plan you can continue to use pca. The only thing that won't work is the download of non-security Solaris 10 patches and their READMEs.


New release - PCA 2.2:

  • Handle possible empty fields in patchdiag.xref
  • Show exit code of patchadd if it fails
  • Remove unnecessary sort for showrev output
  • Add option to show debug output (-V)
  • Updated patch-specific function to avoid showing uninstallable patches

If a patch fails to install when running pca, it will now show patchadd's exit code. This code can be looked up in /usr/sbin/patchadd, which might help in analyzing problems.


There was an error in the patchdiag.xref from 2005/10/10. One of the patches for Solaris 10/x86 had an empty release date field. pca couldn't handle this correctly, and threw some "uninitialized value" errors. The problem has been fixed by Sun in patchdiag.xref on 2005/10/11.

I've built a fix into pca, too, so it copes better with such inconsistencies. It will be in the next version of pca to be released.


If you want to be notified of new pca releases by e-mail, send a short message to martin@par.univie.ac.at. I will add your e-mail address to my pca announcements mailing list. Volume will be low. Of course e-mail addresses will be kept strictly private - I hate spam as much as you do. All messages will be tagged with [pca-news] in the Subject: header field.


New release - PCA 2.1:

  • Add option to pretend patch installation (-P)
  • Look at machine class to avoid showing uninstallable patches
  • New patch-specific function to avoid showing uninstallable patches
  • Show OS version and architecture information in report header

There is a handful of patches which don't have their prerequisites defined properly in patchdiag.xref, either because Sun made errors, or they can not be expressed in patchdiag.xref's limited options. This results in pca showing a patch as required and uninstalled, but the patch will fail to install later. Often these extra prerequisites are defined in the prepatch script of a patch. Until now I had listed such patches on the Notes page. I decided that I could just as well add a check for those patches to pca itself, wherever this is possible. The result is that this most recent version of pca should show less uninstallable patches.

Attention: When creating patch reports for remote machines, the commands to be used to generate the input files have changed with this version ("uname -a" has to be used). See Usage information.

I have added a list of people who contributed to pca with patches, debug information or other feedback to the Usage information and the man page. If you are missing your name on the list, please don't hesitate to tell me.


New release - PCA 2.0:

  • Add handling of required patches which are obsoleted by other patches
  • Extract and display README from patch zip file if available (with -R <id>)
  • Pipe README (with -R <id>) into more or $PAGER
  • Add a signal handler to remove stale files after interrupted downloads
  • Extract patches into /tmp/pca.time() by default
  • Remove extracted files after patch installation
  • Fix small bug with flushing output to stdout for older perl versions
  • Set default patch download dir to absolute path instead of "."

This version of pca has undergone a massive testing cycle. I have installed Solaris 2.5.1, 2.6, 7, 8, 9, and 10 (SPARC, unpatched FCS) on two machines and ran pca -xup on all of them. This analyzes, downloads and installs all available patches. Altogether, 1953 patches were installed successfully. All problematic patches have been added to the Notes section. The patch dependency analysis (the heart of pca) is now as good as it can get.

Starting with this version, patches are now extracted into a temporary location under /tmp, which is removed after installation. As /tmp is a RAM based filesystem, this speeds up patch installation a lot. The danger of filling a file system is reduced, too. pca now also deals better with interruptions while it's running (like pressing Ctrl-C).


New release - PCA 1.5.1:

  • Display age of patch in a new column
  • Fix small bug in handling showrev -p output

The age of a patch (in days) is now displayed in all lists generated by pca. This can be helpful to quickly determine whether a patch has been released or updated recently.


New release - PCA 1.5.0:

  • Add experimental support for downloading contract-only patches
  • Fix handling of IDR patches
  • Add support for installpatch (Solaris <= 2.5.1)

To use the experimental support for patch downloads from an alternate URL in Sunsolve's restricted area, you must edit pca and enter your Sunsolve login data. Search for $sunsolve_user and $sunsolve_passwd. Be aware that the login data will appear in ps output while pca is running and downloading patches.


Sun is currently modifying the patch infrastructure, resulting in some patches not being downloadable. This causes failed patch downloads when running pca. Hopefully they will fix this soon. The restructuring seems to be connected to the previous announcement of restricting access to all non-security Solaris 10 patches to owners of a Sun Service Plan.


New release - PCA 1.4.7:

  • Fix error handling
  • Fix handling of required patches

Up to now, all patches for all Solaris versions are still available without a support contract. According to this announcement access to Solaris 10 non-security patches will be restricted to owners of a Sun Service Plan in Mid-Summer 2005.


New release - PCA 1.4.6:

  • Add option to specify directory location of patchdiag.xref (-X)
  • Add host name to header
  • Fix HTML code generation
  • Add option to run patchadd without backing up files (-k)
  • Fix usage information

Most of the new features were contributed by Stephen P. Potter (Thanks, again!).

Attention: When creating patch reports for remote machines, the commands to be used to generate the input files have changed with this version. See Usage information.


New release - PCA 1.4.5:

  • Fix handling of tar patches
  • Add missing options to usage information
  • Add option to show pca version information (-v)

The Usage information is now available in man page format. Download pca.8 and put it into any directory in your man path (e.g. /usr/local/man/man8).


Sun has announced Changes to SunSolve for Solaris 10 starting on April 5th, 2005. Only security patches will be available for download for free, all other patches will require a Sun Service Plan or Contract. A bad move, in my opinion.

I will see how this affects pca. Most probably it has to be modified to continue to support all patch downloads for users who pay for a Service Plan or Contract. All other users will be restricted to security patches - pca will still show other missing patches, but won't be able to download or install them.


As Solaris 10 is now generally available, and the first patches for it are showing up, I have tested pca with the new release and it works fine.

From now on my testing platforms will be Solaris 9 9/04 (SPARC) and Solaris 10 (SPARC).


New release - PCA 1.4.4:

  • Fix handling of multiple installations of the same package

New release - PCA 1.4.3:

  • Fix bug in patchdiag.xref reading code to handle inconsistencies
  • Fix bug which made pca ignore some unbundled patches

New release - PCA 1.4.2:

  • Add option to only apply patches which do not require a reboot (-n)

New release - PCA 1.4.1:

  • Add option to read uname/showrev/pkginfo from files (-F)

A user has reported success when using perlcc to compile pca into an executable, to be used on stripped-down machines which don't have perl installed. This might be an option for other potential users of PCA, too.


New release - PCA 1.4:

  • Add experimental HTML output option (-b)
  • Add -R <id> option to show the README of a patch
  • Add -D <id> option to download one patch
  • Command line option to not show headers is now called -H
  • New command line option -h to print usage information
  • Internal code redesign

The documentation on the Usage page has been updated with the new command line options.


New release - PCA 1.3.1:

  • Switch from FTP downloads to HTTP downloads for patchdiag.xref/patches
  • Internal code redesign, now runs with "perl -w" and "use strict"

New release - PCA 1.3:

  • Added experimental function to show unbundled patches
  • Ignore comments at the end of lines in pca.ignore
  • Check for circular patch dependencies
  • Fix small bug in handling showrev -p output
  • Internal redesign of command line option handling

The documentation on the Usage page has been extended and clarified.


A bug in PCA will make it stop with an error message when run on a machine which has no patches installed at all. This will be fixed in the next release of PCA. A workaround is to install any random patch. The bug was reported by a PCA user (Thanks, Steve!).


Solaris 9 9/04 is available for download. It has nearly all patches available to date pre-installed. Checked Notes section, there are no new issues with Solaris 9 9/04 compared to 4/04.


Complete re-design of PCA's homepage. Changing the official location of PCA to http://www.par.univie.ac.at/solaris/pca/.


Updated information in the Notes section, now contains all our non-applicable patches for Solaris 9 4/04.


New release - PCA 1.2:

  • Check prerequisites of patches and list them, too (in the correct order)
  • Speedup of factor 2.5 in comparison to PCA 1.1
  • Allow specification of multiple paths to wget
  • Fix small bug in patchdiag.xref download code
  • Fix small bug in handling of tar/tar.Z patches

New release - PCA 1.1:

  • Added pca.ignore file to ignore patches (contributed by Damian Hole)
  • Added patchdiag.xref download function
  • Added patch download function (contributed by Damian Hole)
  • Added patch install function (contributed by Damian Hole)

Updated information in the Notes section, added comment about 115924-08.


Updated information in the Notes section, removed (obsolete) comment about 113574 and 114375.


Updated information in the Notes section, removed (obsolete) comment about 112233-12.


Updated information in the Notes section about Solaris 9 4/04.


Updated information in the Notes section.


Updated information in the Notes section.


Added information about patch 113040. See Notes.


First version. Introducing PCA 1.0.