News
2022/09/02
A new stable release of PCA has been published: 20220902-01.
See list of changes.
2022/01/11
A new stable release of PCA has been published: 20220111-01.
See list of changes.
2019/07/15
A new stable release of PCA has been published: 20190715-02.
See list of changes.
2018/05/18
Solaris 10 has gone into extended support on February 1st 2018. Unless
you transition to Oracle Solaris 10 Extended Support, you will not be
able to download patches and patch revisions which are released after
this date.
Find more detail in this
blog post.
2015/03/27
A new stable release of PCA has been published: 20150327-01.
See list of changes.
2015/03/17
Once again Oracle has changed its patch download infrastructure causing
PCA to fail when trying to download patches. If you see download errors
please try to use PCA with --wgetopt="--no-check-certificate".
Unfortunately I can not take a closer look at that right now for personal
reasons, so do not expect an updated version of PCA in the next days.
2014/11/03
Solaris 9 is exiting Extended Support and entering Sustaining Support,
as reported in
this blog post by Gerry Haskins.
According to this source, all patches created for Solaris 9 while it
was in Extended Support will now be available with a regular MOS account.
2014/01/15
A new stable release of PCA has been published: 20140115-01.
See list of changes.
2013/09/09
PCA is 10!
Scrolling down on the PCA-News web page, at the very bottom, one finds
this message: "2003/09/09: First version. Introducing PCA 1.0". So it's
really 10 years now since I decided to make this script public, after
I've been using it for some time internally. It had 208 lines at that
time.
Only one day later I received the first e-mail with the subject "pca"
from Andrew Brooks, which was a lot like the many messages I received
in the next ten years:
First, he thanked for the useful script. Such
comments from PCA users turned out to be my main motivation to maintain
and refine PCA in the following years. So thanks to all of you who ever
sent positive comments!
Second, he provided an idea (and included code) for some new function
(a new option -H to output HTML) which I immediately decided *not* to
include in the official version of PCA :-) In my answer I stated that
I wanted to keep PCA as simple as possible, not depending on some URLs
staying consistent on Sun's web page. I always liked Unix for its tradition
of simple commands which can be used in pipes to achieve great things.
Soon other PCA users provided more and more input and I started to add
new functions and options over the time, always weighing simplicity
against usefulness. The option to download patches from Sun directly
was probably one of the most useful, and the one which caused me most
work in the last years. Sun (and later Oracle) turned the simple process
of downloading a patch file via FTP into a complicated procedure with
authentication, server redirects, dependencies on certain HTTP features
etc. which I always had to follow closely to keep the download functions
in PCA working. There were moments when I seriously thought about giving
up on it.
While I knew that Sun engineers were using PCA themselves, and Sun never
succeeded in providing a own, working patch administration tool (I would
have been the first to switch, believe me!) they never officially
acknowledged PCA, although it was recommended on some Sun websites and
PDFs.
As I got a lot of e-mails in the meantime from admins asking about the
usage of PCA and me answering the same questions over and over again,
I created the PCA mailing lists (for those interested in numbers, I have
4827 messages in my folder with private PCA communication, and 3139 messages
on the PCA mailing list - I definitely wrote more text than code). This
helped a lot, as power users now answered the queries from beginners.
I also had a lot more contact to the
users of PCA and was fascinated in how many different ways and procedures
it was being used. I also got in contact with Gerry Haskins and Don
O'Malley from Sun, which made it a lot easier to sort out problems and
to get information about the internals of Sun's patch creation and
publication. Thanks to both of them for their help and patience!
With the appearance of Solaris 11 and its IPS system, traffic on the mailing
list was reduced a lot. As PCA is not needed anymore on Solaris 11, it is
now being used mostly by experienced admins running Solaris 10 who already
know what they do. Personally,
I also think that PCA is feature complete for quite some time now, and as
(now) Oracle doesn't change their patch infrastructure anymore, new versions
of PCA have been reduced to a minimum.
As far as I'm concerned, that's very welcome. While I still work with some
Solaris systems, we're moving away from Solaris here slowly, due to the
high prices of Oracle hardware and support. Of course I'll keep PCA working
as long as somebody is still using it.
Finally, let me state that I'm pretty proud of what PCA turned out over
the years - it has saved numerous sysadmins around the world uncountable
hours of work and frustration. This compensates for all the time I invested,
even if it was frustrating now and then when performing complicated tests
to ensure PCA's analysis being correct or
hunting for obscure bugs. Would I publish PCA 1.0 once again if I could
go back to 2003? I think so :-) If only for the amount of positive feedback
I got over all the years.
Let me end with a quotation which is the basis of my work on PCA (and also
in general):
"Perfection is achieved, not when there is nothing more to add,
but when there is nothing left to take away." (Antoine de Saint-Exupery)
2013/05/02
A new stable release of PCA has been published: 20130502-01.
See list of changes.
2012/08/29
A new stable release of PCA has been published: 20120829-01.
See list of changes.
2012/03/26
A new stable release of PCA has been published: 20120326-01.
See list of changes.
2012/01/19
A new stable release of PCA has been published: 20120119-01.
See list of changes.
2011/10/18
A new stable release of PCA has been published: 20111018-01.
See list of changes.
2011/08/12
A new stable release of PCA has been published: 20110812-01.
See list of changes.
2011/08/11
Due to some recent backend changes in the Oracle patch download service
there might be issues with failing patch downloads with PCA in certain
situations:
If you are using a firewall which restricts outgoing access, it might
be necessary to add a few extra rules for the new additional content
distribution networks used by Oracle. Look at the bottom of
PCA Installation for a list.
If you must use a local web proxy to access outside systems and use
PCA's wgetproxy option to set that, it might be possible that
PCA does not set the correct options for wget and patch downloads
fail. Please use the current development version
of PCA, which contains a fix. A new stable version including the fix
will appear soon.
2011/08/05
A new stable release of PCA has been published: 20110805-02.
See list of changes.
2011/03/29
A new stable release of PCA has been published: 20110329-01.
See list of changes.
2010/12/21
A new stable release of PCA has been published: 20101221-01.
See list of changes.
2010/12/13
A new stable release of PCA has been published: 20101213-01.
See list of changes.
2010/11/24
On Dec 10th SunSolve will be shut down and its services will be
provided by My Oracle Support (MOS) instead. A new version of PCA
will be published at the same time which uses MOS instead of SunSolve.
To use MOS, it's required to register for an account there, which
will then be used instead of the old Sun Online Account (SOA) with
PCA. Don O'Malley from Oracle describes the procedure and shows
some examples on how to access the new service which is already
available in a restricted testing version in this posting:
http://www.mail-archive.com/pca@lists.univie.ac.at/msg02124.html
There is also a development release of PCA available which can be used
to test the new service, described in this posting:
http://www.mail-archive.com/pca@lists.univie.ac.at/msg02138.html
With this version of PCA and your new MOS account, you should be able
to access these test files from MOS:
./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --getxref
./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --readme 119318-01
./pca --sshost=getupdates.oracle.com --user="MOSuser" --passwd="MOSpasswd" --download 119318-01
If you try the test downloads and something doesn't work, please let me
know (or even better, subscribe to the PCA mailing list and post it there).
2010/10/14
Oracle announced the retirement of SunSolve and its transition into
My Oracle Support later this year. The patchdiag.xref file and the
automatic download of patches, which are required by PCA, will continue
to be supported. There will be changes regarding URLs and the
authentication scheme, though, which will make modifications to PCA necessary.
Watch this space for updates.
2010/09/10
A new stable release of pca has been published: 20100910-01.
See list of changes.
2010/07/27
A new stable release of pca has been published: 20100727-01.
See list of changes.
2010/06/07
A new stable release of pca has been published: 20100607-01.
See list of changes.
2010/05/14
A new stable release of pca has been published: 20100514-01.
See list of changes.
2010/03/09
A new stable release of pca has been published: 20100309-02.
See list of changes.
2010/02/24
Attention: The patch policy has silently been changed by
Oracle quite severely. The new strategy, which is also documented in
Software Update Entitlement Policy for Solaris, enforces the
requirement of a support contract to download any patch.
Unlike before, even security patches are not available for free anymore.
2010/01/29
Attention: Due to Oracle taking over Sun it is necessary
that you log into SunSolve and accept the new Software License
Agreement (Step 5 on the Update Account page).
Otherwise, patch downloads with pca will not work anymore!
2009/12/16
A new stable release of pca has been published: 20091216-02.
See list of changes.
2009/12/10
A new stable release of pca has been published: 20091210-01.
See list of changes.
2009/10/30
A new stable release of pca has been published: 20091030-01.
See list of changes.
2009/10/23
There are ongoing problems with SunSolve, which cause failing patch
downloads. Sun is working on it.
2009/08/27
A new stable release of pca has been published: 20090827-01.
See list of changes.
2009/08/18
Recent changes to the SunSolve server infrastructure caused two
problems with pca:
Patch downloads via HTTP are not possible anymore, HTTPS is required.
You need a version of wget which has been compiled with SSL support.
A simple check is to run ldd /path/to/wget | grep ssl to see whether
it's linked against OpenSSL. I will modify pca to do the check and
show an appropriate message in the future.
The --readme option can not be used to download patch README from
SunSolve right now. The URLs used by pca are not working anymore,
and there is no known replacement. Hopefully this will change soon.
If you have questions, feel free to join the discussion on the
pca mailing list.
2009/07/23
A new stable release of pca has been published: 20090723-01.
See list of changes.
2009/04/08
A new stable release of pca has been published: 20090408-01.
See list of changes.
2009/02/24
A new stable release of pca has been published: 20090224-01.
See list of changes.
2009/01/08
Changes in enforcement of the current patch access policy are about
to be rolled out by Sun starting this week:
http://blogs.sun.com/patch/date/20090105
So what does that mean for pca users?
If you use pca to generate patch reports only, but not to download
and install patches, nothing changes.
If you have a support contract connected to the Sun Online Account
used with pca to download patches, nothing changes.
If you do not have a support contract - you are using a free Sun Online
Account - you already experienced that you could only download a subset
of patches with pca. This subset has now been reduced to a much smaller
number of patches, still containing at least all security patches.
At present, you can download any revision of a patch as long it contains
at least one security fix. In a second phase of policy enforcement (to
be done at a later time) only the revisions which actually contain security
fixes will be available for free. Example: Patch 123456-01 contains a
security fix. Later, 123456-02 is published, containing a non-security fix.
You will be able to download 123456-01, but not 123456-02.
The patchdiag.xref file currently only contains information about the
most current revision of each patch. For pca to determine the set of
missing security patch revisions, it would be necessary to have information
about the last security revision of each patch as well. There are no plans
for Sun to add this information to the patchdiag.xref file. You will have
to check all Sun Alerts or patch READMEs to come up with a list of all
free security patch revisions.
Of course Sun has limited resources and is concentrating them on customers
with support contracts. I currently have no idea whether the majority of
the pca users do have support contracts or not. So if you are affected by
the planned changes, this is your chance to make yourself heard. Feel
free to comment either via the
Comments link in the above blog entry
or on the pca mailing list.
2008/12/18
A new stable release of pca has been published: 20081218-01.
See list of changes.
2008/10/24
A new stable release of pca has been published: 20081024-01.
See list of changes.
Attention: pca-proxy.cgi will read only configuration files which
are named pca-proxy.conf from now on. Before that change, it was reading
pca.conf files, too, which could create confusion when a machine was both
a proxy and a client.
2008/09/11
A new stable release of pca has been published: 20080911-01.
See list of changes.
2008/09/09
A new stable release of pca has been published: 20080909-01.
See list of changes.
Today pca turns 5 years; version 1.0 was published first on 2003/09/09.
Thanks to all of you for the large amount of positive feedback I've
received during the last years!
2008/07/29
A new stable release of pca has been published: 20080729-01.
See list of changes.
2008/06/26
A new official release of pca has been published: 20080626-01.
See list of
changes.
I will be on vacation and not read my e-mail regularly from June 28th
to July 20th. In case of problems and for support queries please use
the pca mailing list and its archive.
2008/05/19
A new official release of pca has been published: 20080519-01.
See list of
changes.
2008/05/07
A new official release of pca has been published: 20080507-01.
See list of
changes.
2008/05/06
As of today, SunSolve is handing out a broken patchdiag.xref file,
containing HTML tags. Therefore, pca can't parse the file correctly and
returns an error message.
I have put a fix into the development release of pca to make it handle
this situation.
2008/03/11
A new official release of pca has been published: 20080311-01.
See list of
changes.
2008/02/26
There are now two mailing lists available: pca-news for announcements
only and pca for discussion and support. All addresses from the
old, manually maintained pca news mailing list are automatically subscribed
to the new pca-news list; you are invited to switch over to the
discussion list pca instead. For details on subscription etc. see
Lists.
2008/02/08
I've now added a hack to pca to make it work with wget v1.11. I still
don't understand completely what's going on, but there seem to be two
problems:
- SunSolve checks for the User-Agent header in HTTP requests, and
behaves differently for wget v1.11 and older versions. Seem as if
it considers Wget/1.11 unknown. Using --user-header=Wget/1.10.2
works around this part of the problem.
- In wget v1.11, authentication data is only sent if it's explicitely
being asked for. SunSolve doesn't ask for authentication, but if you
provide Basic Authentication data anyway, everything works. The
workaround for this problem is to compute basic authentication data
in pca and force it upon SunSolve with wget's --header option.
I don't like the workaround hacks, but it was the only method in my
experiments to make wget v1.11 work with SunSolve the same way as
previous versions.
The root cause of course is the overly complicated interface at SunSolve
to download patches and READMEs.
Sun should really get their act together
and give us a stable, reliable and standards conforming interface for
hands-off downloads.
Thanks to everybody who provided support and feedback with this issue.
2008/02/06
Attention: With wget v1.11 (which has been published recently),
downloads from SunSolve do not work anymore. This seem to be due to a
change in wget (Only send authentication credentials after we've
received a challenge from that host). Using wget v1.11 with pca
will therefore not work. This is a real pity. If anyone finds a
workaround, please let me know.
2008/02/01
Once again, there have been announced changes to SunSolve. It seems
as if a (free) Sun Online Account is required to download patchdiag.xref
right now. The file hasn't been updated since 2008/01/29 either.
2008/01/31
A new official release of pca has been published: 20080131-01.
See list of
changes.
2008/01/25
A new article in the Sun Patch blog features an overview of
Patch Automation Tools. It also mentions pca. Post a comment and
let them know which tool you like most :)
2008/01/11
Gerry Haskins, the Senior Engineering Manager in charge of
Software Release Engineering and Patch System Test at Sun,
has started a patch blog at
http://blogs.sun.com/patch.
2008/01/09
A new official release of pca has been published: 20080109-01.
See list of
changes.
2007/12/20
The News-Feed is now available via RSS:
http://www.par.univie.ac.at/solaris/pca/news.rdf
2007/12/18
When using a local caching proxy (pca-proxy.cgi) you might have
experienced interrupted downloads with large patches. This can
be caused by the web server (apache) which kills the CGI script
if it runs too long without any output. Luckily, apache has a
Timeout option to be set in the httpd.conf file.
It's set to 300 seconds by default. For large patches, you might
want to raise this to 1800 seconds or higher and restart apache.
Thanks a lot to Dominique Frise for pointing me at this.
2007/12/14
A new official release of pca has been published: 20071214-01.
See list of
changes.
2007/11/16
In his blog entry
"A big mess"
about the current state of the Solaris package system,
Dan Price refers to PCA as "a nice open source tool I use". Thanks
for the plug!
2007/11/15
A new official release of pca has been published: 20071115-01.
See list of
changes.
2007/11/07
Dave Collodel has built a package around pca to automate patch
installation, including the installation of deferred patches
during reboot. See
PCApatch.
2007/11/05
During the last days, I had no problems getting the daily updated
patchdiag.xref file. Seems as if the issue has been fixed. Another
interesting change is that the patchdiag.xref file is once again
available without specifying a Sun Online Account (SOA). I have already
modified the development release of pca to try accessing the xref
file both with and without SOA data.
2007/10/31
Today SunSolve delivered the correct patchdiag.xref file, and the
notice about known problems on the SunSolve web page is gone, too.
Let's hope this means that Sun has finally fixed the problems.
2007/10/29
After more than two weeks, the problem with SunSolve handing out random
old versions of patchdiag.xref still hasn't been fixed. I (and others)
came up with a temporary workaround. It seems as if a current version of the
xref file can be downloaded (without Sun Online Account) from
http://sunsolve.sun.com/search/document.do?assetkey=1-34-patchdiag.xref-1.
Unfortunately this file contains HTML markup, and can't be used directly
by pca without some post-processing. I have created a script
(getxref) which downloads the file and
removes the HTML markup, saving the result in a patchdiag.xref file, which
can then be used by pca.
I thought about putting the most current version of the patchdiag.xref
file (obtained by the above mentioned script) onto pca's webpage, so
it could be easily accessed by pointing pca at this copy with the
xrefurl option, but decided against it. According to the SLA on
SunSolve, it's illegal to redistribute any information from SunSolve.
2007/10/23
A new official release of pca has been published: 20071023-01.
See list of
changes.
2007/10/17
Good news: The current patchdiag.xref (dated Oct/16/07) is now available
on SunSolve. Update: Later this day once again old revisions of the
file were handed out. It's still broken.
Bad news: There's a new kind of problem with SunSolve when downloading
patches and patch READMEs. Sometimes SunSolve returns a small HTML file
(1203 bytes) instead of the requested file. It says that the requested
URL could not be retrieved, because an FTP authentication failure has
occured. It seems as if sunsolve connects to an internal FTP server
through a squid proxy, and the authentication has been messed up.
To clarify - both this FTP server and the squid proxy are components
of the SunSolve service - this is not a problem with your local
infrastructure.
As always, the problem has been reported to SunSolve staff and awaits
salvation.
2007/10/16
The problems with SunSolve handing out random old versions of
patchdiag.xref still persist. The SunSolve staff knows about it,
and promised to look into it.
2007/10/11
A new official release of pca has been published: 20071011-02.
See list of
changes.
2007/10/11
Again problems with patchdiag.xref - while it has worked yesterday
and today in the morning, I now receive either an "Internal Server
Error" or an outdated version of patchdiag.xref (Oct/09/07) again.
2007/10/10
Instead of handing out patchdiag.xref from Oct/09/07 (as it should),
sunsolve.sun.com has an old version from Oct/05/07. I reported it
to Sun. Update: The correct patchdiag.xref from Oct/09/07
is now online.
Besides that, I want to make it clear again that problems with
downloading any file (patchdiag.xref, patches) from SunSolve with pca
are still caused by the instability and slowness of the SunSolve server.
Until Sun gets their act together, I recommend re-trying failed
downloads either by re-running pca or using the dltries
option to make pca try downloads multiple times.
2007/10/09
Something seems to have changed on SunSolve once again. It's not possible
to download the patchdiag.xref file with wget without specifying Sun
Online Account data. Strangely enough, it still works through a web
browser. Sun must have implemented a procedure which disallows
unattended download of the file to ensure their legal information is
being read and accepted.
For now, please specify a Sun Online Account by using the user
and passwd options either on the command line or in a configuration
file. I will probably modify pca to enforce this in the future. If you
haven't done so yet, go and get a free Sun Online Account. See
Installation for details.
Update: The development release does not try to download the
patch cross-reference file from sunsolve.sun.com anymore if no SOA is
provided. The askauth option has been modified to ask for SOA data
whenever it is needed.
2007/10/05
A new official release of pca has been published: 20071005-03.
See list of
changes.
2007/10/02
A new official release of pca has been published: 20071002-01.
See list of
changes.
There is a new version scheme, consisting of the date in ISO format
plus a serial number. The same scheme is used for official and development
releases. A new option has been added (update=TYPE) which allows
pca to check for and install new versions of itself. See
UPDATE PCA in the documentation.
The documentation is now included in POD format in pca. Use
/usr/perl5/bin/perldoc pca to view it.
There are some enhancements to pca in proxy mode. You can setup a cascade
of local proxies by pointing one proxy at another. The xrefdir
and patchdir are honored now in proxy mode, so you can keep the
cache directory out of the document root of your web server and use an
existing cgi-bin directory. Debugging
a proxy is simplified; when the debug option is set, debug output will
be written to a file.
2007/09/20
Some people had problems when trying to install patch 120011-14
(SunOS 5.10: kernel patch). It requires patch 125547 to
be installed, which requires patch 122660-10 (via its prepatch script)
again. Patch 122660-10 has been obsoleted by 120011-14, though. So
at the end 125547 requires 120011, which requires 125547 itself.
The problem has been reported to Sun. Until they fix it with a new
revision of either 125547 or 120011, you can try to workaround
the issue by installing the obsolete patch 122660-10 manually.
125547 and 120011 should then succeed to be installed. Update:
Sun describes the problem in bug report
#6607483. They recommend to install 122660-10 as well. The same
issue exists on the x86 platform, with patches 120012-14, 122661-08 and
125548.
A second problem that has shown up today is that patch 120272-12
has been marked as bad patch and 120272-08 has been reinstated.
As 120011-14 (SunOS 5.10: kernel patch) requires 120272-12,
this again makes installation of the current kernel patch on
Solaris 10/SPARC impossible. There's a similar issue for the x86
patches 120012-14 and 120273-13. Update: The problem has been
fixed with the release of 120272-13 and 120273-15.
2007/09/13
Attention: The current version of pca has a bug in its --safe
option. If a patch installs more than a few hundreds of files and some
of them contain a comma in their name (esp. kernel patches are affected),
pca will falsely ignore errors
from pkgchk and install the patch even if it replaces locally modified
files. If you use --safe, please get the
development version of pca, which fixes this
bug. Sorry if this has caused problems.
Background: The pkgchk command used by pca for the --safe option is
horrible. When feeding path names with -p, the path names must not
contain commas. When feeding path names with -i <file>, the path
names must not contain the string ELF. In both cases, a maximum of
1024 path names can be fed at once.
2007/09/10
In the most recent official version of pca I changed the mechanism to specify
the SOA authentication data with wget from using http-user/http-passwd
to encoding the user and password into the URL. I have received reports
that this doesn't work with some proxy servers. According to
RFC 3986
this URI syntax has been deprecated and applications may choose to ignore it.
I have now reverted back to the old mechanism in the
development version of pca. Please use that
if you experience problems with the recent official version.
Thanks to all who reported this, especially Sean Walmsley who provided
in-depth information.
2007/09/05
The long awaited new update release of Solaris 10 (8/07) is available
for download now. A quick first check of the SPARC version shows that
most current patches are pre-installed. Even more, there are pre-installed
patches which have not been released through the official patch channel
yet. The most notable of these is 120011-14. This seems to be the
next kernel patch, and it obsoletes a lot of patches currently available,
123324-03(SunOS 5.10: sshd patch) and
125011-01(SunOS 5.10: sendmail patch) being just two of
them.
Most system administrators (including me) think it's not a good idea
to include application patches into the kernel patch.
Obviously Sun begs to differ.
2007/08/30
New release - PCA 5.7:
- Show BAD flag in patch list for uninstalled patches
- Encode special character in SOA authentication data for wget
- Hide SOA authentication data in process list
- Add option to force local caching proxy to download from sunsolve (--force)
- Check valid format of patchdiag.xref
- Use dltries option when downloading patchdiag.xref, too
- If set, use SOA data when downloading patchdiag.xref
- Fix download URL for patchdiag.xref, patches and patch READMEs
- Enhance algorithm to choose correct command for installed patches
- Add option to specify output format (--format)
- Show alternative root directory in header when set
- Better handle broken zero-size patchdiag.xref file
- Use existing, already extracted patch directories
- Fix patchadd hang when user input is requested
- Update workaround for patches missing in patchdiag.xref
- Update whitelist for safe patch install mode
- Update patch-specific function to avoid showing uninstallable patches
The most important changes in this version are the adaptions to
Sun's changes on SunSolve at the end of July, breaking at least some
of pca's download functions. pca will also handle broken xref files
(empty, wrong syntax) more gracefully.
New functionality is available with two new options: The --format
option can be used to specify pca's output format. Quite handy when
post-processing output from pca;
see Usage for more detail.
The --force option, when used
on a pca client in combination with a local caching proxy (pca-proxy.cgi)
will force the proxy to download any file from Sun, even if it already
exists in the cache.
2007/08/24
Sun's download server for the patchdiag.xref file, patches and READMES
(sunsolve.sun.com) still doesn't work fine. The problem is known to Sun;
there's now a note showing on SunSolve telling that they are working on it.
In the meantime, make sure you are checking pca's news page from time to
time. If further changes are necessary, they always show up first in the
development version of pca.
The current version
also contains a fix for the long-standing problem of the Sun Online Account
username and password showing up in the process list when downloading files
from SunSolve. A pca user (thanks, again) pointed me at a workaround
using wget's -i option and a temporary file.
2007/08/14
After some deeper investigation, I found two ways to download the
patchdiag.xref file within pca. If Sun Online Account (SOA) data is provided,
pca uses that to get the file. Without SOA data, pca fakes a cookie (via
wget's --header option) which makes sunsolve.sun.com believe that the
Service Level Agreement has been accepted, so it delivers the file
immediately.
During testing, I noticed that sunsolve.sun.com still is in a bad
shape. It returns HTTP internal server errors from time to time.
I modified pca to try any failed download (including patchdiag.xref) multiple
times if the --dltries=NUM option is set (to anything higher than 1).
The default is still 1.
The current state of all fixes is available in the
development version of pca.
2007/08/13
I'm back from vacation. And Sun did it again - there have been some
modifications to sunsolve.sun.com which make pca fail when trying to
download the patchdiag.xref file. A first attempt to fix the issue
is available in the
development version of pca. If the fix
doesn't work for you, please report back to me.
Unfortunately, Sun's download server seems to be a little flakey, too.
Patch downloads seem to fail from time to time. You might be able to
workaround this issue by setting pca's --dltries option to something
higher than 1.
Thanks to all of you who reported the problems, and provided fixes
or workarounds. In the next days, I will try to get out a new release
of pca which should fix the mentioned issues and I'll reply to the messages
which I received while I was gone.
2007/07/20
I will be on vacation from Jul 23rd to Aug 12th. Messages will be
answered when I'm back.
2007/07/12
In the Q&A section of the June issue of
SysAdmin magazine, Amy Rich
describes
pca as an easier alternative to Sun's own patch tools. The article
is a great introduction for new pca users as well.
I'd be happy to get my hands on a printed copy of that magazine for
my wall of fame. If you have it, and are willing to send it to me,
contact me by e-mail to
martin@par.univie.ac.at.
UPDATE: More than one of you offered to send the magazine to me,
and I have received a copy in the meantime. Thanks to all!
2007/06/29
I've been too optimistic. In today's patchdiag.xref, all patches for
SAM-FS and QFS 4.6 have disappeared (126506 to 126512). I have added
a workaround in the
development version of pca.
2007/06/20
There has always been a handful of patches which were missing from the
patchdiag.xref file. I had implemented a workaround in pca so these were
shown nevertheless, and sent countless queries to Sun in the last 18 months.
In today's patchdiag.xref, all of these patches suddenly show up correctly.
Thanks a lot to the unknown Sun engineer(s) who fixed this!
2007/05/22
New release - PCA 5.6:
- Add option to specify local URL for patches and READMEs (--patchurl=URL)
- Add option to specify local URL for patchdiag.xref (--xrefurl=URL)
- Handle patches which require an immediate reboot after installation
- Make pca use the wgetproxy option in proxy mode, too
- Add option to specify the path to the logger command (--logger=FILE)
- Ignore SIGINT (Ctrl-C) while patchadd is running
- Use public link for READMEs in HTML output if SOA is not set
- Provide more detailed information on failed downloads
- Show version info in debug output
- Show list of configuration files in debug output
- Update workaround for patches missing in patchdiag.xref
- Update whitelist for safe patch install mode
- Update patch-specific function to avoid showing uninstallable patches
The localurl option has been
deprecated and replaced by two new options: patchurl and xrefurl.
Both take a URL as argument. By separating localurl into two options,
it's now possible to specify different local sources for the patchdiag.xref
file and the patches. One example is to point patchurl at
pca-proxy.cgi, while xrefurl points to another URL with a baseline
patchdiag.xref file. For downward compatibility, localurl is still
recognized, and its argument will be used as the value for patchurl
and xrefurl if those are not set.
2007/05/03
Sun has updated InfoDoc
#83061 (Sun Software Update (Patch) Access Policy). Well worth reading
to get up-to-date on Sun's patch access policy.
2007/04/26
I will be on vacation from Apr 27th to May 3rd, hoping that Sun won't
break anything during that time. Messages will be answered when I'm back.
2007/04/03
New release - PCA 5.5:
- Change URL for download of patchdiag.xref file
- Stop trying to download patch or README from patches.sun.com
- Do not add links to patches.sun.com in HTML output
- Check for new xref file and download it once every three hours
- Get reboot/reconfig properties from patchinfo if it exists
- Enhance check for reboot/reconfig properties in README files
- Check for "immediate" reboot/reconfig properties
- Add option to specify default proxy for wget (--wgetproxy=URL)
- Better handle broken zero-size patchdiag.xref file
- Show SOA username in password prompt when username is in config file
- Check for root in safe mode only when install/pretend are used
- Fix a bug where the operands option was ignored in configuration files
- Set the default locale to C for forked processes like wget
- Show uname/pkginfo/showrev command in error messages
- Update workaround for patches missing in patchdiag.xref (add 7 new patches)
- Update whitelist for safe patch install mode
- Update patch-specific function to avoid showing uninstallable patches
This version of pca includes all the changes that were necessary after
Sun modified download links for patches, READMEs and the xref file. A
new and simpler algorithm for automatic download of the xref file is
used; if the file is older than three hours, pca will download it again.
Be aware that any download of a patch or a patch README from Sun's
server now requires a Sun Online Account.
The check for patches which require a reboot has been enhanced. The
patch README is only used to collect this information if no patchinfo
file exists for a given patch. After patch installation, pca will
tell whether a reboot or reconfiguration reboot is required or
recommended.
2007/03/28
No new patchdiag.xref file has been published since last Friday. In
combination with the change in the URL for downloading the xref file,
this creates a nasty problem: pca now downloads the xref file on every
run. To stop it from doing that, you can use the nocheckxref
option, either in a configuration file or on the command line.
Background:
pca tries to be clever; it knows that every week from Monday to
Friday at a certain time a new xref file is published, and from
the timestamp on the local xref file it can guesstimate when
a new one is available. When the new file should be there, pca
tries to download it on every run.
Until recently, it wasn't a big problem when Sun skipped a day
(which happens rarely anyway). pca used wget's -N option, which
only downloads a file if it is newer than the local copy (it uses
the HTTP Last-Modified header and the timestamp of the local file).
This worked fine, until Sun killed the former URL:
http://patches.sun.com/reports/patchdiag.xref
and replaced it with:
http://sunsolve.sun.com/pub-cgi/pdownload.pl?target=patchdiag.xref
Now I must use the -O option with wget, otherwise the downloaded
xref file is named incorrectly. Add to all this a bug/whatever in
wget, which breaks -N if it is used in combination with -O. So
"wget -N URL -O patchdiag.xref" always downloads the file, even
if it is not newer than the local copy.
Update: I decided to implement a much simpler algorithm for
the automatic download of the xref file. If there is no local copy
of the xref file or if it's older than one hour, pca will download
the file from sunsolve (or localurl). If the local copy has been
updated in the last hour, pca will use the file as is. This change
does away with all the sophisticated guessing and checking if a
new version might be available. The change is available in the
development version of pca.
2007/03/23
Sun has removed the link that pca uses to download the patchdiag.xref
file. I have put a fix with the new link into the
development version of pca. Please download
and use this to make automatic downloads of the cross reference file
work again. Thanks not to Sun for not announcing this
properly in advance.
The policy and URLs to download patches for Solaris 8 and 9 have
changed as well. From now on, you will always need a Sun Online Account
to access any patch or patch README. Feed account data to pca via its
user and passwd options, or by using --askauth.
If you do not have a (free!) Sun Online Account yet,
create a SOA here.
I will test the implications of the changes next week, and come up
with an official version of pca including the fixes as soon as possible.
Thanks to all the pca users who reported the problem!
2007/03/12
PCA 5.4 does not correctly read the operands option when it
is specified in a configuration file or in the PCA_OPERANDS environment
variable. I have fixed the bug in the
development version of pca. Thanks to
Martin Wismer for reporting this!
In the most recent patchdiag.xref file, the patches for QFS and
SAM-FS (122803-122809) have disappeared. This can only be another
problem caused by Sun, because in fact a new revision for all those patches
has been published on 2007/03/09. I have added a workaround to the
development version of pca.
2007/03/07
New release - PCA 5.4:
- Enhance checking of valid operands
- Allow file operands to include other files and check for include loops
- Implementation of ignore as a standard option (--ignore)
- Implementation of +rec and +sec as standard options (--rec and --sec)
- Use ignore list for installed/all/total/bad patch groups
- Add option to specify how often downloads are tried if they fail (--dltries)
- Reduce number of authenticated download attempts from SunSolve from 5 to 1
- Add option to specify backout directory for patchadd (--backdir=DIR)
- Allow relative path names with patchdir option
- Avoid using buggy showrev on both Solaris 10 x86 and SPARC
- Raise timeout for downloads from local patch server for huge patches
- Continue getting patches from a local patch server even if wget is missing
- Ignore HUP signal
- Wait for patchadd to complete when SIGINT (Ctrl-C) is caught
- Enhance handling of installed patches with unknown patch ID formats
- New implementation of options code
- Thread-safe implementation of download, locking and cleanup code
- Show patchadd command with all options in debug output
- Ignore nocheckxref and safe options in proxy mode
- Add a fix for unusual patchdiag.xref entry for patch 122608
- Update workaround for patches missing in patchdiag.xref (add 6 new patches)
- Update whitelist for safe patch install mode
- Update patch-specific function to avoid showing uninstallable patches
Valid short names for patch groups have been restricted to first letter
plus optional r/s/rs. For example, m can be used for missing, mrs for
missingrs, but missrs is not allowed. This applies to all patch groups
(missing, installed, all, total, unbundled, bad). Patch groups override patch
files: pca -l missingrs will always list missing R/S patches, even if
a file missingrs exists. The operand specified when running pca will
be shown in the header output of pca.
The ignore, +rec and +sec options which could be used to ignore
certain patches or mark them as Recommmended/Security have been replaced
by the ignore, rec and sec options. Unlike the old options, these
can be used in configuration files, environment variables and on the
command line. Example: pca --ignore 125319 --ignore 125427. The old
options are still used, but deprecated. Patches set to be ignored will
now be ignored with all patch groups.
2007/03/07
Once again, the SunSolve server is in a bad state. Download of any
restricted patch fails or returns size 0 files, and interactive access
via the Patch Finder is either delayed infinitely or returns proxy errors,
HTTP code 500 or size 0 files.
2007/02/26
In the past few days it happened frequently that some of the new
patches are not available for download from Sun although they
are listed in the patchdiag.xref. When trying to download the
affected patches from SunSolve, a size-zero file is returned.
This is Sun's fault, and I reported it to them repeatedly.
It's extremely annoying, but there's no way for pca to fix this.
2007/02/21
Chris Reece has implemented thread support into pca for parallel
patch downloads. See the contrib page for detail.
Thanks a lot to Chris for the contribution!
2007/02/13
Today's patchdiag.xref is valid again, so the problem described below
has been fixed.
2007/02/12
The current patchdiag.xref on SunSolve is broken. It's only about a
quarter of the size it should have. The result is that pca output
is broken, too. I reported the problem to Sun, who hopefully will
fix this soon, at least in the next release of patchdiag.xref, which
is due Tuesday, about 7:30 a.m. (MET).
For your convenience, here's a temporary copy of the
last valid patchdiag.xref file
(Update 2007/03/05: Link has been removed).
You can use pca -X <dir> to make pca use this copy.
Use touch -t 02110800 patchdiag.xref to set the timestamp
in a way that pca accepts the file as current and updates the
file when Sun will issue a new version of the file.
Thanks to all pca users who reported this to me, too!
2007/02/02
The problem with showrev -p crashing (as mentioned in the news
entry from 2007/01/11) can be fixed by installing the patches
124630-03 (SPARC) and 124631-03 (x86). The patches are pre-installed
on Solaris 10 11/06.
There have been reports about the broken showrev behaviour on systems
with the new kernel patches (118833-36 for SPARC and 118855-36 for x86),
too. If you install these patches, make sure to install 124630-03 and
124631-03, too.
2007/01/31
When installing the most recent kernel patches for Solaris 10
(118833-36 for SPARC, 118855-36 for x86), an immediate reconfiguration
reboot is required. No other patches can be installed before the
system has been rebooted.
2007/01/25
Another important change in Sun's patch access policy has been
announced in
InfoDoc #83061. The most important change is that access to
Solaris 8 and 9 patches will be restricted in the same way as access to
Solaris 10 patches already is.
As soon as the policy change is enforced (I've heard about March 31st, 2007),
a free Sun Online Account will be necessary to access Solaris 8 and 9
security patches, and a Sun Service Plan (non-free) will be needed to
access any non-security Solaris 8 and 9 patch.
As far as pca is concerned, it should continue to work as-is.
For any patch download you will have to provide Sun Online Account
data via pca's command line options (--askauth, --user/--passwd),
configuration options (user=USER, passwd=PASSWD) or environment
variables (PCA_USER/PCA_PASSWD).
2007/01/18
New release - PCA 5.3:
- Add option to list patches with a minimum age (--minage=DAYS)
- Fix installation of Studio 11 patches on Solaris 10 (enforce -G)
- Small modifications to make pca-proxy.cgi run under Linux
- Generate links to local caching proxy in HTML output
- Avoid using buggy showrev on Solaris 10 x86
- Adapt time of day in check for new patchdiag.xref
- Fix handling of empty lines in patch list files
- Update whitelist for safe patch install mode
- Update workaround for patches missing in patchdiag.xref
2007/01/11
On some systems running the most recent update release of
Solaris 10 (11/06) the showrev -p command produces a segmentation fault.
As this command is used by pca to get the list of installed patches, pca's
output is incorrect, too. The reason for the showrev crash seems to be
a very long line in the /var/sadm/pkg/SUNWcsr/pkginfo file. The problem
has only been seen on x86 systems which were upgraded to 11/06 - fresh
installs seem to be fine.
I have implemented a workaround to avoid the showrev command on Solaris 10 x86
and to use patchadd -p instead. You can get the fix by downloading
the current development version of pca.
A new official release of pca will follow in the next days.
2007/01/02
In this
blog entry from Jonathan Schwartz I saw PCA mentioned in one of the
comments. Unfortunately, no new comments can be posted anymore, but here's
what I would have liked to post:
You correctly noticed that "most administrators still choose to manage their
updates through legacy, non-connected tools". In fact it's more like that
administrators again use other tools, after getting upset with Sun Update
Connection, especially its bugs, slowness, incorrectness and inability to run
on older Sun gear and stripped-down machines.
I'm the author of PCA,
an alternative and free tool for patch management. A huge number of Solaris
administrators have switched from SUC to PCA, and this includes especially
experienced staff managing large networks of Sun hardware. I received a lot
of feedback, much of it concluding in "This is the tool that Sun should include
for patch management". Feel free to take a look at it, and maybe experience
the same.
I'm a long-time fan of Sun and Solaris and have read and heard a lot about
administrators' experiences with patch management. Sun should be aware
that this is one huge topic driving people away from Solaris, and not
attracting them.
P.S.: As for Santa handling all his patch management via your update center,
I have here this e-mail from a guy called Rudolph Reindeer, who says he's
working as the administrator for Santa. While he tells his boss that the
SUC is used for patch management to not get him upset, he in fact switched
to PCA a year ago, and is now happy again .. :)
2006/12/01
I will be on vacation from Dec 2nd to Dec 10th, hoping that Sun won't
break anything during that time. Messages will be answered when I'm
back.
2006/11/28
New release - PCA 5.2:
- Replace /pattern/ operand with a new, more flexible option (--pattern)
- Add new patch group (total) to show all patches listed in xref file
- Use a single pager process for multiple READMEs and be more verbose
- Remove patches which were downloaded for installation only
- Enhance recognition of patches which require a reboot
- Use more portable code to find perl
- Update whitelist for safe patch install mode
The /pattern/ operand was only useful for a limited set of tasks, like
listing all patches whose synopsis matches the search pattern, no matter
whether those patches actually apply to the system or not. It has been
replaced now with the new option -p/--pattern=REGEX, to be used in
combination with any valid patch group (like missing, all, etc.) and to
restrict the patches to be listed, downloaded or installed to those whose
synopsis matches the search pattern REGEX. Also, there is a new patch group
total, which will list all patches from the xref file, no matter
whether they apply to the current system or not.
This makes pca much more flexible. Examples: To list all Sun Studio
patches which are missing on a system, use pca -p Studio. To
list all CDE patches installed on the current system, use
pca -p CDE -l installed. To install the current sendmail patch,
use pca -p sendmail -i. To see all sendmail patches for all
Solaris releases and architectures, use pca -p sendmail -l total.
Other new features requested by pca users are that a single pager
process is called for multiple READMEs (allowing to switch back and
forth between files), and that downloaded patches will be removed
after installation to save space; if you want to keep the downloaded
patches, use pca --download --install instead of pca --install.
2006/11/23
After reading this
blog entry from Chris Quenelle, it occurred to me that the current
implementation of search patterns in pca is suboptimal. When running
pca -l '/Studio 11/', all patches which have Studio 11 in their
synopsis will be listed, no matter whether those patches apply to the
system or not. As it is now, the search pattern is only useful when
trying to find certain patches for all Solaris versions and architectures.
I have already implemented a much more flexible solution for search
patterns, available in pca 5.2.
2006/11/08
There are currently 4 different problems with patches on
SunSolve:
#1:
For the last 2 or 3 weeks, no new patches showed up in
patchdiag.xref. This seems to have been fixed, as the
last three releases of the xref file again had a whole lot
of new patches. See this
blog entry for more detail.
#2:
There are patches like 120845-03, 120200-07 and 124326-01
which are listed in the xref file and on Patchfinder, but
they are shown as size 0 on Patchfinder, and the download
links indeed return a size 0 file. We discussed this in a
thread on the Solaris x86 mailing list. Bruce Riddle
has been trying to get this fixed via Sun Support, but to
no avail.
#3:
Since a few weeks, new patches (or new revisions of existing
patches) listed in patchdiag.xref are not available for
download immediately after they show up in the xref file.
It takes another day until they actually make it onto Sun's
patch server. As an example, today's xref file shows 119685-09, 119686-09,
120460-10 and 120461-10 which can't be downloaded. For
pca users this means that these patches will fail to download
today, but most probably they will download fine tomorrow.
My recurring proposal to SunSolve support staff
to make sure that patches are available for download
before they are published in patchdiag.xref, has been
acknowledged, but not implemented.
#4:
HTTP access to sunsolve.sun.com and the Patchfinder is so
slow that it's practically unusable at times.
2006/11/07
A whole lot of patches has appeared today. Unfortunately the old problem
I've mentioned multiple times before is showing up again, too: Many of
the new patches for Solaris 10 are unavailable on Sun's patch server,
so pca will fail to download them. Once again, I immediately reported
this to Sun's patch team.
2006/11/06
Good news. There are about 40 new patches in the most recent
patch cross reference file, and all of them downloaded and
installed successfully. This gives hope that both the problem
with no new patches appearing in the last 2 or 3 weeks and
the problem with failing patch downloads have been fixed.
2006/10/31
I've been told that Sun has a problem with the new patch release
mechanism, and that they are working on fixing it. This probably
explains why there have been no new patches for the last 10 days.
2006/10/11
New release - PCA 5.1:
- Allow xref file to be downloaded from local patch server
- Add support for HTTPS with local patch server
- Better guesstimate when a new xref file is available
- Fix asking for Sun Online Account data with --install
- Fix reading configuration files when HOME is not set
- Show Reboot/Reconfigure message only when really necessary
- Fix race conditions with concurrent downloads of patches and xref file
- Fix failing installations of patches in tar format
- Make file recognition for zip/tar/tar.Z patches more robust
- Fix signal handler and cleanup on exit
- Fix bugs where a zero size patch file was created
- Fix error output in local caching proxy mode
- Set umask for extracted patches to make sure patchadd won't fail
- Fix bugs in lockfile handling
- Use HTTP redirection with Location header in local caching proxy mode
- Update whitelist for safe patch install mode
- Update patch-specific function to avoid showing uninstallable patches
If the localurl option is set, pca will now look for the patchdiag.xref
file on the local patch server, too. The HTTPS protocol can now be used
with the local patch server; if you use it, make sure that your wget
binary supports HTTPS.
This version of pca contains a lot of fixes for small bugs, mostly
for patch installation and the local caching proxy mode of pca.
2006/10/10
The problem with failed downloads of the most recent patches for
Solaris 10 still exists. I'm in contact with Sun's Patch Team,
who have acknowledged this as a timing issue. They confirmed that
they are working on a fix.
2006/09/27
An old and well-known problem is showing up again on Sun's patch server.
Many of the patches which are listed as new or updated in today's
patchdiag.xref are unavailable on Sun's patch download server. For
Solaris 10, I get failed downloads for 119252-13, 119253-14, 119280-07,
119281-07, 122761-01, 122762-01, 123003-02, 123004-02. Most probably
the patches will be available tomorrow, but it's a real nuisance that
Sun can't coordinate patchdiag.xref with the availability of patches.
2006/09/25
Laurent Blume has updated his presentation about pca. It's now available
via the Contrib page both in English and
en français. Thanks!
2006/09/13
New release - PCA 5.0:
- Long command line options to enhance memorability
- Read configuration files (optional)
- All options via config files, environment variables or command line
- Caching proxy mode for local patch server
- Show patch information during download/install
- Install every patch right after download
- Retry failed patch and README downloads from sunsolve
- Allow patches to be marked as Recommended/Security
- Support for file:/ URLs for local patch server
- Add option to tell proxy not to cache xref file (--nocache)
- Switch back to trying download from public patch server first
- Adapt to Sun's new interface to access restricted patch READMEs
- Cleanup temporary files on fatal errors
- Ask for Sun Online Account data only when necessary
- Enhance handling of installed patches with unknown patch ID formats
- Moved pca.ignore functionality into configuration file
- Modified workaround for patches missing in patchdiag.xref (115168-13)
- Code cleanup and performance enhancements
While there are long command line options now, the short names can still
be used and are the same as in previous versions. The new configuration
files are completely optional, too. To keep things simple, every option
can now be either set in a configuration file (user=USER), as an
environment variable with a PCA_ prefix (PCA_USER=USER) or on the
command line (--user=USER).
The functionality of the pca.ignore file has been moved into the new
configuration files, too.
See CONFIGURATION in the pca documention for details.
The new caching proxy mode of pca replaces the pca-proxy script I
had offered on the Contrib page before. Read about LOCAL PATCH SERVER
in the pca documentation for details.
The readme option (-r, --readme) now accepts any operand, just like the list,
download and install options. Use "pca -r 123456-78" to read single
patch README, or "pca -r missingrs" to read the READMEs of all missing
R/S patches at once.
2006/09/13
Sun has broken the method to access READMEs for restricted patches
with wget. This affects pca's -r option, too. Through some
experiments, I found a new method, but this doesn't work for all
patch READMEs either. I will try to fix it in the next release of
pca, but as long as Sun breaks existing interfaces and won't replace
it with stable procedures, it's impossible to promise anything.
2006/09/01
Sun's patch server is a little flaky recently. Patch downloads fail
intermittently, causing failed patch downloads with pca. Therefore, I
modified pca to re-try failed patch downloads. The fix will be in
the next official version of pca. If you need it immediately, grab
the development version of pca which already
includes the fix.
2006/08/29
New release - PCA 4.2:
- Add option for safe patch installation (-s)
- Add support for a local server for patches and READMEs
- Allow multiple patch IDs with -r option
- Fix handling of whitespace in search patterns
- Recursive analysis of patch obsoletions when listing bad patches
- Add message for -G allowed with Solaris 10 or newer only
- Use logger command instead of perl syslog module
- Fix bug that rendered terminal unusable after Ctrl-C at password prompt
- Modified workaround for patches missing in patchdiag.xref (112908-27)
Sun's patch procedure has a big problem. Sometimes a patch re-delivers
and silently overwrites files which have been modified locally. pca
tries to overcome this issue with its new safe patch installation mode.
Before installing a patch, pca checks all files listed in the patch
README for local modifications using pkgchk. If any file is in danger
of being overwritten, pca issues a warning and does not install the
affected patch.
Safe mode is off by default, and can be turned on by using -s in
combination with -i (install patches) or -I (pretend to install
patches). You must be root to use -s, as root permissions are
required for pkgchk with certain files.
Sometimes the file checksums used by pkgchk are wrong, because patches
modify files without updating the checksum. Only Sun can fix this. For
now, pca uses a whitelist which I built during testing the new feature
with a huge set of patches. I'm very interested in real-world experience
with the new feature. Running pca -s -I is a safe way of identifying
problematic patches without actually installing them.
Another important new feature is support for a local server for patches
and READMEs. Enable it by setting the environment variable PCA_LOCALURL
to the URL (e.g. http://www.my.org/patches/) of a directory that contains
local copies of patch files (e.g. 123456-78.zip) and patch READMEs
(e.g. README.123456-78). The local URL will be checked before Sun's
patch server, so you can easily build a local cache by copying
patches and READMEs to a directory on your local web server. It will
speed things up dramatically and ease bandwidth usage on your connection
to Sun's patch server.
This new feature can be taken a step further by pointing PCA_LOCALURL
at a simple CGI script, which works as a local caching proxy. If a
patch or README exists in the local cache directory, it will be
delivered immediately. If it doesn't, it uses pca to download the
file from Sun's patch server, puts it into the cache and delivers it.
The best thing is that I provide a sample implementation for such a
pca proxy CGI script on the Contrib page.
2006/08/18
I have received a report that pca 4.1 does not run with the default
version of perl in Solaris 8, caused by a fault in the Sys::Syslog
module. If you get a message about syslog.ph missing when running
pca, get and run the development version of pca,
which has a preliminary fix.
2006/08/11
New release - PCA 4.1:
- Prevent two instances of pca to install patches at the same time
- New environment variable PCA_SYSLOG to log patch installations
- Fix handling of Citrix patches
- Show current kernel patch level in header
- Fix two bugs which caused pca to leave stale files on failed patch install
- Fix syntax of function definitions and calls
- Update patch-specific function to avoid showing uninstallable patches
Up to Solaris 9 it's not safe to run two instances of patchadd at
the same time. pca now uses a lock file to work around this issue.
If the new environment variable PCA_SYSLOG is set to a syslog facility
(e.g. user or local0), pca will log the patch id and synopsis of all
successfully installed patches for future reference.
2006/08/04
The changes in Sun's patch access policy as documented in InfoDoc
#83061
have now been established. Here's a short summary as far as patch downloads
with pca are concerned:
-
Patches for all Solaris versions up to Solaris 9 can be downloaded
without any Sun Online Account or Sun Service Plan.
-
All patches for Solaris 10 can be downloaded with a
Sun Online Account which is free. Unlike documented in the above
mentioned InfoDoc, a limited subset of Solaris 10 patches can still be
downloaded without a Sun Online Account. The InfoDoc states that some
patches might be restricted to users who purchase a Sun Service Plan,
but I have not yet hit one of those during testing.
I recommend to
create a Sun Online Account, if you don't have one yet, and
to feed the Sun Online Account data to pca either via the PCA_USER and
PCA_PASSWD environment variables, or by using the -a option to pca.
2006/07/13
The complete developer and support team of pca (me :) will be gone
on vacation from July 15th to July 30th. Messages arriving during
that time will be answered when I'm back.
2006/07/03
New release - PCA 4.0:
- Change default to show all missing patches
- Use a single patchdiag.xref for all users again by default
- New environment variable PCA_XREFOWN for user-specific xref file
- New environment variable PCA_OPTIONS to set default options
- Add option to ask for SunSolve authentication interactively (-a)
- Show patch count when downloading and installing patches
- Show summary of successful/failed patch downloads and installs
- Do not try to install patches which failed to download
- Use patch obsoletion information from showrev to enhance analysis
- Try download from restricted patch server first if authentication is set
- Correctly identify tar/tar.Z/zip downloads from restricted patch server
- Make pca use patchadd if showrev is not available
- Update patch-specific function to avoid showing uninstallable patches
Like Sun's own patch tools, pca will now show all missing patches by
default, and not just those that are marked Recommended/Security. To
get the old behaviour, run pca -l missingrs.
The default handling of patchdiag.xref has been changed back to like
it was before version 3.7. The file is called /var/tmp/patchdiag.xref
and writable by all users. If you want a patchdiag.xref which is writable
by the current user only, set the PCA_XREFOWN environment variable, or
set PCA_XREFDIR to a directory containing /home/. A lot of users didn't
like the change, and it broke the timestamping feature of wget, resulting
in superfluous downloads of the cross reference file.
Instead of setting PCA_USER and PCA_PASSWD, you can now use the -a option
to pca. It will make pca ask for SunSolve authentication data interactively.
2006/06/09
New release - PCA 3.7:
- Ignore bad patches obsoleted by installed patches
- Keep one patchdiag.xref for each user, writable by that user only
- Read uname/showrev/pkginfo information from Sun Explorer output
- Fix handling of DCE and HP Data Protector patches
- Update patch-specific function to avoid showing uninstallable patches
The default file name for patchdiag.xref is now patchdiag.xref.UID,
with UID being the UserID of the user running pca. Like this, the
cross reference file does not have to be world-writable anymore.
2006/06/01
Sun has announced further changes to patch access. In late August 2006
access to patches via anonymous ftp will cease
(InfoDoc #82023).
Additionally, any access to patches will require a Sun Online Account
and the acceptance of the Software License Agreement from mid July 2006
(InfoDoc #83061).
2006/05/12
New release - PCA 3.6:
- Add new patch group (bad) to show installed patches marked as bad
- Show BAD flag in patch list
- Make pca honor TMPDIR environment variable for patch extraction
- Show patchadd output for failed patches instead of verbose error messages
- Deal with empty input files
- Modify pca output to ease post-processing
To help in dealing with patches marked as Bad, pca now shows the Bad
flag in a column besides the Recommended/Security state. Additionally,
'pca -l bad' can be used to show a list of all installed patches
that are marked Bad. It's up to the administrator to decide on how to handle
bad patches - check the patch README, and patchrm if needed.
The output of pca has slightly changed. A '-' character is shown
in the RSB column if the according flag is unset. This eases post-processing
pca output. Example: 'pca -H | sort +5' will sort the patch list
by age of the patch.
2006/04/26
Sean Berry is managing various Fujitsu Solaris servers. Fujitsu provides
its own version of the patch cross reference file, using an extended
format compared to Sun's patchdiag.xref. He asked me whether any user
of pca has already implemented modifications to make pca work with
Fujitsu's xref file yet. As I don't know of anybody who's done that,
I'm forwarding this query here.
2006/04/24
New release - PCA 3.5:
- Add option to not check for updated patch cross-reference file (-y)
- Enhance handling of failed patch downloads
- Show output of wget when running in debug mode
- Fix handling of KDE patches
- Make pca accept output of pca -H as input
- Fix verbose error messages for patchadd in Solaris 10 with -G
- Update patch-specific function to avoid showing uninstallable patches
2006/04/21
Attention: It's currently impossible to access any patch or
patchdiag.xref via SunSolve. The patchfinder returns "Sorry, the patch
you requested could not be found." and
http://patches.sun.com/
shows an empty directory.
Therefore, pca will fail when trying to download the current patchdiag.xref
or any patch.
Update: The problem has been fixed at about midnight MET. It had
been caused by a filesystem corruption on the patch download server.
2006/04/06
New release - PCA 3.4:
- Add verbose error messages instead of exit codes for patchadd failures
- Allow setting of patchadd command (new environment variable PCA_PATCHADD)
- Change all environment variables to contain a PCA_ prefix
- Use perl functions for file and directory removal
- Updated patch-specific function to avoid showing uninstallable patches
The environment variables XREF, SUNSOLVE_USER and SUNSOLVE_PASSWD have
been renamed to PCA_XREFDIR, PCA_USER and PCA_PASSWD for consistency.
The old variables still work, so there is no need for immediate changes.
A new section documenting all environment variables used by pca has
been added to the Usage notes and the man page.
2006/03/28
New release - PCA 3.3:
- Allow setting of path to wget (new environment variable PCA_WGET)
- Allow setting of download directory (new option -P and PCA_PATCHDIR variable)
- Add more flexible handling of operands combined with r, s and rs
- Add workaround for patches missing in patchdiag.xref (112908-24 and 115168-10)
- Show output of patchadd when running in debug mode
- Use module Cwd instead of pwd command to make pca run on Windows
- Bug fix in handling /pattern/ operand
- Minor internal code re-organization
By adding r, s or rs to any operand (missing, installed, all, unbundled)
it's now possible to e.g. list all missing patches marked Security (missings).
2006/03/21
New release - PCA 3.2:
- Fix handling of patches which require itself
An inconsistency in today's patchdiag.xref lead to a Solaris 9/SPARC patch
requiring itself, which made pca crash. The fix for this bug is the only
change in this release.
2006/03/14
New release - PCA 3.1:
- Fix handling of -R option to make pca work on older Solaris releases again
Due to a bug introduced in PCA 3.0 it didn't run on Solaris 8 or older
anymore. The fix for this bug is the only change in this release.
2006/03/09
New release - PCA 3.0:
- Rename many command line options for usability and consistency
- Massive code cleanup
- Download patchdiag.xref and keep it up-to-date automatically
- Allow searching complete list of patches with search pattern
- Add option to modify packages in the current zone only (-G)
- Updated Usage notes and added an Examples section
Be sure to check out the Usage notes. pca now
has three main options (-l for listing, -d for downloading, -i for
installing patches), and supports a list of operands to specify affected
patches. Other options have been renamed for consistency reasons.
It is not necessary to specify -x to download patchdiag.xref anymore.
pca will download the file automatically to /var/tmp if it doesn't
exist, or if it's older than 24 hours. The -x option still exists;
it will download patchdiag.xref and quit.
2006/02/13:
New release - PCA 2.5:
- Add path/prefix argument for option -F (read showrev etc. from files)
- Modify download option (-D) to enhance downloading of multiple patches
- Allow automatic patch installation (-p) after patch download (-D)
- Updated patch-specific function to avoid showing uninstallable patches
The download option (-D) now supports downloading of multiple patches
at once. The argument can be a list like "123456;234567-89".
Combining -D with -p allows to install multiple selected patches.
The -F option, which makes pca read its input from files (showrev.out etc.),
requires a directory/prefix argument now. This can be .,
/path/, or a prefix like hostname_.
2006/01/04:
New release - PCA 2.4:
- Enhance debug output
- Fix handling of Checkpoint patches
- Add option to set alternative root directory (-A)
- Fix quoting of sunsolve password string
- Fix handling of failed patch download (remove possible size 0 files)
- Allow setting of SunSolve login data via environment variables
- Modify download option (-D) to allow downloading of multiple patches
Attention: The method to provide pca with the SunSolve login data
has changed. You do not need to edit pca itself anymore. Instead, set
the two environment variables SUNSOLVE_USER and SUNSOLVE_PASSWD to
contain the SunSolve user name and password.
The download option (-D) now accepts either a patch id or a
file name as its argument. If a file name is given, all patches listed
in this file (one patch id per line) will be downloaded.
There is a new option (-A dir) to set an alternative root directory.
This has not been tested intensively.
See Usage for more detail.
2005/11/29:
New release - PCA 2.3:
- Add alternative method to access patch READMEs, using SunSolve login data
- Add support for patch downloads using SunSolve login data in HTML output
- Fix handling of EMC patches
- Enhance debug output
- Show location and date of patchdiag.xref
- Do not show message about retrieving patchdiag.xref when -H is used
- Fix typo in message text
- Updated patch-specific function to avoid showing uninstallable patches
As announced previously by Sun in
InfoDoc 83061, non-security patches for Solaris 10 are not available
for download without a Sun Service Plan anymore as of today. Access to
patches for older Solaris releases is unchanged.
If you do have a Sun Service Plan, you can tell pca about it by editing
the script and putting your SunSolve login data into the two variables
called sunsolve_user and sunsolve_passwd. Even without
a Sun Service Plan you can continue to use pca. The only thing that
won't work is the download of non-security Solaris 10 patches and their
READMEs.
2005/11/03:
New release - PCA 2.2:
- Handle possible empty fields in patchdiag.xref
- Show exit code of patchadd if it fails
- Remove unnecessary sort for showrev output
- Add option to show debug output (-V)
- Updated patch-specific function to avoid showing uninstallable patches
If a patch fails to install when running pca, it will now show
patchadd's exit code. This code can be looked up in
/usr/sbin/patchadd, which might help in analyzing problems.
2005/10/13:
There was an error in the patchdiag.xref from 2005/10/10. One of the
patches for Solaris 10/x86 had an empty release date field. pca couldn't
handle this correctly, and threw some "uninitialized value" errors.
The problem has been fixed by Sun in patchdiag.xref on 2005/10/11.
I've built a fix into pca, too, so it copes better with such
inconsistencies. It will be in the next version of pca to be released.
2005/10/07:
If you want to be notified of new pca releases by e-mail,
send a short message to
martin@par.univie.ac.at.
I will add your e-mail address to my pca announcements mailing
list. Volume will be low. Of course e-mail addresses will be
kept strictly private - I hate spam as much as you do. All messages
will be tagged with [pca-news] in the Subject: header field.
2005/10/04:
New release - PCA 2.1:
- Add option to pretend patch installation (-P)
- Look at machine class to avoid showing uninstallable patches
- New patch-specific function to avoid showing uninstallable patches
- Show OS version and architecture information in report header
There is a handful of patches which don't have their prerequisites
defined properly in patchdiag.xref, either because Sun made errors,
or they can not be expressed in patchdiag.xref's limited options.
This results in pca showing a patch as required and uninstalled, but
the patch will fail to install later. Often these extra prerequisites
are defined in the prepatch script of a patch. Until now I had listed
such patches on the Notes page. I decided that I
could just as well add a check for those patches to pca itself,
wherever this is possible. The result is that this most recent
version of pca should show less uninstallable patches.
Attention: When creating patch reports for remote machines,
the commands to be used to generate the input files have changed
with this version ("uname -a" has to be used).
See Usage information.
I have added a list of people who contributed to pca with patches,
debug information or other feedback to the Usage
information and the man page. If you are missing your name on the list,
please don't hesitate to tell me.
2005/09/08:
New release - PCA 2.0:
- Add handling of required patches which are obsoleted by other patches
- Extract and display README from patch zip file if available (with -R <id>)
- Pipe README (with -R <id>) into more or $PAGER
- Add a signal handler to remove stale files after interrupted downloads
- Extract patches into /tmp/pca.time() by default
- Remove extracted files after patch installation
- Fix small bug with flushing output to stdout for older perl versions
- Set default patch download dir to absolute path instead of "."
This version of pca has undergone a massive testing cycle. I have installed
Solaris 2.5.1, 2.6, 7, 8, 9, and 10 (SPARC, unpatched FCS) on two
machines and ran pca -xup on all of them. This analyzes,
downloads and installs all available patches. Altogether, 1953 patches
were installed successfully. All problematic patches have been added
to the Notes section. The patch dependency
analysis (the heart of pca) is now as good as it can get.
Starting with this version, patches are now extracted into a temporary location
under /tmp, which is removed after installation. As /tmp
is a RAM based filesystem, this speeds up patch installation a lot. The danger
of filling a file system is reduced, too. pca now also deals
better with interruptions while it's running (like pressing Ctrl-C).
2005/08/26:
New release - PCA 1.5.1:
- Display age of patch in a new column
- Fix small bug in handling showrev -p output
The age of a patch (in days) is now displayed in all lists generated
by pca. This can be helpful to quickly determine whether a patch
has been released or updated recently.
2005/08/08:
New release - PCA 1.5.0:
- Add experimental support for downloading contract-only patches
- Fix handling of IDR patches
- Add support for installpatch (Solaris <= 2.5.1)
To use the experimental support for patch downloads from an alternate
URL in Sunsolve's restricted area, you must edit pca and enter your
Sunsolve login data. Search for $sunsolve_user and
$sunsolve_passwd. Be aware that the login data will
appear in ps output while pca is running and downloading patches.
2005/07/28:
Sun is currently modifying the patch infrastructure, resulting in
some patches not being downloadable. This causes failed patch
downloads when running pca. Hopefully they will fix this soon.
The restructuring seems to be connected to the previous announcement
of restricting access to all non-security Solaris 10 patches
to owners of a Sun Service Plan.
2005/07/08:
New release - PCA 1.4.7:
- Fix error handling
- Fix handling of required patches
2005/06/02:
Up to now, all patches for all Solaris versions are still available without
a support contract. According to this
announcement access to Solaris 10 non-security patches will be
restricted to owners of a Sun Service Plan in Mid-Summer 2005.
2005/06/02:
New release - PCA 1.4.6:
- Add option to specify directory location of patchdiag.xref (-X)
- Add host name to header
- Fix HTML code generation
- Add option to run patchadd without backing up files (-k)
- Fix usage information
Most of the new features were contributed by Stephen P. Potter
(Thanks, again!).
Attention: When creating patch reports for remote machines,
the commands to be used to generate the input files have changed
with this version. See Usage information.
2005/05/25:
New release - PCA 1.4.5:
- Fix handling of tar patches
- Add missing options to usage information
- Add option to show pca version information (-v)
2005/05/18:
The Usage information is now available in
man page format. Download pca.8 and put it
into any directory in your man path (e.g. /usr/local/man/man8).
2005/03/22:
Sun has announced
Changes to SunSolve for Solaris 10 starting on April 5th, 2005.
Only security patches will be available for download for free, all
other patches will require a Sun Service Plan or Contract. A bad move,
in my opinion.
I will see how this affects pca. Most probably it has to be modified
to continue to support all patch downloads for users who pay for a
Service Plan or Contract. All other users will be restricted to security
patches - pca will still show other missing patches, but won't be able to
download or install them.
2005/03/02:
As Solaris 10 is now generally available, and the first patches
for it are showing up, I have tested pca with the new release and it
works fine.
From now on my testing platforms will be Solaris 9 9/04 (SPARC)
and Solaris 10 (SPARC).
2005/02/07:
New release - PCA 1.4.4:
- Fix handling of multiple installations of the same package
2005/02/01:
New release - PCA 1.4.3:
- Fix bug in patchdiag.xref reading code to handle inconsistencies
- Fix bug which made pca ignore some unbundled patches
2004/12/22:
New release - PCA 1.4.2:
- Add option to only apply patches which do not require a reboot (-n)
2004/10/27:
New release - PCA 1.4.1:
- Add option to read uname/showrev/pkginfo from files (-F)
2004/10/04:
A user has reported success when using perlcc to compile pca into
an executable, to be used on stripped-down machines which don't
have perl installed. This might be an option for other potential users
of PCA, too.
2004/09/24:
New release - PCA 1.4:
- Add experimental HTML output option (-b)
- Add -R <id> option to show the README of a patch
- Add -D <id> option to download one patch
- Command line option to not show headers is now called -H
- New command line option -h to print usage information
- Internal code redesign
The documentation on the Usage page
has been updated with the new command line options.
2004/09/01:
New release - PCA 1.3.1:
- Switch from FTP downloads to HTTP downloads for patchdiag.xref/patches
- Internal code redesign, now runs with "perl -w" and "use strict"
2004/08/20:
New release - PCA 1.3:
- Added experimental function to show unbundled patches
- Ignore comments at the end of lines in pca.ignore
- Check for circular patch dependencies
- Fix small bug in handling showrev -p output
- Internal redesign of command line option handling
The documentation on the Usage page
has been extended and clarified.
2004/08/19:
A bug in PCA will make it stop with an error message when run on
a machine which has no patches installed at all. This will be fixed
in the next release of PCA. A workaround is to install any random
patch. The bug was reported by a PCA user (Thanks, Steve!).
2004/07/30:
Solaris 9 9/04 is available for download. It has nearly all patches
available to date pre-installed. Checked Notes
section, there are no new issues with Solaris 9 9/04 compared to 4/04.
2004/07/06:
Complete re-design of PCA's homepage. Changing the official location
of PCA to
http://www.par.univie.ac.at/solaris/pca/.
2004/07/05:
Updated information in the Notes section,
now contains all our non-applicable patches for Solaris 9 4/04.
2004/07/05:
New release - PCA 1.2:
- Check prerequisites of patches and list them, too (in the correct order)
- Speedup of factor 2.5 in comparison to PCA 1.1
- Allow specification of multiple paths to wget
- Fix small bug in patchdiag.xref download code
- Fix small bug in handling of tar/tar.Z patches
2004/06/16:
New release - PCA 1.1:
- Added pca.ignore file to ignore patches
(contributed by Damian Hole)
- Added patchdiag.xref download function
- Added patch download function
(contributed by Damian Hole)
- Added patch install function
(contributed by Damian Hole)
2004/06/03:
Updated information in the Notes section,
added comment about 115924-08.
2004/05/24:
Updated information in the Notes section,
removed (obsolete) comment about 113574 and 114375.
2004/04/23:
Updated information in the Notes section,
removed (obsolete) comment about 112233-12.
2004/04/06:
Updated information in the Notes section
about Solaris 9 4/04.
2004/03/01:
Updated information in the Notes section.
2003/11/28:
Updated information in the Notes section.
2003/09/26:
Added information about patch 113040. See Notes.
2003/09/09:
First version. Introducing PCA 1.0.
|