Operating System - HP-UX


Quarterly Patch dilemma...Again!

I have this problem every three months and I usually go around with HP about it, but what the heck, here goes again. I keep seeing how wonderful the patch database is, and how I can get the quarterly patch bundle in the mail (which we do...two months late!!) or download it. But that isn't good enough. We are expected to patch with any critical patches through three weeks prior to the scheduled patching. This means that I have to scour the patch database for DAYS checking to see what critical patches have come out after the creation of the patch bundle through our deadline. After making the recommendation to be able to submit post date ranges in the patch database many MANY times, I see that the "new and improved" patch database is still missing this vital item. So I ask you, what is the most efficient way to find all critical patches that have posted after the last quarterly patch bundle through today? I also ask that if anyone reading this thread has any input on the design of the patch database, please, PLEASE include post date ranges. I can't believe that I am the only one with this dilemma.
harry d brown jr
Honored Contributor

Re: Quarterly Patch dilemma...Again!


Attack the problem by using the custom patch manager.

live free or die
harry
Live Free or Die
Daimian Woznick
Trusted Contributor

Re: Quarterly Patch dilemma...Again!

This doesn't resolve your issue on critical patches, but security patches have a tool that can be used. It is security patch check (B6834AA) and can be downloaded here:

http://www.software.hp.com/ISS_products_list.html

You may be able to modify this some way, emphasis on may because I haven't looked into it.

Re: Quarterly Patch dilemma...Again!

Sorry Harry, I should have mentioned that our government contract prohibits us from running applications on our systems that would involve sending configuration and software information to ANYONE, including HP. Couple that with the number of variations we have between all of our systems across all of our platforms and we simply don't have the coverage in our support contracts to use them anyway.
Martin Johnson
Honored Contributor

Re: Quarterly Patch dilemma...Again!

Are you on the patch notification list? Each week HP emails a list of recently released patches. It takes only a few minutes to review the list.

HTH
Marty
Anonymous
Not applicable

Re: Quarterly Patch dilemma...Again!

The SPC Daimian pointed to is a perl script that apparently does the check based on a data file fetched via ftp.

I'm just wondering if there can be a data file that contains more than "just" security patches. Probably you may ask HP to offer this service, as this seems to meet your needs (however, I'd not expect to get this for free ;-)
uri_1
Advisor

Re: Quarterly Patch dilemma...Again!

Apart from security issues, why would you want to install patches the second they come out?

I have encountered bad patches more than once... I usually install them when I need them.

Re: Quarterly Patch dilemma...Again!

Uri,
It's not that I want to apply patches the moment they come out, but we do have it documented with our customer that we will apply any appropriate critical patches that have been released earlier than three weeks prior to the date of our first systems patching. I am on the patch notification list and have some 30 or so patch notifications, but this means entering each patch into the patch database individually and downloading them one at a time. This is how we are currently doing it, as well as displaying the ENTIRE patch list and going through each patch one at a time and determining if we need it. This is enormously slow. While playing around yesterday, however, I did discover that I could create a boolean string for a list of individual post dates and Critical: Yes which works well, once you get all of the dates entered, separated by OR operators.
Steven Sim Kok Leong
Honored Contributor

Re: Quarterly Patch dilemma...Again!

Hi,

Always use match-what-target-has. This would mean that only patches applicable to your OS and software residing on your system will be patched.

Security patches are usually the most critical ones and should be prioritized over other bug fixes.

Hope this helps. Regards.

Steven Sim Kok Leong
John Payne_2
Honored Contributor

Re: Quarterly Patch dilemma...Again!

The wording is confusing me. (Maybe because you are dealing with the government...) When you say: 'We are expected to patch with any critical patches through three weeks prior to the scheduled patching.' Does that mean that you have to install them to a development/staging box before it goes to production?

If so, can you do what I do? When I get the disk, I install it in development. Then I let it sit there until the next disk comes to my desk. At that time, I install the new patch bundle in development and migrate the patch bundle that is 3 months old into production. This way, there has never been a problem with a bad patch or anything. I monitor the security patch bulletin, and we react if necessary to our environment, but generally, things stay pretty quiet here in regards to patching...

Hope it helps

John
Spoon!!!!
Ray Carlson
Frequent Advisor

Re: Quarterly Patch dilemma...Again!

This is the way that we coped with adding critical patches to HP patch bundle CDs. Each week I check the weekly notification from HP. I then pick the ones that are critical or which I think apply to my machines. I download the patches and any pre-reqs that are not in my "Total Patch Depot". I put these patches into a "Staging Depot". When I get a new patch bundle from HP, I delete my "Total Patch Depot" and create a new one as follows:
swcopy the QPK1100 from the CD to the new "Total Patch Depot".
swcopy the HWE1100 from the CD to the new "Total Patch Depot".
swcopy the "Staging Depot" to the new "Total Patch Depot".
run cleanup against the "Total Patch Depot".
This gives me one depot with most of its patches from the CD bundle and only the latest patches from my "Staging Depot". I just keep adding to my "Staging Depot" and only remove superseded patches with cleanup. Once the patch appears on the CD bundle, it is no longer copied by swcopy from the "Staging Depot". Hope this helps give you some ideas.
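The four-step depot rebuild described in the post above, scripted as an added example (this is not Ray's script, nor HP's). It runs the sequence with the HP-UX SD-UX tools swremove, swcopy and the cleanup utility; the CD mount point, the depot paths and the DRY_RUN switch are assumptions, and the bundle names QPK1100 and HWE1100 are the ones the post mentions. DRY_RUN defaults to 1, so the script only prints the commands it would run; set DRY_RUN=0 on the HP-UX box to actually rebuild the depot.

```shell
#!/usr/bin/sh
# Rebuild the "Total Patch Depot" from the quarterly bundle CD plus the local
# "Staging Depot", then strip superseded patches. Added example; every path
# below is an assumption, override it through the environment.
CD_DEPOT=${CD_DEPOT:-/cdrom}                 # assumed mount point of the bundle CD
STAGING=${STAGING:-/var/depots/staging}      # assumed "Staging Depot" path
TOTAL=${TOTAL:-/var/depots/total}            # assumed "Total Patch Depot" path
BUNDLES=${BUNDLES:-"QPK1100 HWE1100"}        # bundles named in the post
DRY_RUN=${DRY_RUN:-1}                        # 1 = print the commands, 0 = run them

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# plan_total_depot: the rebuild sequence from the post, in order.
plan_total_depot() {
  # 1. throw away the old total depot (swremove -d operates on a depot)
  run swremove -d '*' @ "$TOTAL"
  # 2. copy each quarterly bundle off the CD into the fresh depot
  for b in $BUNDLES; do
    run swcopy -s "$CD_DEPOT" "$b" @ "$TOTAL"
  done
  # 3. overlay the staging depot; patches already present from the CD
  #    are not copied again
  run swcopy -s "$STAGING" '*' @ "$TOTAL"
  # 4. remove patches that are superseded by newer ones now in the depot
  run cleanup -d "$TOTAL"
}

# count_steps: number of commands the plan would issue (sanity check,
# always evaluated in dry-run mode).
count_steps() {
  ( DRY_RUN=1; plan_total_depot ) | wc -l | tr -d ' '
}

plan_total_depot
```

Because the staging depot is overlaid after the bundles, a patch that has since made it onto the CD is simply skipped, and cleanup -d afterwards drops anything the newer bundle has superseded, which is the behaviour the post relies on. Verify the result with swlist -d @ /var/depots/total (path assumed) before pointing swinstall at it.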
Misa
Frequent Advisor

Re: Quarterly Patch dilemma...Again!

If you have CSS/BCS, maybe you can get your response center guy to do it for you (without disclosing system configs). They're usually eager to help.

But Ray's post resembles what I do. So my suggestion is:

1. Run cpm_collect.sh to see what it does. Mock up a file with a bogus system name, model, etc and no patches installed. This gets around the "transmitting your configuration" -- it's not yours or anyone's.

2. Copy that up to HP and run custom patch manager against it. Select all applicable patches according to your criteria (don't worry about dates). I'm sure it will pick a lot, but oh well.

3. Download the .sh file and run get_patches to download needed patches. Always do it on the same system and in the same directory; don't clean it out. This avoids unnecessary downloads. (Of course, there are lots of ways you could do this differently with the same effect of making it more efficient; this is just easy.)

4. Do whatever you like to do in order to patch and just pick all the downloaded patches; only the ones not yet installed will be installed. Me, I like to swcopy the PATCHES.depot into a blank depot, bundle it (make_bundles) with today's date and the system name (I use CPM for each individual system), copy to one of my "permanent" depots, and install.

Keep using the "blank" system configuration and keep letting it give you all the patches.

Alternatively, you could develop a tool to crawl their site and pick only what you need by looking at date, etc. :)

Just my $.02. Haven't done it quite this way. HTH.

--Misa