Binary packages and Blastwave (was re: list ipfilter)

This is a discussion on Binary packages and Blastwave (was re: list ipfilter) within the IPFilter forums, part of the System Security and Security Related category.


Stuart Remphrey, 07-09-2007

Hi Dennis et al,

Perhaps the incompatible changes to Sun internal interfaces
which required an IP Filter change could be cross-referenced
to the Sun BugIDs and/or change request IDs?
(the patch READMEs will refer to the Bug IDs and Change Requests).

These in turn can be checked at install time against PatchIDs via
"patchadd -p" and/or the Solaris build/update in the /etc/release file,
and the correct ipf/pfil build installed or linked to.

Depends on how many variations there would be to build:
if there's lots that could be way more effort than it's worth!
It might also mean there would need to be a boot script to check
whether the environment had changed post-patch/update,
and/or a symlink adjustment to the correct kernel module variant.
Yuck. Reminds me of VxVM private copies of /usr/lib/libXXX in root...

Sounds simpler to wait until the interface settles down,
then state that the Solaris 10 pre-built binary only applies
after update (i.e. patch) such-and-such!


FYI at the moment we build one binary package for Solaris 9/SPARC.
That is distributed to all our Solaris 9/SPARC servers, which covers
most of our production systems (just under 100). So far this works fine
(maybe we've got lucky, although there's been little/no? fundamental
change in the Solaris 9 IP stack interfaces).

On Solaris 10 we've used the versions as shipped/patched by Sun,
although we may migrate to 4.1.24 shortly. Fortunately we only
run a couple of combinations of Solaris 10 updates/patch levels,
so would probably only have 2 variants to build, and we expect
to resync them again in the next couple of months.

It's nice that Darren's Makefiles build packages with versioning
updated correctly - at least it makes it easy to track pkg versions
across all systems, e.g. with CST or whatever, even if pfil+ipf
may need to be separately built and installed on each.


A few comments in Sun bug reports state the Sun and "public"
versions (for want of a better term) have diverged quite a bit.
Just curious: is there a plan to re-converge them,
or at least cross-apply patches between each?

Rgds, Stuart.


>>> On 07-Jul-07 at 1:38 am, in message <38056.72.39.216.186.1183736337.squirrel@mail.blastwave.org>, "Dennis Clarke" <dclarke@blastwave.org> wrote:

>> Dennis Clarke wrote:
>>> ...
>>> Better late than never.
>>>
>>> I intended to issue an "index ipfilter" command there but messed up. I
>>> wondered if this mail list server would also provide the source tarballs
>>> but clearly not. IPFilter version 4.1.24 should be released this weekend
>>> and I thought that I could fetch it. Ah well.
>>>
>>> I'll wait for the release and then look at building it with Studio 12 on
>>> Solaris 10 as well as Studio 11 on Solaris 8 and 9. Packages to be
>>> released via Blastwave.org etc etc.
>>>
>>
>> I'm in two minds about that...
>>
>> Quite often the open source version of ipfilter has needed a recompile
>> after patching the Solaris kernel because the networking guys changed/added
>> something. In the end, I only made sure it compiled on the latest update
>> for any particular release of Solaris.
>
> Sounds like the pkgadd command will need to fire off a preinstall script
> which in turn checks for the existence of a specific kernel patch. If
> that patch is not present then return a failure.
>
> Sounds like a package maintenance nightmare because every package for x86
> and Sparc would need a re-package with every kernel patch release across
> Solaris 8 and 9 and 10.
>
> Dennis
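
The install-time check discussed in this thread (a preinstall script that fails unless a specific kernel patch shows up in the "patchadd -p" listing), as an added example that is not part of the original posts or of the IP Filter packaging. The patch IDs are placeholders, the sample listing is constructed, a POSIX shell and awk are assumed, and treating a patch as present when an installed patch lists it under Obsoletes: is a choice made for this example.

```shell
#!/bin/sh
# Added example: patch-level gate for a package preinstall script.
# REQUIRED holds placeholder patch IDs ("id-minrev"), not real Sun patches.
REQUIRED="999001-03 999002-01"

# patch_satisfied ID MINREV < patch-list
# Succeeds if ID is installed at revision >= MINREV, or if an installed
# patch lists ID at revision >= MINREV in its Obsoletes: field.
# Patches named only under Requires:/Incompatibles: do not count.
patch_satisfied() {
    awk -v id="$1" -v min="$2" '
        $1 == "Patch:" {
            field = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:$/) { field = $i; continue }   # new field label
                if (field != "Patch:" && field != "Obsoletes:") continue
                tok = $i; sub(/,$/, "", tok)              # drop list comma
                if (split(tok, p, "-") == 2 && p[1] == id && p[2] + 0 >= min + 0)
                    ok = 1
            }
        }
        END { exit !ok }'
}

# missing_patches LIST: print each REQUIRED entry that LIST does not satisfy.
missing_patches() {
    for req in $REQUIRED; do
        printf '%s\n' "$1" | patch_satisfied "${req%-*}" "${req#*-}" || echo "$req"
    done
}

# Constructed sample in the "patchadd -p" line format.
SAMPLE='Patch: 999001-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 999005-04 Obsoletes: 999002-01, 999003-02 Requires: 999001-02 Incompatibles:  Packages: SUNWcsr, SUNWcsu'

# In a real preinstall script: missing=$(missing_patches "$(patchadd -p)")
missing=$(missing_patches "$SAMPLE")
if [ -n "$missing" ]; then
    echo "kernel patch level too old for this build, missing:" $missing >&2
    # a preinstall script would exit non-zero here so that pkgadd stops
fi
```

With the sample listing, 999001-03 is reported missing because only revision 02 is installed, while 999002-01 passes because 999005-04 obsoletes it.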
