Jo Rhett
2011-Oct-10 19:22 UTC
[Puppet Users] update vulnerable packages only if installed
Am I overlooking a native way to update vulnerable packages only if they are already installed? There's no option to set a package to 'latest' only if installed. OnlyIf and Unless don't operate on package resources. (Yum/CentOS but I imagine the issue is the same for all platforms)

No, running a "yum upgrade all" is not plausible. Maintaining a list of packages which should be upgraded is plausible and expected.

The obvious thing seems to be creating a ruby fact that loads all packages into facts and then doing the logic based around that, but Luke and others have expressed concerns over doing this in the past. Is there a better way?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
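One way to build the installed-packages fact Jo describes and apply a hand-maintained list of packages to it, as an added example that is not from the thread: the watch list and the rpm output are constructed samples, and the fact registration at the end assumes the Facter 1.x `Facter::Util::Resolution.exec` API and only runs when the file is loaded under Facter.

```ruby
# Added example, not from the thread. Logic of an "installed packages" fact plus
# the decision of which watch-listed packages to set to ensure => latest.

# Hand-maintained list of packages that must be upgraded (constructed sample).
VULNERABLE_WATCHLIST = %w[openssl bind kernel httpd].freeze

# Constructed sample of `rpm -qa --qf '%{NAME}\n'` output from one host.
SAMPLE_RPM_QA = <<~RPM
  openssl
  bash
  httpd
  coreutils
RPM

# Turn raw rpm output into a clean, de-duplicated list of package names.
def installed_packages(rpm_qa_output)
  rpm_qa_output.split("\n").map(&:strip).reject(&:empty?).uniq
end

# Only watch-listed packages that are actually installed are selected; a
# package absent from the host is left alone rather than pulled in by "latest".
def packages_to_upgrade(rpm_qa_output, watchlist = VULNERABLE_WATCHLIST)
  installed = installed_packages(rpm_qa_output)
  watchlist.select { |pkg| installed.include?(pkg) }.sort
end

# Render the package resources a manifest would declare for this host.
def puppet_manifest(pkgs)
  pkgs.map { |p| "package { '#{p}': ensure => latest }" }.join("\n")
end

# Register the fact only when running inside Facter (Facter 1.x API assumed),
# so this file also runs stand-alone. Facts are strings in Facter 1.x, hence
# the comma join; the manifest splits it back with split($::installed_packages, ',').
if defined?(Facter)
  Facter.add(:installed_packages) do
    setcode do
      out = Facter::Util::Resolution.exec("rpm -qa --qf '%{NAME}\\n'") || ""
      installed_packages(out).join(",")
    end
  end
end
```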
Aaron Grewell
2011-Oct-10 20:18 UTC
Re: [Puppet Users] update vulnerable packages only if installed
AFAIK there's no native way. I would do this with a set of defines wrapped around the yum-security package (which allows you to list and operate on security updates only).
Jo Rhett
2011-Oct-10 21:36 UTC
Re: [Puppet Users] update vulnerable packages only if installed
yum-security doesn't work with CentOS.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Aaron Grewell
2011-Oct-10 22:12 UTC
Re: [Puppet Users] update vulnerable packages only if installed
How annoying. You could hack it up after installing yum-changelog with 'yum changelog 1 <package> | grep CVE' I guess. Not pretty.