[LON-CAPA-users] RPM update

Martin Siegert lon-capa-users@mail.lon-capa.org
Thu, 30 May 2002 10:07:58 -0700 

Hi Lars,

On Thu, May 30, 2002 at 12:30:24AM -0700, Lars Jensen wrote:
> When I do a CHECKRPMS, I get a message that I need to install at least
> 75 RPM's. Some of these seem to me not to matter that much,

I believe they do matter. Note that check-rpms does not list packages
that should be installed but packages that need to be upgraded.
               ---------                              --------
I.e., all the packages that were listed by check-rpms are already
installed on your system! Check-rpms lists them because there is a
newer version available. At this point you have serveral choices:
1) uninstall the old version of the packages, if you do not need it.
2) upgrade the packages (e.g., check-rpms -v -r --update ...)
3) do nothing. Note, however, that most updates released by RedHat are
   security updates. Thus, by doing nothing you leave a package installed
   on your system that has a security hole. When choosing 3) you must be
   able to decide whether you are vulnereable to that security hole or not.

My advice is: choose 1), if possible, otherwise choose 2). I recommend
to run check-rpms -v at least once a week.

> but I was
> wondering if I should do the kernel upgrade from the present 2.2.14 to
> the recommended 2.2.19 ?

You should. All kernels before that 2.2.19-6.2.16 release are vulnerable to
a (local) root exploit that is trivial to exploit (scripts are published
on mailing lists).

> Should I anticipate any problems with the
> upgrade? Do I need to restart anything after the kernel upgrade? How
> about dependencies? Will they be satisfied if I just upgrade these
> files:
> 
> (1) kernel-2.2.19-6.2.16.i686.rpm
> (2) kernel-headers-2.2.19-6.2.16.i386.rpm
> (3) kernel-pcmcia-cs-2.2.19-6.2.16.i386.rpm
> (4) kernel-smp-2.2.19-6.2.16.i686.rpm
> (5) kernel-utils-2.2.19-6.2.16.i386.rpm
> 
> I'm upgrading out Dell dual processormachine, so I assume that I don't
> need (3) and only one of (1) and (4) (in our case it would be (4)). Is
> this correct?

Correct: you do not need (1) nor (3). Thus, you should unistall (rpm -e ...)
(1) and (3) first.

With respect to dependencies:
run "check-rpms -v -r --update ..." first. check-rpms updates all packages
at once (with the exception of the kernel). By doing so all dependencies
should be resolved. The assumption is that the old packages that are
installed on your system have the same dependencies as the new packages.
This would be true, if updates of packages do not introduce dependencies
that did not exist between the old packages. This is the sane way of doing
things and almost always correct. Unfortunately RedHat has introduced
a few "insane" updates that do introduce dependencies that did not exist
before. Sigh. If there are such packages with new dependencies that cannot be
resolved within the packages that check-rpms lists for upgrading, then
check-rpms will fail (without doing any damage). In those cases you have
to do the upgrades that involve those packages by hand. It would be nice,
if check-rpms could handle those cases as well and I spent quite a bit
of time investigating this problem before I discarded it as beeing not
feasible. It basically cannot be done without downloading the whole
update directory tree to your machine.

Thus: try "check-rpms -v -r --update ..." if it does not fail - fine.
If it does, send me an email with the output of check-rpms and I'll try to
help you to figure out what's wrong. 

Now the kernel upgrade: check-rpms refuses to do kernel upgrades. This
is something you always have to do by hand. A kernel upgrade under RH6.2
includes modifying /etc/lilo.conf and a reboot. If you have not done
a kernel upgrade before: There are an few pointers in the corresponding
message from my linux-security mailing list at

http://www.sfu.ca/~siegert/linux-security/msg00078.html

Otherwise detailed explanations can be found at

http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html

I hope this helps.

Cheers,
Martin

========================================================================
Dr. Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert@sfu.ca
Canada  V5A 1S6
========================================================================