[NBLUG/talk] Automatic software updates made easy and fun

Chris Palmer chris at eff.org
Thu Dec 1 15:09:19 PST 2005


Eric Eisenhart writes:

> > (That reminds me, I should probably figure out how to make Mac OS X
> > silently apply all and only security updates...)
> 
> Applying all:
> softwareupdate -i -a

Thanks for the tip! Here is my newly-minted update script, which updates
all and only Mac OS X security updates:

===
#!/usr/bin/perl -T

use strict;
use warnings;

# Parse the output of "softwareupdate -l" and install only the security
# updates. Example output from -l:
#
#Software Update Tool
#Copyright 2002-2005 Apple
#
#Software Update found the following new or updated software:
#   * DVDPlayerUpdate-4.6
#        DVD Player (4.6), 10080K [recommended]
#   * J2SE50Release3-3.0
#        J2SE 5.0 Release 3 (3.0), 44020K [recommended]
#   * iTunesX-6.0.1
#        iTunes (6.0.1), 13130K [recommended]
#   * iPod2005-11-17- 
#        iPod Updater 2005-11-17 ( ), 37700K [recommended]
#   * SecUpd2005-009Ti-1.0
#        Security Update 2005-009 (1.0), 6000K [recommended] [restart]

## C O N F I G U R A T I O N

my $UPDATE = '/usr/sbin/softwareupdate';
my $BOURNE_SHELL = '/bin/sh';

## M A I N

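# Taint mode refuses to run external commands unless PATH is trusted and
# these shell-affecting variables are absent.
$ENV{PATH} = '/sbin:/usr/sbin:/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

for my $update (grep /^\s*\* SecUpd/, `$UPDATE -l`) {
    chomp $update;

    # Untaint the label: the whole label must consist of word characters,
    # hyphens and dots; anything else is skipped rather than truncated.
    unless ($update =~ /^\s*\*\s+([\w\-\.]+)\s*$/) {
        print "Skipping dubiously-named update '$update'.\n";
        next;
    }
    $update = $1;

    print "Attempting install of update '$update'.\n";
    print `$BOURNE_SHELL -c '$UPDATE -i $update 2>&1'`;
}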
===

> I haven't checked all the short names for Security Updates, but
> today's is "SecUpd" and I think previous ones have been, too.

My script assumes that you are correct. We'll see over time how that
pans out.

In order to stay on-topic, here is my Debian update script:

===
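#!/bin/sh

export PATH="/bin:/sbin:/usr/bin:/usr/sbin"

# /usr is kept read-only and /var noexec; relax both so that packages can
# be unpacked and their maintainer scripts can run.
mount -oremount,rw /usr
mount -oremount,exec /var

apt-get update
# Feed an empty line (Enter) to every prompt so the upgrade takes the defaults.
yes "" | apt-get upgrade

# Restore the restrictive mount options.
mount -oremount,ro /usr
mount -oremount,noexec /var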
===

Note my paranoid mount options, which may not be useful/necessary in
your case. This Debian updater will do whatever your
/etc/apt/sources.list tells it to, of course. That may not be a good
idea for you (personally I follow the stable branch only).

Now, automatically doing updates is not necessarily a wise idea at all,
depending on your context. For example, you maybe shouldn't auto-update
production servers in a business environment; you should test them on a
test machine first. In theory, Debian and Apple are careful and only
release safe things into their stable branches. Ha ha. We're also wildly
assuming that the Internet is a safe conduit for software...

Your mileage will definitely vary, and the above scripts are released
into the public domain with no warranty or guarantee of fitness for a
particular purpose.

If anyone has any improvements, please let me know. I like feedback.


-- 
https://www.eff.org/about/staff/#chris_palmer
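
The label selection described in the post, as an added example that is not part of the original message: a POSIX sh function that reads `softwareupdate -l` output and accepts a security-update label only when the entire label is made of letters, digits, `_`, `.` and `-`. The function names, `UPDATE_CMD`, and the two malformed sample entries are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the script from the post.
LC_ALL=C; export LC_ALL   # treat A-Z / a-z below as plain byte ranges

# Read "softwareupdate -l" output on stdin. Print each security-update label
# that passes validation, one per line; report rejected ones on stderr.
select_security_updates() {
    # Default IFS splitting trims the indentation and separates the "*"
    # marker, the label, and anything unexpected that follows the label.
    while read -r marker label rest; do
        [ "$marker" = '*' ] || continue            # not a label line
        case $label in SecUpd*) ;; *) continue ;; esac
        # The whole label must be [A-Za-z0-9_.-]+ and nothing may follow it.
        case $label in
            *[!A-Za-z0-9_.-]*) bad=1 ;;
            *) bad=0 ;;
        esac
        if [ "$bad" -eq 1 ] || [ -n "$rest" ]; then
            printf "Skipping dubiously-named update '%s'.\n" "$label${rest:+ $rest}" >&2
            continue
        fi
        printf '%s\n' "$label"
    done
}

# Constructed sample: part of the listing quoted in the post's comments plus
# two made-up malformed entries.
sample_listing() {
    cat <<'EOF'
Software Update found the following new or updated software:
   * iTunesX-6.0.1
        iTunes (6.0.1), 13130K [recommended]
   * SecUpd2005-009Ti-1.0
        Security Update 2005-009 (1.0), 6000K [recommended] [restart]
   * SecUpd2005-010;echo-1.0
        (constructed) label containing a shell metacharacter
   * SecUpd2005-011 extra-1.0
        (constructed) label containing a space
EOF
}

# Install each accepted label as a single argv element, with no shell
# re-parsing. UPDATE_CMD is an assumption: /usr/sbin/softwareupdate on a Mac.
install_selected() {
    select_security_updates | while read -r label; do
        "$UPDATE_CMD" -i "$label" </dev/null
    done
}

sample_listing | select_security_updates
```

On a Mac the equivalent of the post's script would be `UPDATE_CMD=/usr/sbin/softwareupdate; "$UPDATE_CMD" -l | install_selected`.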
