• Tracking updates for locally built / installed software

    From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Wed May 27 23:46:19 2026
    From Newsgroup: alt.os.linux.slackware

    This has been a perennial challenge for Unix and Linux system
    administrators at any level of experience and expertise. It finally
    occurred to me to ask Google how others handle this, and that lead
    me to https://release-monitoring.org/ and the anitya API. Anitya is
    an open-source project by the Fedora folk, wherein they maintain an
    online database (queried with an associated python script) of tens
    of thousands of software packages and the versions that have been
    released for each. That's as much as it seemed to me would be needed
    to solve the problem at hand. Given a simple API (which is well
    documented on their website) we can query their database and obtain
    the latest release versions for software packages that we might be
    interested in. That answered my question, at least for some subset
    of "others", but more importantly, it answered the question of how
    I would finally tackle this problem for myself.

    I've created a Perl script, which I have added to my Slackware-Tools
    github repository (https://github.com/syl-robitaille/Slackware-Tools),
    which is intended to be run from cron on a monthly/weekly/whatever-seems-appropriate-for-your-systems basis.
    It reads a configuration file of hostnames on which to track local
    software installations (you would need to have password-less ssh-key authentication to the hosts in question, but no elevated privilege
    is required since the script simply reads from /var/log/packages on
    the hosts in question), and the software package names to track on
    each of these hosts. There doesn't need to be more than one host,
    of course, and if its hostname matches that of the one the software
    is running on, no ssh access is required, since it can simply just
    read from /var/log/packages in that case.

    Note that there are assumptions being made: the hosts of interest
    are Slackware systems and the software being tracked is installed
    from a "SlackBuild" package (not necessarily from slackbuilds.org,
    of course, but a built Slackware package), with the usual Slackware
    software installation tools. The names of the packages need to match
    the names that are in the release-monitoring database, but unless
    you modify the names of software when you create the packages, that
    should already (mostly?) be the case.

    Someone sufficiently crafty with Perl scripting could adjust the
    script to suit their own environment if these assumptions don't
    match how they install locally built software. For example, they
    could list the locally installed versions of each package in the
    configuration file (which the script could then use to compare against
    the available versions as listed on the release-monitoring database),
    rather than check from /var/log/packages on each host. They would
    then need to be sure to update the configuration file with the newly
    installed software versions every time they updated a locally built
    and installed software package. ... And as already noted, this would
    require (perhaps non-trivial) adjustments to my script.

    Comments in the script itself describe its intention and inspiration
    a little bit further, and explain how to setup the (rather simple) configuration file for it.

    My intention with this post is simply to announce the existence
    of this script, on the chance that others might find it useful.
    Perhaps this could help reduce the workload of tracking third-party
    software installations for a few folks. It certainly will do so for me.
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Thu May 28 05:07:56 2026
    From Newsgroup: alt.os.linux.slackware

    On Wed, 27 May 2026 23:46:19 +0000, Sylvain Robitaille wrote:

    https://release-monitoring.org/

    I wasn't aware of that service, I knew about https://freshcode.club/
    which kind of provides similar information.

    However, they both lack information about which versions suffer from some CVEs. I realize that adding such information is a non trivial task, but
    such information would be really useful. In most cases you do not want to update just because there is a newer version, you want to update because
    your current version has a more or less serious problem or because the
    new version has a feature that you want.

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Thu May 28 13:51:28 2026
    From Newsgroup: alt.os.linux.slackware

    On 2026-05-28, Henrik Carlqvist wrote:

    However, they ... lack information about which versions suffer from
    some CVEs. I realize that adding such information is a non trivial
    task, but such information would be really useful. In most cases you
    do not want to update just because there is a newer version, you want
    to update because your current version has a more or less serious
    problem or because the new version has a feature that you want.

    I don't disagree with you in principle, but in my own case I can think
    of pieces of software whose installations I have managed (both on my
    home systems and for work) where by the time we (or at least "I")
    learned of a new version, the locally installed version was (and
    in at least some cases still is) so far out of date that upgrading
    is likely to introduce significant incompatibilities (resulting
    in needing to rewrite local configurations nearly from scratch).
    I would have preferred to have addressed such cases incrementally,
    rather than look at a major update.

    I think it's much easier to investigate a small handful of software
    titles that you know have updates, and review their changelogs to
    determine whether you want to go ahead, than it is to manually try
    to track dozens or even hundreds of software upstream sites looking
    for any that might need attention.

    The majority (*vast* majority) of third-party software that I install
    locally is user-mode ... and user-space ... The days of needing
    to install openssh locally, or a web server, etc. are long gone.
    A CVE about a buffer overflow in a bit of software that reads (... for
    example ...) the exif data out of the raw file from my digital camera
    isn't really something that I'm going to get very concerned about.
    But a new version that changes the way that software interprets some
    of its input, leading to a future version that won't be able to read
    my existing configuration files (ok, so perhaps an exif data reader
    was a very poor example) is probably something that I do want to know
    about and keep up to date.

    In the case of just my home systems (A gateway, a mail/dns/web
    server, a couple of workstations, a couple of laptops) there are 145
    unique locally built and installed software packages. I shudder at
    the thought of trying to tally up the total number we had at work.
    I'm not counting those that were locally written. These are only the "thrid-party" packages (read "not shipped with Slackware"), but they
    do include things like Perl modules, libraries, and other packages
    that were installed as prerequisites for some application software.
    Even if I tried to track only the "main" software applications out
    of that, it would simply be unsustainable.

    I've now given myself a chance to narrow that list down to 58 packages
    that I need to look further into. Some of these I'm likely to find that
    I no longer need to maintain a locally built installation (because, for
    example Slackware has added them, or because I no longer need them).
    Others I'll certainly go ahead and update simply to stay up to date.
    There may be a small handful (probably libraries) that I'll want to
    be very selective about whether to update, for concerns over breaking
    what is currently working.

    So, ok. I'm curious enough to ask you my original question: what
    do you do to track version updates of locally built and installed
    software on your systems (either at work or at home; ideally, though
    not necessarily, staying within the context of Slackware Linux)?
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Thu May 28 17:40:56 2026
    From Newsgroup: alt.os.linux.slackware

    On Thu, 28 May 2026 13:51:28 +0000, Sylvain Robitaille wrote:
    the locally installed version was (and in at least some cases still is)
    so far out of date that upgrading is likely to introduce significant incompatibilities (resulting in needing to rewrite local configurations nearly from scratch). I would have preferred to have addressed such
    cases incrementally, rather than look at a major update.

    I totally recognize that. In my case, I bite that bullet whenever I
    upgrade to a new version of Slackware. New versions of Slackware usually
    means that not only third party software no longer are backwards
    compatible with their configuration files, even some stock Slackware
    packages might require changes to configurations. However, as long as you
    stay on a stable version of Slackware, official Slackware package updates usually do not break things.

    Whenever I jump on to a new version of Slackware I spend about 100 hours
    to configure it as I want and add third party software. For that reason, during the years, I have not jumped on to every new version of Slackware. However, about once every third year it might be a good idea to update
    and lately there have been many years between the stable versions.

    I think it's much easier to investigate a small handful of software
    titles that you know have updates, and review their changelogs to
    determine whether you want to go ahead, than it is to manually try to
    track dozens or even hundreds of software upstream sites looking for any
    that might need attention.

    Maybe you also prefer to run Slackware current rather than a stable
    version of Slackware? It makes sense for a bleeding edge distribution
    like Fedora to maintain such a database keeping track of the latest
    version of every software. Their main goal is not to provide the most
    stable versions which works best together but to allways provide the
    latest versions. If something breaks, there will soon be a new version
    that fixes it.

    The majority (*vast* majority) of third-party software that I install
    locally is user-mode ... and user-space ... The days of needing to
    install openssh locally, or a web server, etc. are long gone.

    Yes, the big exception is probably the drivers from nVidia. But most
    third party software that I install are also user mode programs and
    libraries for their dependencies.

    A CVE about a buffer overflow in a bit of software that reads (... for example ...) the exif data out of the raw file from my digital camera
    isn't really something that I'm going to get very concerned about.

    No maybe not, but I really like the convenience of the stock Slackware packages getting official security updates. The third party multilib and compat32 packages do also get updates on some kind of "best effort
    basis", but it is not allways as quick with security updates as official
    stock Slackware packages. Packages from slackbuilds.org differ very much
    in freshness depending on their maintainers.

    there are 145 unique locally built and installed software packages.
    I shudder at the thought of trying to tally up the total number we had
    at work.

    Yes, at work there are more software packages and to those software
    packages I also add my custom configuration packages. Those configuration packages contain anything from custom startup scripts to udev rules and setting for Xorg.

    So, ok. I'm curious enough to ask you my original question: what do you
    do to track version updates of locally built and installed software on
    your systems (either at work or at home; ideally, though not
    necessarily, staying within the context of Slackware Linux)?

    The tool that I use both to check if my third party packages are up-to-
    date and to install third party packages is slpkg. However, I take most
    of my third party packages from slackbuilds.org. Also, I usually do not upgrade my third party packages just because there is a new version.

    When providing a new version of Slackware to users I add some third party packages and I try not to perform any upgrades that would break things. I might even be hesitant to install a new version of gcc or clang if
    Slackware provides an update. Instead, if someone wants some new version
    of a tool or a library like cuda I keep the old version installed on the system disk and add the new version to an NFS disk where users get access
    to newer versions with a tool which much resembles Environment Modules: https://modules.readthedocs.io/en/latest/ Such a solution allows
    different users to use different versions of the same software for
    different purposes.

    The nice thing with your tool is that it will show the latest version
    from upstream while slpkg only shows the latest version supported by the SlackBuild script maintainer.

    However, slpkg is only used to check for updates and initial build of Slackware packages. All my Slackware systems mount an NFS share
    containing the slackware64 directory for their Slackware version. That slackware64 directory contains the standard directories like a, ap and so
    on, most important the patches directory. It also contains a directory
    "cus" with my custom packages and "opt" which contains packages I only
    install on some machines (like nVidia drivers which only machines with
    nVidia cards get). And most of all it contains a directory called
    "updates" which contains symbolic links to updated packages in the
    patches directory or in my "cus" directory. In that directory, there is
    also a copy of /etc/slackware-version and a Makefile which makes sure
    that all linked packages have or get their corresponding entry below /var/ log/packages after checking that it is run on the right version of
    Slackware (I once made the mistake to manually run make in the wrong directory). This Makefile is called from a cron job in /etc/cron.hourly.

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Thu May 28 23:55:29 2026
    From Newsgroup: alt.os.linux.slackware

    On 2026-05-28, Henrik Carlqvist wrote:

    ... In my case, I bite that bullet whenever I upgrade to a new
    version of Slackware.

    Right; Upgrading to a new OS version is already going to be disruptive
    anyway, so perhaps longer disruption, but less frequent "suffering".

    ... as long as you stay on a stable version of Slackware, official
    Slackware package updates usually do not break things.

    In general, I do stay with the stable releases, but I recently
    (well, it was last December, so perhaps "recently" only in terms of
    Slackware release intervals? ;-) moved my personal workstation (and more recently one other system) to Slackware-current because I was finding
    it progressively harder to just shrug off the aging of the installed
    software (and unable to update some packages of which I really wanted
    newer versions). Mind you, the workstation was still at Slackware-14.2,
    so even compared to my other systems it was out of date. I'd left it
    at 14.2 for so long simply because I dread updating the day-to-day
    workstation (see my comment above about the OS update being rather
    disruptive), and ultimately switched it to current rather than 15.0 in
    order to simply not have to worry about that disruption again, while
    still having the benefit of a more up-to-date environment. I really
    haven't been sorry about that update, though some of my systems (the "infrastructure" systems mentioned in an earlier post) are certainly
    best left on the latest stable release with regular patching.

    ... and I don't update "current" daily either. I apply updates as
    part of my routine patching cycle, when I apply security patches to
    the other systems. I treat "current" no differently than any stable
    Slackware release, from that perspective.

    Whenever I jump on to a new version of Slackware I spend about 100
    hours to configure it as I want and add third party software. For
    that reason, during the years, I have not jumped on to every new
    version of Slackware.

    I hear you, and have followed a similar philosophy, at least until the
    end of last year, when I decided it was time to bring the workstation
    into the 21st century. I may ultimately do the same with one (or
    both?) of my laptops (though they're at Slackware-15.0, so not nearly
    as annoyingly out of date as the workstation was).

    However, about once every third year it might be a good idea to update
    and lately there have been many years between the stable versions.

    Yes, but again ... updating the workstation needs some psychological preparation. I had the same trouble with my workstation at work.
    I always felt that I was just too busy to take a day (or two) to put
    a newer version of Slackware on it. Every once in a while, though
    (usually a few years after the "next" Slackware version had been
    released; chances are only after security updates would cease for
    the Slackware version running on the workstation) I'd give in ...

    Maybe you also prefer to run Slackware current rather than a stable
    version of Slackware?

    On my workstation, *now*, yes, but that's still mostly new to me.
    I've even installed the build toolchain from "testing", but this is a
    major deviation from my usual approach. This was my very first look
    at Slackware-current. Contrary to what one might expect, though, it
    *is* quite stable, despite it being "-current". I expect that when Slackware-15.1 (or 16.0, or whatever it'll be called) is released,
    I'll probably want to stay with that, rather than move immediately
    to the *next* "-current", at least for a year or two, to let the
    stability settle back in.

    It makes sense for a bleeding edge distribution like Fedora to
    maintain such a database keeping track of the latest version of
    every software.

    Right. Understand, though, that I'm not aiming for Slackware (or
    even just my own Slackware systems) to be in any way like Fedora or
    any other bleeding-edge system. I was looking to solve a particular
    problem with trying to keep track of when new versions are released
    of software that I have built and installed locally (because for the
    most part there aren't any official Slackware packages for these),
    many of which are more than a few years out of date.

    There's nothing "bleeding-edge" about wanting to keep up with
    current versions of cfengine or freeradius, for example, but in
    both cases, the versions that I have used for years are so far
    behind the current versions that I need to start over from scratch.
    The cfengine developers accepted a patch that I submitted to make it
    not identify Slackware as "Unknown", but by the time I'd submitted
    that, they had already released their latest version (so although
    I'm no longer ... wow ... well over a decade behind with that one,
    I'm still behind yet again ... and actually, I did update freeradius
    last year, so it's not as far behind as I'm suggesting.)

    I'm not suggesting that I (or anyone using my script) should immediately
    jump to update locally installed software as soon as a new version is available, either. The script is intended only to help track what of
    the installed software it's configured to track has a newer version
    available than what is installed on a local system. The idea is to
    decrease the work involved in *knowing* about the availability of
    an update. The decision to apply the update or not still rests with
    the human.

    ... I really like the convenience of the stock Slackware packages
    getting official security updates.

    So do I, of course. Keep in mind that all that we're discussing here
    (and what I presented as the reasoning behind my script) are locally
    built and installed software packages. There aren't going to be any
    official security updates for those from Slackware. You need to look
    for them yourself. (... and I haven't been very good at doing that
    consistently ... thus the desire to automate the search)

    The third party multilib and compat32 packages do also get updates
    on some kind of "best effort basis", ...

    ... but again these aren't locally built packages.

    ... Packages from slackbuilds.org differ very much in freshness
    depending on their maintainers.

    Indeed, and these *are* locally built. Many of them might even be
    far out of date (at least of those that I've checked on; I mostly use SlackBuild.org more as a reference, rather than a source for build
    scripts; "how did this package get handled by that maintainer").

    Yes, at work there are more software packages and to those software
    packages I also add my custom configuration packages. ...

    Right. Do you ever find yourself wishing you'd had a chance to
    know sooner that a newer version of a certain piece of software
    was available? Your work environment (if my memory serves) is not
    very different from what mine was, and in my case, if a user needed
    a particular (usually newer than we already had installed) version
    of some software, we'd find out about its existence through them.
    It would have been nice in at least a few instances to just have it
    already available.

    The tool that I use both to check if my third party packages are up-to-
    date and to install third party packages is slpkg.

    I'm not familiar with that. Mostly, though, (perhaps with a small
    number of exceptions), I don't install pre-built third-party packages.
    I build locally into a Slackware-compatible package, and install that.

    However, I take most of my third party packages from
    slackbuilds.org. Also, I usually do not upgrade my third party
    packages just because there is a new version.

    I mostly don't either, and the script I wrote yesterday isn't intended
    for that. It *is* however, intended to help me keep up with *knowing*
    that a new version is available so that I can decide to update it
    if it seems appropriate to do so. I certainly will update more
    frequently than I have in the past, now that I know new versions
    are available, but it isn't going to be a case of "drop everything,
    there's a new version of $software available." The idea here isn't "bleeding-edge"; it's "let's give ourselves a chance to keep locally
    built and installed packages from becoming quaintly archaic."

    ... if someone wants some new version of a tool or a library like
    cuda I keep the old version installed on the system disk and add
    the new version to an NFS disk where users get access to newer
    versions with a tool which much resembles Environment Modules: https://modules.readthedocs.io/en/latest/ Such a solution allows
    different users to use different versions of the same software for
    different purposes.

    We used Environment Modules at work. They probably still do.
    That works very well in that environment.

    The nice thing with your tool is that it will show the latest
    version from upstream while slpkg only shows the latest version
    supported by the SlackBuild script maintainer.

    Right, and in my case since not all the software I've installed
    locally even has a slackbuild.org maintainer (and in many cases
    where there is one, I already have a newer version installed than
    they have on the site), just depending on that wasn't going to be
    suitable for me. However, your comment suggests to me that the
    SlackBuild script maintainers themselves *could* use my script just
    to monitor the packages for which they maintain SlackBuild scripts.
    It would reduce the amount of work involved in just knowing that new
    versions are available.

    However, slpkg is only used to check for updates and initial build
    of Slackware packages. All my Slackware systems mount an NFS share
    containing the slackware64 directory for their Slackware version.

    Yes, I keep a local mirror as well. It's much easier to maintain
    even a small number of systems that way.

    ... It also contains a directory "cus" with my custom packages and
    "opt" which contains packages I only install on some machines ...

    ... *that* I haven't done on my local mirror, but I have pondered
    something very similar.

    ... And most of all it contains a directory called "updates" which
    contains symbolic links to updated packages in the patches directory
    or in my "cus" directory.

    ohhh... that's too much manual maintenance, at least in how I'm
    imagining your updates directory is populated. Consider this code
    snippet, which might help you not need that (or, I suppose, might
    already be how you populate that directory?)

    for package in $( ls $SRCPATH/$series/*.t?z | sort -V |\
    awk -F/ '{ match ( $NF, /-[0-9]/ )
    if ( RSTART > 0 ) {
    pkg = substr ( $NF, 1, RSTART-1 )
    a[pkg] = $NF
    }
    } END {
    for ( i in a ) print a[i] | "sort"
    }'
    ); do
    ... do something with $package ...
    done

    In that directory, there is also a copy of /etc/slackware-version
    and a Makefile which makes sure that all linked packages have or get
    their corresponding entry below /var/ log/packages after checking
    that it is run on the right version of Slackware (I once made the
    mistake to manually run make in the wrong directory). This Makefile
    is called from a cron job in /etc/cron.hourly.

    sounds similar to one of my own worst blunders: pointing upgradepkg to a
    a set of updates for the wrong architecture (and I probably also pointed
    to the right architecture but wrong OS version at least once ...)
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Sat May 30 00:39:28 2026
    From Newsgroup: alt.os.linux.slackware

    On Thu, 28 May 2026 23:55:29 +0000, Sylvain Robitaille wrote:
    There aren't going to be any official security updates for those from Slackware. You need to look for them yourself.

    Yes, exactly! And I wish there were some mechanism like the official
    stable Slackware ChangeLog.txt that says there is now a security update
    for package X, but you can feel safe because upgrading is not going to
    break anything for you. However, such a mechanism would basically require slackbuilds.org to keep track of which old versions of packages had some
    CVE fixed by a later version of that package. It would also put a burden
    on SlackBuild script maintainers to on the best case update their scripts
    for new versions when they get an automatic notification that their
    current version has some CVE or in the worst case expect the SlackBuild
    script maintainers to keep track of any CVEs of their packages.

    Many of them might even be far out of date (at least of those that I've checked on; I mostly use SlackBuild.org more as a reference, rather
    than a source for build scripts; "how did this package get handled by
    that maintainer").

    Yes, especially when you use automatic tools like slpkg or sbotools to
    build your packages from slacksuilds.org it is convenient to simply stick
    to the version provided by the SlackBuild maintainer.

    in my case, if a user needed a particular (usually newer than we
    already had installed) version of some software, we'd find out about
    its existence through them. It would have been nice in at least a few instances to just have it already available.

    For simple tools, yes, in most cases you can simply change the version
    number in the SlackBuild script and it will work for the newer version. However, manually rebuilding from SlackBuild scripts might become more
    tricky when it comes to packages with deep nested dependencies. If you
    want to update a package deep down in the dependency chain you will
    probably need to rebuild all packages with dependencies to that package.

    On 2026-05-28, Henrik Carlqvist wrote:
    The tool that I use both to check if my third party packages are up-to-
    date and to install third party packages is slpkg.

    I'm not familiar with that. Mostly, though, (perhaps with a small
    number of exceptions), I don't install pre-built third-party packages. I build locally into a Slackware-compatible package, and install that.

    Slpkg does build from sources from slackbuilds.org, the big advantage of
    slpkg is that it automagically handles all those nested dependencies
    described by the .info files at slackbuilds.org. So when you ask slpkg to build and install a tool like FreeCAD it will start by building and
    installing graphviz and its other 9 dependencies, but before doing that
    it will build and install SoQt because Pivy depends upon that and VTK
    because OpenCASCADE depends upon that and so on...

    It *is* however, intended to help me keep up with *knowing* that a new version is available so that I can decide to update it if it
    seems appropriate to do so.

    Nice with easy access to knowledge helping you to make informed decisions.

    However, your comment suggests to me that the SlackBuild script
    maintainers themselves *could* use my script just to monitor the
    packages for which they maintain SlackBuild scripts.
    It would reduce the amount of work involved in just knowing that new
    versions are available.

    Yes, maybe the script maintainers, maybe some central service. Some year
    ago there was someone in South America who started providing prebuilt
    packages using build scripts from slackbuilds.org. As a side effect of
    that service he could also provide statistics about which SlackBuild
    scripts were broken. Unfortunately I am now unable to google myself back
    to that statistics page.

    ... It also contains a directory "cus" with my custom packages and
    "opt" which contains packages I only install on some machines ...

    ... *that* I haven't done on my local mirror, but I have pondered
    something very similar.

    I also make my own custom installation media which installs all the
    packages in "cus" after the official Slackware packages has been
    installed. Those custom packages are not only extra software, but also
    some configuration files intended to overwrite the stock Slackware configuration files.

    ... And most of all it contains a directory called "updates" which
    contains symbolic links to updated packages in the patches directory or
    in my "cus" directory.

    ohhh... that's too much manual maintenance, at least in how I'm
    imagining your updates directory is populated.

    I also have two other scripts. One script uses lftp to mirror the patches
    and extra directories from a Slackware mirror. The other script verifies
    the gpg signatures of downloaded patches, copies them to the /patches directory and lists which of them are new. My only manual work is to
    create the symbolic links from the updates directory to the patches
    directory and remove any obsolete links in the updates directory. I want
    to do this manually as I do not install all patches. For example, I do
    not install any updates of CUPS because I have replaced CUPS with LPRng.
    As I wrote before, I also avoid upgrading compilers.

    I apologize for turning your thread about your nice tool to a discussion
    about Slackware administration.

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Sat May 30 13:01:15 2026
    From Newsgroup: alt.os.linux.slackware

    On 2026-05-30, Henrik Carlqvist wrote:

    ... I wish there were some mechanism like the official stable
    Slackware ChangeLog.txt that says there is now a security update
    for package X, but you can feel safe because upgrading is not going
    to break anything for you. ...

    Well, I wonder whether tracking something like that isn't (or perhaps "shouldn't be") what makes a package maintainer a "package maintainer".

    Just because someone creates one SlackBuild script according
    to the conventions asked for on slackbuilds.org doesn't actually
    mean that they're maintaining anything associated with that script.
    My scepticism there isn't new. "maintaining" something does involve
    some time commitment.

    For simple tools, yes, in most cases you can simply change the
    version number in the SlackBuild script and it will work for the
    newer version.

    Yes. You might be surprised at how transferrable that can be even
    to more complex applications and their dependencies. One thing that
    I've been very negligent of, though, through the years, is keeping
    track of *why* a particular package was installed ("dependency for ...")

    ... the big advantage of slpkg is that it automagically handles
    all those nested dependencies described by the .info files at slackbuilds.org.

    Ok, that actually gives it a useful purpose, then.

    It *is* however, intended to help me keep up with *knowing* that
    a new version is available so that I can decide to update it if
    it seems appropriate to do so.

    Nice with easy access to knowledge helping you to make informed
    decisions.

    Exactly. I can narrow the search down to *only* those packages for
    which I already know that new versions exist.

    I also make my own custom installation media which installs all
    the packages in "cus" after the official Slackware packages has
    been installed. Those custom packages are not only extra software,
    but also some configuration files intended to overwrite the stock
    Slackware configuration files.

    I've long considered something like that for my own installations, but
    have settled instead on using cfengine for that purpose. I'm still in the process of turning my local configurations into a cfengine policy.

    I apologize for turning your thread about your nice tool to a
    discussion about Slackware administration.

    No apology necessary. This sort of discussion is exactly what has made
    this newsgroup worthwhile, and it's nice to see that it can still happen.
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Sun May 31 10:43:43 2026
    From Newsgroup: alt.os.linux.slackware

    On Sat, 30 May 2026 13:01:15 +0000, Sylvain Robitaille wrote:
    I've long considered something like that for my own installations, but
    have settled instead on using cfengine for that purpose. I'm still in
    the process of turning my local configurations into a cfengine policy.

    Both the solution with configuration packages and the solution with
    cfengine give the advantages:

    * Knowing what custom settings you have done

    * Easy to update settings on all machines

    * Being able to keep different settings for different versions of
    Slackware.

    The advantage of cfengine is that it is not limited to Slackware. If I
    were managing some mixed environment with also other Linux distributions
    or even *BSD or old Unix systems cfengine would probably be a better
    choice also for me.

    The advantage of my system with Slackware packages containing all the configurations is that I next to the a, ap... patches, "cus", "opt" and "updates" have yet another directory called "unnet". When I create isos
    for installation media I create two iso files: One for network
    installations which boots from a small cdrom and mounts the packages directories by NFS and another one for standalone installations which
    fits on a bootable bluray disk. Fortunately, there are USB connected
    bluray readers which you can boot from...

    Just like the "cus" directory contain a lot of configuration packages
    that overwrite default settings in Slackware (it also contains packages
    to avoid any questions at the end of the installation), the "unnet"
    directory contain configuration packages that undo all the settings
    related to the network it was intended for. No assumptions about DNS
    servers, cataloge services, networked printers, networked home
    directories and so on.

    No apology necessary. This sort of discussion is exactly what has made
    this newsgroup worthwhile, and it's nice to see that it can still
    happen.

    Thanks!

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Mon Jun 1 02:07:21 2026
    From Newsgroup: alt.os.linux.slackware

    On 2026-05-31, Henrik Carlqvist wrote:

    The advantage of cfengine is that it is not limited to Slackware. If
    I were managing some mixed environment with also other Linux
    distributions or even *BSD or old Unix systems cfengine would
    probably be a better choice also for me.

    It's more than that, though. What I'm about to describe admittedly
    (mostly) doesn't apply to Slackware, thanks to configuration files
    typically being shipped as ${filename}.new, but I'm sure you'll relate
    to the notion: When you apply OS distribution supplied software
    updates, and they also update their configuration files, you don't
    need to remember to reapply any local changes, as cfengine will
    just silently redo those. If you're methodical about creating the
    cfengine policy, applying your customizations won't also remove any
    (sometimes important) updates to the stock configuration (think of
    how sshd configuration has changed over the years).

    (I'm not there yet with my own cfengine policy, but the idea is
    that when updates are applied with upgradepkg, I'll be able to just
    copy ${filename}.new onto ${filename}, and cfengine will take care
    of reapplying local customizations, reloading or restarting the
    service, etc. I'll no longer need to worry about whether there are
    any new defaults or comments that I need to apply to my customized configuration files)

    If you adjust file permissions on (for example) setuid-root files
    (and perhaps others), you don't have to worry about re-applying those
    changes after OS-distribution-supplied updates. If it's in your
    cfengine policy, cfengine will simply reapply the policy on schedule.

    Those are just a couple of examples, of course, and yes; one major
    advantage of cfengine is that it can work seamlessly with multiple
    OSes and versions of OS distributions.

    The advantage of my system with Slackware packages containing all
    the configurations is that I next to the a, ap... patches, "cus",
    "opt" and "updates" have yet another directory called "unnet".

    Cfengine could do that for you as well. The systems don't need to have
    network access to use it for configuration management. You would,
    of course, need to manually maintain policy for the non-networked
    systems, somehow, but they don't need to be networked.

    I realize that I may be sounding like I'm trying to convince you to
    switch to cfengine; I'm not; Switching to it is a major undertaking
    that you would want to do on your own terms, not just because someone
    in a newsgroup is praising it. I'm only trying to point out how it
    can be adapted to many different environments, and that includes a
    homogeneous Slackware Linux environment.

    In fact, I would say that although it only recently gained the
    ability to recognize Slackware Linux as more than "Unknown", much
    of the mindset that goes into using cfengine is very compatible with
    the mindset that (at least in my opinion) goes into using Slackware
    Linux as a preferred Linux distribution: that is that the individual
    system administrator has the final say. The software, like the OS distribution, is not trying to impose any decisions on you. It's only providing the tools with which you can apply decisions that you've made.
    What it's really offering you is some assurance that these decisions
    will remain true throughout the cycles that a system goes through.
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Mon Jun 1 05:12:12 2026
    From Newsgroup: alt.os.linux.slackware

    On Mon, 01 Jun 2026 02:07:21 +0000, Sylvain Robitaille wrote:
    I'm sure you'll relate to the notion: When you apply OS distribution
    supplied software updates, and they also update their configuration
    files, you don't need to remember to reapply any local changes

    Yes, I do recognize that. For example custom system wide settings for
    Mozilla Firefox are in packages named mzfirefoz* to get installed after
    any package named mozilla-firefox*. When there is an update of mozilla- firefox, i will touch the mz* packages in the "cus" directory and my
    "updates" directory will get new symbolic links to the new mozilla-
    firefox packages and keep its links to the configuration packages.

    I realize that I may be sounding like I'm trying to convince you to
    switch to cfengine; I'm not;

    Maybe I one day will install and configure cfengine. Thanks for all the information!

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Sun Jun 21 12:36:42 2026
    From Newsgroup: alt.os.linux.slackware

    On Sat, 30 May 2026 00:39:28 +0000, Henrik Carlqvist wrote:
    Yes, exactly! And I wish there were some mechanism like the official
    stable Slackware ChangeLog.txt that says there is now a security update
    for package X,

    I just found a rather nice web-page /database at https://repology.org
    which shows packages latest versions, legacy versions and outdated
    versions. It also shows which versions do have known CVEs.

    but you can feel safe because upgrading is not going to
    break anything for you.

    Unfortunately, that information is missing and I do understand the
    challenges in adding such information. Also, the CVE information is not allways 100% correct, for example it claims that the latest ffmpeg
    version has some CVEs which were fixed with a specific commit which
    probably made it hard to detect from which version it was fixed.

    However, it was a really nice database and web pages which also lists statistics about Stable Slackware 15.0, Slackware current and SlackBuilds.

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Sylvain Robitaille@syl@therockgarden.ca to alt.os.linux.slackware on Sun Jun 21 14:36:21 2026
    From Newsgroup: alt.os.linux.slackware

    On 2026-06-21, Henrik Carlqvist wrote:

    I just found a rather nice web-page /database at https://repology.org
    which shows packages latest versions, legacy versions and outdated
    versions. It also shows which versions do have known CVEs.

    Hrmmm... They appear to be tracking ... for lack of better terminology
    ... pre-packaged packages. Although they do include SlackBuilds,
    they're assuming that the reader is not deviating from the versions
    profiled on SlackBuilds entries. ... and unless it's there and I'm
    just not seeing it, they're not providing a means by which their data
    can easily be queried programmatically for latest stable versions.

    Have another look at my script. It's not intended to track OS-distribution-supplied packages. The OS distribution is already
    presumably tracking those. It's checking for software that you've
    built locally into a Slackware-style package, and installed with the
    Slackware installation tools, and finding whether there are newer
    versions than what you have installed on the target system(s).

    The fact that my script doesn't look for CVE data, for example, might be considered an omission, I'll grant, but what it's intended to check for
    is software actually installed on the system(s) and whether the sysadmin
    might need to consider updating to newer versions of that software.

    ... and it's intended to gather that information while the sysadmin
    in question is sleeping, eating, or otherwise occupied, presenting
    them with a short list of currently installed software for which newer
    versions are available, rather than making them seek that information
    manually for each of a list of installed packages.

    However, it was a really nice database and web pages which also lists statistics about Stable Slackware 15.0, Slackware current and
    SlackBuilds.

    Perhaps, but speaking for stable Slackware and Slackware-current,
    necessary updates are made available rather promptly and announed on
    a mailing list and in a changelog that's easy to find. I don't need
    to track these myself, I just need to compare today's changelog with yesterday's to know what is newly available.

    As for SlackBuilds, since there isn't regular tracking done for updated versions of each bit of software profiled on their site, that's the
    sort of thing that my script can be helpful for, without the sysadmin
    needing to periodically go out and check for each installed package.
    Configure the list of locally built packages, set it to run from cron
    at a suitable interval, and carry on with other tasks.
    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@therockgarden.ca ----------------------------------------------------------------------
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Mon Jun 22 05:50:34 2026
    From Newsgroup: alt.os.linux.slackware

    On Sun, 21 Jun 2026 14:36:21 +0000, Sylvain Robitaille wrote:
    Hrmmm... They appear to be tracking ... for lack of better terminology
    ... pre-packaged packages.

    Yes, as only software packaged for a limited set of distributions are
    tracked they do not track odd software not included in any distribution.
    For example they do not track my https://github.com/henca/obis2snmp which
    is not included in any distribution or third party provider that they
    track.

    Although they do include SlackBuilds, they're assuming that the reader
    is not deviating from the versions profiled on SlackBuilds entries.

    But they do seem keep track of latest versions. For example, a search for freecad shows that SlackBuilds at the time of this writing provides
    outdated version 1.0.2 while the latest version is 1.1.1. However,
    somehow they claim that 1.0.2 is outdated while 1.0.0 is a legacy version.

    ... and unless it's there and I'm just
    not seeing it, they're not providing a means by which their data can
    easily be queried programmatically for latest stable versions.

    No, as you say, it seems rather package oriented. To be able to get the
    latest version it would assume that at least some package provider does provide the latest version.

    Perhaps, but speaking for stable Slackware and Slackware-current,
    necessary updates are made available rather promptly and announed on a mailing list and in a changelog that's easy to find. I don't need to
    track these myself, I just need to compare today's changelog with
    yesterday's to know what is newly available.

    As for SlackBuilds, since there isn't regular tracking done for updated versions of each bit of software profiled on their site, that's the sort
    of thing that my script can be helpful for, without the sysadmin needing
    to periodically go out and check for each installed package. Configure
    the list of locally built packages, set it to run from cron at a
    suitable interval, and carry on with other tasks.

    Yes, your script is great for keeping up with the latest and usually that
    is a good way to avoid CVEs. However, for a production environment,
    keeping up with the latest is not allways a good thing, thats why stable releases and LTS versions are usually prefered for production
    environments instead of rolling releases and short lived version branches.

    regards Henrik
    --- Synchronet 3.22a-Linux NewsLink 1.2