[gt-user] Determining which advisories to install

Discussion:

Adam Mercer

2015-06-12 14:01:15 UTC

Hi

For various reasons I have installed the Globus Toolkit from source,
in looking at the list of advisories:

<http://toolkit.globus.org/toolkit/advisories.html>

it seems that there are several important issues that these fix. How
can I determine which I need to install? Is there a command that
displays which sub-packages I have installed, and the corresponding
version?

The only thing I've found so far is the ${GLOBUS_LOCATION}/share/doc
directory as this seems to list sub-packages, but I can't find version
information. Is there a better way?

Cheers

Adam

Adam Mercer

2015-06-12 15:49:13 UTC

Permalink

On Fri, Jun 12, 2015 at 10:46 AM, Daniel Powers <***@uchicago.edu> wrote:

> Probably the simplest way to check to see which fixes you need to install would be to look at the release date for the source tarball you used for your build. You could then apply all the fixes that came out after that date to your source directory, then rebuild and reinstall whatever components you've been using.

I thought about that but didn't want to get into the position where I
was installing updates that I didn't have installed or missing updates
that I thought I wasn't using but in fact was.

Cheers

Adam

Daniel Powers

2015-06-12 16:09:58 UTC

Permalink

Hi Adam,

That's the thing, when you build and install from source you really are stuck with having to track all of that manually. The only way you can be sure you've got all the needed fixes is to look at your source release date, and then apply all the patches that come out afterward. Once you've patched your source directory, you can then build your binaries/libs/etc again and reinstall. That's the only way I know to be sure your source built components have all the fixes. At least, that's the best I can come up with.

-Dan

________________________________________
From: Adam Mercer [***@uwm.edu]
Sent: Friday, June 12, 2015 10:49 AM
To: Daniel Powers
Cc: gt-***@lists.globus.org
Subject: Re: [gt-user] Determining which advisories to install

On Fri, Jun 12, 2015 at 10:46 AM, Daniel Powers <***@uchicago.edu> wrote:

> Probably the simplest way to check to see which fixes you need to install would be to look at the release date for the source tarball you used for your build. You could then apply all the fixes that came out after that date to your source directory, then rebuild and reinstall whatever components you've been using.

I thought about that but didn't want to get into the position where I
was installing updates that I didn't have installed or missing updates
that I thought I wasn't using but in fact was.

Cheers

Adam

Adam Mercer

2015-06-12 16:11:35 UTC

Permalink

On Fri, Jun 12, 2015 at 11:09 AM, Daniel Powers <***@uchicago.edu> wrote:

> That's the thing, when you build and install from source you really are stuck with having to track all of that manually. The only way you can be sure you've got all the needed fixes is to look at your source release date, and then apply all the patches that come out afterward. Once you've patched your source directory, you can then build your binaries/libs/etc again and reinstall. That's the only way I know to be sure your source built components have all the fixes. At least, that's the best I can come up with.

OK, thanks.

Cheers

Adam

Joseph Bester

2015-06-12 18:27:30 UTC

Permalink

> On Jun 12, 2015, at 12:11 PM, Adam Mercer <***@uwm.edu> wrote:
>
> On Fri, Jun 12, 2015 at 11:09 AM, Daniel Powers <***@uchicago.edu> wrote:
>
>> That's the thing, when you build and install from source you really are stuck with having to track all of that manually. The only way you can be sure you've got all the needed fixes is to look at your source release date, and then apply all the patches that come out afterward. Once you've patched your source directory, you can then build your binaries/libs/etc again and reinstall. That's the only way I know to be sure your source built components have all the fixes. At least, that's the best I can come up with.
>
> OK, thanks.
>
> Cheers
>
> Adam

If you install from source and have PKG_CONFIG_PATH set to point to GLOBUS_LOCATION/lib/pkgconfig, you should be able to get the version for most things (I'm not sure if the executable-only packages install pkgconfig metadata):

% pkg-config globus-common --modversion
15.30

We've lately been generating new snapshot installers that include all of the updated package sources whenever we publish advisories for GT6, so if you get the newest installer
(currently globus_toolkit-6.0.1433516164.tar.gz) it will contain all of the updates.

Unfortunately, we we don't have a convenient way to see exactly which packages were updated in each snapshot---you'd need to compare version numbers (from subpackage configure.ac files). I'll see if there's a easy way to generate a change manifest in the installer creation process.

Joe

Adam Mercer

2015-06-12 19:37:19 UTC

Permalink

On Jun 12, 2015 13:27, "Joseph Bester" <***@mcs.anl.gov> wrote:

> We've lately been generating new snapshot installers that include all of
the updated package sources whenever we publish advisories for GT6, so if
you get the newest installer
> (currently globus_toolkit-6.0.1433516164.tar.gz) it will contain all of
the updates.

Interesting, I have a script that I use to build so it may be easier to
simply rerun my script against the current snapshot tarball. That'll be
easier than manually tracking which sub-packages I need to update.

Cheers

Adam
--
Sent from Android