[chef] Re: Re: Shellshock patching with Chef


  • From: Morgan Blackthorne
  • Subject: [chef] Re: Re: Shellshock patching with Chef
  • Date: Mon, 29 Sep 2014 15:32:26 -0700

We have our own mirror for Ubuntu, but we don't force the latest version. I don't think we have RHEL or OL or Debian mirrors at the moment, though.

Forcing the latest version might just be the simplest way to resolve it.

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS

On Mon, Sep 29, 2014 at 3:26 PM, AJ Christensen wrote:
yo,

On Tue, Sep 30, 2014 at 11:23 AM, Morgan Blackthorne wrote:
> I'm looking to see if there's a good way to help manage patching of
> vulnerabilities with Chef. This Shellshock one seems to be a great example
> of why Chef would be a helpful tool for the job, since it's just a package
> in need of upgrading (bash).
>
> My question is, what's the best way in Chef to say "for this distribution
> and release, ensure that this package is at least at version X" without
> potentially downgrading the package down the road? I want to set a minimum
> bar, but I don't want to permanently pin the version.

I like pushing sec packages into a signed internal repository. Always
roll to latest. Makes the chef code simple(r), especially for managing
multiple edges.

Some providers support pessimistic version specifications (~>). They
may be of use.

--aj

>
> Thoughts? Thanks!
>
> --
> ~*~ StormeRider ~*~
>
> "Every world needs its heroes [...] They inspire us to be better than we
> are. And they protect from the darkness that's just around the corner."
>
> (from Smallville Season 6x1: "Zod")
>
> On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
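
One way to express the "minimum bar" asked about in this thread, as an added example that is not from any poster or from Chef itself: plain Ruby that orders Debian/Ubuntu version strings the way dpkg does and asks for an upgrade only when the installed package is below the floor. The function names and version strings are constructed for illustration; how the installed version is read (for instance from `dpkg-query -W`) is left to the caller, and RPM-based platforms order versions differently and are not covered.

```ruby
# Added example: "at least version X, never downgrade" for a dpkg-managed package.

# Weight of one character in dpkg's ordering:
# "~" < end of string < letters < every other character.
def deb_order(char)
  return 0 if char.nil?
  return -1 if char == '~'
  char.match?(/[A-Za-z]/) ? char.ord : char.ord + 256
end

# Compare two upstream or revision strings: alternate between a non-digit
# run (compared character by character) and a digit run (compared as integers).
def deb_cmp_part(left, right)
  a = left.dup
  b = right.dup
  until a.empty? && b.empty?
    na = a.slice!(/\A\D*/)
    nb = b.slice!(/\A\D*/)
    [na.length, nb.length].max.times do |i|
      diff = deb_order(na[i]) <=> deb_order(nb[i])
      return diff unless diff.zero?
    end
    da = a.slice!(/\A\d*/).to_i
    db = b.slice!(/\A\d*/).to_i
    return da <=> db unless da == db
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three fields.
def deb_split(version)
  epoch, rest = version.include?(':') ? version.split(':', 2) : ['0', version]
  upstream, sep, revision = rest.rpartition('-')
  sep.empty? ? [epoch.to_i, rest, ''] : [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1, like <=>.
def deb_compare(x, y)
  ex, ux, rx = deb_split(x)
  ey, uy, ry = deb_split(y)
  [ex <=> ey, deb_cmp_part(ux, uy), deb_cmp_part(rx, ry)].find { |c| !c.zero? } || 0
end

# Action a Chef package resource could be given: upgrade only below the floor.
def action_for_floor(installed, floor)
  return :install if installed.nil?
  deb_compare(installed, floor).negative? ? :upgrade : :nothing
end

# Constructed versions, not real bash releases.
puts action_for_floor('1.0-1ubuntu1', '1.0-1ubuntu1.2') # below the floor
puts action_for_floor('1.1-1', '1.0-1ubuntu1.2')        # already past it
```

Because the result is `:nothing` whenever the installed version is at or above the floor, a node that has already moved past the floor is left alone rather than pinned or downgraded.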



