Hi,

first of all, thanks for syspatch. A one-liner to apply all the errata patches instead of syncing source and rebuilding stuff is welcome on my fleet of geographically remote OpenBSD firewalls running on PC Engines' apu2d4, not only because of its speed and simplicity, but also because of SD card tear & wear minimisation.

Now, I know I'm in unsupported waters because I noticed this on a box with only / mounted read-only, and /dev, /var and /tmp as writable mfs file systems, described (warning! blatant self-promotion below!) here:

[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

...but the problem I am facing is that syspatch -l shows installed patches up to 013:

pacija@zemun:~ $ doas syspatch -l
001_dhcpd
002_vmmfpu
003_libressl
004_softraid_concat
005_pf_src_tracking
006_libssl
007_freetype
008_exec_subr
009_icmp_opts
010_perl
012_wsmux
013_icmp6_linklocal

...whereas syspatch -c returns zero, while I guess it should return 014_libcrypto at the time of writing this.

Another identical box which was patched up to 012 shows correct information (-l up to 012, -c 013 and 014).

I'm not whining or anything, I trust my OpenBSD firewalls to be more secure than any other solution out there even without these patches. But maybe someone with more knowledge of syspatch finds this behaviour worth investigating, even on an unsupported setup.

Finally, my question: How does syspatch check the current patchlevel? By checking the contents of /var/syspatch or some other way? I guess I'm showing my ignorance here :)

Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/