
swupdate-openbsd's Introduction

swupdate

by Morgan Aldridge [email protected]

swupdate-openbsd on OpenHub

OVERVIEW

A simple utility to roll the various software update related utilities in OpenBSD into a single command, a la macOS's (nee Mac OS X's) softwareupdate, including:

Update-verse

One script for base developers providing system binary patches,
One for non-free driver firmware available from the Internet,
Three for third-party binary packages built via ports infrastructure,
One for upgrading to the next major OpenBSD release or snapshot,
One for the system administrator in their dark terminal
On the OpenBSD operating system where software needs an update.
  One script to run them all, One script to find them,
  One script to download them all, and from the shell install them
On the OpenBSD operating system where software needs an update.

(My apologies for the blasphemous merging of Tolkien's ring verse with OpenBSD's manual pages for the various software update scripts.)

FEATURES

  • List, download, or install pending updates for firmware, system patches, packages, and major releases
  • Works on -release, -stable, or -current
  • Automatically uses snapshots when running a post-beta/pre-release kernel
  • Upon installation:
    • Installs additional system patches when syspatch has updated itself
    • Uninstalls any unused package dependencies
    • Checks for any running processes that might have had their binaries updated, if checkrestart is installed
    • Prompts to reboot if kernel was updated by syspatch
    • Prompts to install next major release upgrade via sysupgrade, if available

USAGE

To check for software updates:

doas swupdate -l

To download, but not install software updates:

doas swupdate -d

To install all software updates, including system patches and firmware:

doas swupdate -i

LICENSE

Released under the MIT license.


swupdate-openbsd's Issues

Run sysclean, if installed

Solène Rapenne recently reminded me about the sysclean utility. It'd be ideal to run it, if installed, especially after having performed a sysupgrade (see issue #2).

Using the list (-l) option results in an error from fw_update

It appears that there is a typo in the fw_update command used by the -l (i.e. list) option:

fw_update: unknown option -- -i
usage: fw_update [-adFnv] [-p path] [driver | file ...]

This probably should have been calling fw_update -n (dry run) instead.

Be smarter about whether a reboot is necessary after running syspatch

Currently, the logic as to whether a reboot is necessary after syspatch is run by swupdate -i is to check to see if the kernel in /bsd was updated within the last 15 minutes. However, if you happen to run swupdate -i within 15 minutes after rebooting (e.g. when syspatch has itself been updated), it will again tell you that the machine needs to reboot, even if the kernel wasn't updated again.

It'd be smarter to track how long it took to execute syspatch and only check for changes in /bsd within that number of minutes.

Optionally check for package versions not aligned with upstream when running snapshots

Solène Rapenne has developed a new openbsd-check-outdated tool for OpenBSD developers & port maintainers which, "compares the version of installed packages with upstream, using repology.org database."

It'd be great to have an option to warn of outdated packages using openbsd-check-outdated, if one is running on snapshots (which swupdate does discern) and the user has it installed.

Via Laurent Cheylus on Mastodon.

Listing of package updates fails during earliest post-beta/pre-release window as it's not using `pkg_add -Dsnap`

With Issue #8 (and improved in Issue #11), I added a new is_post_beta_pre_release() function which is used to determine if swupdate should use pkg_add -Dsnap. It does so by checking whether a SHA256.sig file exists in the release's directory on the mirror being used by installurl.

As OpenBSD 7.4 is now in the post-beta/pre-release window, I've updated my dev environment to the latest snapshot, and the swupdate -d (download) and swupdate -i (install) options both appear to be correctly identifying that we're in the post-beta/pre-release window. However, at least in the 0.7.1 release, the swupdate -l (list) option is still trying, and failing, to fetch 7.4-release/-stable packages, despite them not existing yet:

$ doas swupdate -vl
Checking for firmware updates...
fw_update: add none; update none; keep intel
Skipping checking for system patches (running snapshot).
Checking for updated packages...
https://cdn.openbsd.org/pub/OpenBSD/7.4/packages/amd64/: no such dir
Couldn't find updates for avahi-libs-0.8p3 brotli-1.0.9p0 bzip2-1.0.8p0 cairo-1.17.8p0 curl-8.3.0p0 cvsps-2.1p2 cyrus-sasl-2.1.28 dbus-1.14.10v0 desktop-file-utils-0.26 gettext-runtime-0.22.2 git-2.42.0 gitwrapper-0.93 glib2-2.76.5 gmp-6.3.0 gnutls-3.8.1 jpeg-2.1.5.1v0 libevent-2.1.12p0 libffi-3.4.4 libgcrypt-1.10.2p0 libgpg-error-1.47 libiconv-1.17 libidn2-2.3.0p0 libnettle-3.9.1 libtasn1-4.19.0 libunbound-1.18.0 libunistring-0.9.7 libvncserver-0.9.14 lz4-1.9.4 lzo2-2.10p2 mlvwm-0.9.4 nghttp2-1.56.0 nghttp3-0.15.0 ngtcp2-0.19.1 p11-kit-0.25.0 p5-Error-0.17029 p5-Mail-Tools-2.21p0 p5-Time-TimeDate-2.33 pcre2-10.37p1 png-1.6.39 python-3.10.13 sqlite3-3.42.0 tcl-8.5.19p6 tk-8.5.19p2 x11vnc-0.9.16p2 xz-5.4.4 zstd-1.5.5
Skipping checking for system upgrades (running snapshot).

is_post_beta_pre_release() should drop privileges before executing ftp

My initial implementation of the is_post_beta_pre_release() function, introduced while fixing Issue #8, executes ftp to check if the running OpenBSD kernel version has a file on the current (or default) installurl(5) mirror. It doesn't actually process or save any output from ftp, sending it all to /dev/null, but swupdate must be run as root so that it can in turn execute fw_update, syspatch, pkg_add, and pkg_delete (all of which require that they be run as root), and is therefore also running ftp (a program that fetches & processes unknown data from the network/Internet) as root. Yikes!

It needs to be updated to drop privileges before executing ftp.

Check for orphaned users & groups

Solène Rapenne recently published a blog post regarding the shell script she wrote and uses on OpenBSD to check for users & groups created by an installed package which has since been uninstalled, orphaning the user/group:

https://dataswamp.org/~solene/2023-04-03-openbsd-delete-old-users.html

She has no plans to package the script and has approved the inclusion of its functionality in swupdate:

https://bsd.network/@solenepercent/110156280843492332

I probably won't automatically remove orphaned users/groups, but note & instruct users.

Consider adding a manual page

We love manual pages in OpenBSD, so I'm considering adding one. If I do, it should be installed along with swupdate via a Makefile (see Issue #9).

I'm not sure if the manual page should be in section 1 (general commands, like pkg_add & pkg_delete) or 8 (system maintenance and operation commands, like fw_update & syspatch). Since it uses commands in both sections 1 & 8, I guess it'd probably be safer to use section 8.

See mdoc(7) manual page for formatting documentation.

Round elapsed time since syspatch was run up to nearest minute to ensure kernel updates are properly detected

My initial implementation of the install_patches() function calculates the number of elapsed minutes since syspatch execution started when trying to determine whether the kernel has been updated (see Issue #5). However, when converting the elapsed seconds to minutes, I did not take the remainder/modulus into account, so there's some potential that it could not detect kernel updates. It should really round up to the nearest minute to ensure that it always detects whether the kernel was modified.

Better handle package updates during post-beta/pre-release window

When running OpenBSD -current, after beta and before a release has officially been launched, snapshots will be using the new release version number. Twice per year, in this short window of time, one needs to use -Dsnap with pkg_add -u to ensure that it checks for -current (i.e. snapshot) packages instead of release packages (which would be for the release that hasn't yet been published/launched, so it will generally not find any packages).

Currently, swupdate is really only checking whether it's running under a release or snapshots, and so the pkg_add -u functionality will result in errors from not finding packages during the post-beta/pre-release window.

We happen to be in this window right now, but I doubt for much longer (if even a day), so am not sure if I'll be able to address this in time.

Improve detection of syspatch having updated itself

When I implemented the new install_patches() function, I added functionality for it to re-execute syspatch if the exit status was 2. My intention was to handle the situation where syspatch updated itself and should be executed again to actually apply any pending patches, because it will exit with a status of 2 in such a case. However, in practice, it will also exit with a status of 2 if it just didn't find any patches needing to be installed.

I propose that install_patches() be updated to, upon the first run, check the modification date of syspatch to see if it was modified within the elapsed time (see Issue #6 re: calculating elapsed minutes) if it exited with a status of 2. That should prevent it from re-executing syspatch in other cases.

Using the download (-d) option doesn't actually download package updates

Similar to Issue #4, the -d (download) option doesn't actually download package updates. It correctly executes pkg_add -n, which is the dry-run mode, but -- if I'm reading the manual page correctly -- the dry-run mode will only download/copy the packages locally if the PKG_CACHE environment variable is set.

So, we should be setting PKG_CACHE too. Again, as mentioned in Issue #4, I'm not sure if we want to put that in a subdirectory of /tmp (with root-only permissions, of course) or something like /home/_swupdate/ (like sysupgrade does with /home/_sysupgrade/). I'm leaning toward the latter as it'd be preserved across reboots.

Of course, if we do that, we should probably also then update the -i (install) option to download firmware to and install it from /home/_swupdate/ (or whatever directory we end up using).

Check for major upgrades to be run with sysupgrade

It would be convenient to check and notify if a newer major OpenBSD version is available to be installed with sysupgrade.

I don't believe sysupgrade has an option to just check if an update is available. It does, however, have an -n option to download the files, but not perform the upgrade. Naturally, it would be important to check for release vs snap upgrades.

Using the download (-d) option doesn't actually download firmware updates

For some reason, the -d (download) option doesn't actually download firmware and instead calls fw_update -n, which is dry-run mode. That lists the firmware that would be installed, but doesn't download anything.

It'd be preferable if it used fw_update -F ${some_path}, which will download firmware from the default URL to the ${some_path} directory. I'm not sure if we want to put that in a subdirectory of /tmp (with root-only permissions, of course) or something like /home/_swupdate/ (like sysupgrade does with /home/_sysupgrade/). I'm leaning toward the latter as it'd be preserved across reboots.

Of course, if we do that, we should probably also then update the -i (install) option to download firmware to and install it from /home/_swupdate/ (or whatever directory we end up using) with fw_update -p ${some_path}.

Add Makefile for installing swupdate

It'd probably be good to add a Makefile to install sbin/swupdate in /usr/local/sbin, for those that don't want to manually install. It would probably make creating an OpenBSD port slightly easier too.

Fix bugs identified by ShellCheck

I ran swupdate through ShellCheck and it identified some bugs that need to be fixed:

Line 72:
  eval su -s /bin/sh _pkgfetch -c "'ftp $@'"
                                        ^-- SC2145 (error): Argument mixes string and array. Use * or separate argument.
                                        ^-- SC2294 (warning): eval negates the benefit of arrays. Drop eval to preserve whitespace/symbols (or eval as string).
 
Line 87:
  while read _line; do
        ^-- SC2162 (info): read without -r will mangle backslashes.
 
Line 154:
  [ $(find "$1" -type f -mmin "-$(elapsed_minutes $2)" >/dev/null | wc -l) -eq 1 ]
    ^-- SC2046 (warning): Quote this to prevent word splitting.
                                                  ^-- SC2086 (info): Double quote to prevent globbing and word splitting.
                                                       ^-- SC2260 (error): This redirection overrides the output pipe. Use 'tee' to output to both.

Did you mean: (apply this, apply all SC2086)
  [ $(find "$1" -type f -mmin "-$(elapsed_minutes "$2")" >/dev/null | wc -l) -eq 1 ]
 
Line 169:
  if [ $_result -eq 2 ] && modified_since $(which syspatch) $_start; then
                                          ^-- SC2046 (warning): Quote this to prevent word splitting.
                                                            ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
  if [ $_result -eq 2 ] && modified_since $(which syspatch) "$_start"; then
 
Line 174:
  [ $_result -eq 0 ] && modified_since /bsd $_start && reboot=true
                                            ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
  [ $_result -eq 0 ] && modified_since /bsd "$_start" && reboot=true
 
Line 219:
args=$(getopt vhldi $*)
                    ^-- SC2048 (warning): Use "$@" (with quotes) to prevent whitespace problems.
                    ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
args=$(getopt vhldi "$*")
 
Line 220:
if [ $? -ne 0 ]; then
     ^-- SC2181 (style): Check exit code directly with e.g. 'if ! mycmd;', not indirectly with $?.
 
Line 225:
set -- $args
       ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
set -- "$args"
 
Line 247:
if [ $(id -u) -ne 0 ]; then
     ^-- SC2046 (warning): Quote this to prevent word splitting.
 
Line 302:
    if $reboot && read now?'A reboot is necessary. Reboot now (y/n)? ' ; then
                  ^-- SC2162 (info): read without -r will mangle backslashes.
 
Line 303:
      case "$now" in
            ^-- SC2154 (warning): now is referenced but not assigned.
 
Line 313:
    if check_for_sysupgrade && read install?"Do you want to upgrade to OpenBSD $(next_kern_version) now (y/n)? "; then
                               ^-- SC2162 (info): read without -r will mangle backslashes.
 
Line 314:
      case "$install" in
            ^-- SC2154 (warning): install is referenced but not assigned.
