Nmap Development mailing list archives

Re: Updater Investigation

From: Fyodor <fyodor () insecure org>
Date: Tue, 7 Jun 2011 17:00:17 -0700

On Thu, Jun 02, 2011 at 01:45:31PM -0700, Colin L. Rice wrote:

David asked me to investigate more potential updating solutions with
regards to writing an auto-updater for nmap.


Thanks Colin.  I'm not sure of this, but I'm starting to think we
might want a hybrid approach between
just-updating-platform-independent-files and updating the binaries.
For example, one option is for the updater to do the following:

1) Contact server and ask for the earliest version number (or maybe
   svn revision number) which is suitable for platform-independent
   updates.  The server also gives the current (latest) Nmap version
   number.

2) If host version number or revision date (the one being updated) is
   older than the earliest-allowed provided by server, tell the user that
   their Nmap version is too old for updates and they should visit
   (download page URL) and upgrade to $latest_version.  This isn't
   very hard since we already offer release binaries for 32 and 64 bit
   Linux as well as Windows and Mac.

3) If host version number is at least as new as $earliest_allowed, but
   not as new as $latest_version, consider notifying the user that a
   newer Nmap is available but still do the updates.

4) I suppose it is possible that the host version is $latest_version
   and yet it is still too old for updates.  This might be the case if we
   just made an incompatible change to the NSE engine and we haven't done
   a new Nmap release yet.  This case should be quite rare since we
   should try to avoid incompatible changes, and when we do need them we
   should do a new Nmap release promptly.  In this unusual case, the
   updater could recommend that the user update to the SVN version or
   just wait until a new release.

5) Update the platform-independent files (NSE scripts, libraries, Nmap
   OS database, nmap-services, etc).

6) Whenever we make a change to one of the platform independent files
   which will cause it to not work on older (but still at least as new
   as $earliest_allowed) versions of Nmap, we need to bump up
   $earliest_allowed to the current (post-change) revision date.  We
   could also bump it if it gets to be 6+ months old (or whatever
   period we decide on) to ensure that people update the rest of Nmap
   on a somewhat regular basis.  Besides giving the users a better
   experience, it would mean that we spend less time tracking down
   bugs related to updating to the newest scripts with an ancient
   version of Nmap.

Of course there is the question of what platform-independent files we
should provide.  One option is to include the latest versions in svn,
but that might be too bleeding-edge for some.  Another option is to
maintain a tag/branch in SVN.  It could get bumped forward on an
automated fashion.  Maybe a new file change could be tagged after
there are no further changes to the affected file(s) in 24 hours.  And
we could do it manually if we really badly wanted to push an awesome
new script or change into the update stream.

I'm not 100% convinced this is the right approach, but I wanted to at
least put it into writing as one option.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Updater Investigation Colin L. Rice (Jun 02)
- RE: Updater Investigation Rob Nicholls (Jun 02)
- Re: Updater Investigation Fyodor (Jun 07)
  - Re: Updater Investigation Ron (Jun 16)
    - Re: Updater Investigation Fyodor (Jun 19)
    - Re: Updater Investigation David Fifield (Jun 21)