Hi,
I'm looking to draft a process to keep on top of and roll out security fixes/patches. Using SmartOS with pkgsrc binary packages via pkgin.
My current plan is to essentially mirror all binary repos locally, and maintain integration/staging/production versions using ZFS snapshots of each so I can implement change control, roll packages out or hold them back as necessary, and have a record of the package set at a specific point in time.
The primary purpose here is to reduce overhead/config required. Currently I use puppet to handle upgrades but this is less than ideal for a number of reasons.
If I can manage the repos centrally, keeping up to date is just a case of running pkgin full-upgrade across all servers as required.
The only sticky issue is if I have a version of a package I want to keep pinned to an older version on a subset of nodes. So I want the new version in the repo for some nodes but not others; currently I can't see an easy way to accomplish this. A pkgin full-upgrade would upgrade to the newest version available.
Is there anything similar to Debian's apt-pinning, where I can pin packages at a specific version so they are ignored during a pkgin full-upgrade?
Also curious to hear how others are handling pkgsrc patch management when using binary packages.
Cheers
Steve W.
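One way to approach the per-node pinning question, added here as an example and not part of Steve's post or of pkgin itself: pkgin builds its view of a repository from the pkg_summary file it fetches from each repository URL in repositories.conf, so a node class can be pointed at a filtered copy of the mirror's summary in which a pinned package appears only at its pinned version. On those nodes pkgin full-upgrade then has nothing newer to offer, while the full mirror stays intact for everyone else. The script below does that filtering. The record layout follows pkg_summary(5); the sample records, package names, versions and pins are constructed for the demonstration, and the DEPENDS check is a heuristic, not a full pkgsrc version match. It assumes the filtered summary is served alongside the package files (for example a per-class directory whose .tgz files are symlinks into the mirror), which is a layout choice, not something pkgin requires.

```python
"""Build a node-class-specific pkg_summary in which pinned packages are frozen.

Illustrative example for a pkgsrc/pkgin mirror: the record format follows
pkg_summary(5); the sample data, file names and pins are constructed.
"""
import re
from typing import Dict, List, Tuple

# pkg_summary is a sequence of blank-line separated records of KEY=VALUE lines.
# Keys such as DEPENDS may repeat, so a record is kept as ordered pairs.
Record = List[Tuple[str, str]]

# PKGNAME is <pkgbase>-<version>; the version starts at the last '-' that is
# followed by a digit, e.g. py27-setuptools-0.9.8 -> (py27-setuptools, 0.9.8).
_SPLIT = re.compile(r"^(.*)-(\d[^-]*)$")


def parse_summary(text: str) -> List[Record]:
    records: List[Record] = []
    current: Record = []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        key, _, value = line.partition("=")
        current.append((key, value))
    if current:
        records.append(current)
    return records


def split_pkgname(pkgname: str) -> Tuple[str, str]:
    m = _SPLIT.match(pkgname)
    if not m:
        raise ValueError(f"cannot split PKGNAME {pkgname!r}")
    return m.group(1), m.group(2)


def field(record: Record, key: str) -> List[str]:
    return [v for k, v in record if k == key]


def apply_pins(records: List[Record], pins: Dict[str, str]) -> Tuple[List[Record], List[str]]:
    """Drop every record of a pinned pkgbase except the pinned version.

    Returns (kept_records, warnings). Warnings cover a pin whose version is
    missing from the summary (the node would then see no version at all) and
    remaining records whose DEPENDS name a pinned package, since freezing a
    library can leave another package's dependency pattern unsatisfiable.
    """
    kept: List[Record] = []
    seen = set()
    for rec in records:
        base, version = split_pkgname(field(rec, "PKGNAME")[0])
        if base in pins:
            if version != pins[base]:
                continue
            seen.add(base)
        kept.append(rec)

    warnings = [f"pinned {b}-{v} is not present in the summary"
                for b, v in pins.items() if b not in seen]
    for rec in kept:
        pkgname = field(rec, "PKGNAME")[0]
        for dep in field(rec, "DEPENDS"):
            for base, version in pins.items():
                # Heuristic: pattern starts with the pinned pkgbase, e.g.
                # "openssl>=1.0.1g" or "openssl-[0-9]*". Review these by hand.
                if re.match(re.escape(base) + r"[-<>=]", dep):
                    warnings.append(f"{pkgname} depends on {dep}; check it "
                                    f"against pinned {base}-{version}")
    return kept, warnings


def render_summary(records: List[Record]) -> str:
    return "\n\n".join("\n".join(f"{k}={v}" for k, v in rec) for rec in records) + "\n"


# Constructed sample summary: two openssl versions, a consumer, a bystander.
SAMPLE_SUMMARY = """\
PKGNAME=openssl-1.0.1g
COMMENT=Secure Socket Layer and cryptographic library
DEPENDS=perl>=5.0
PKGPATH=security/openssl

PKGNAME=openssl-1.0.1h
COMMENT=Secure Socket Layer and cryptographic library
DEPENDS=perl>=5.0
PKGPATH=security/openssl

PKGNAME=curl-7.37.0
COMMENT=Client that groks URLs
DEPENDS=openssl>=1.0.1g
DEPENDS=libidn>=1.0
PKGPATH=www/curl

PKGNAME=libidn-1.28
COMMENT=Internationalized Domain Names library
PKGPATH=devel/libidn
"""

if __name__ == "__main__":
    # Hypothetical node class "legacy-db" that must stay on openssl-1.0.1g.
    kept, warnings = apply_pins(parse_summary(SAMPLE_SUMMARY), {"openssl": "1.0.1g"})
    print(render_summary(kept))
    for w in warnings:
        print("WARNING:", w)
```

In practice the output would be gzipped to pkg_summary.gz in the per-class repository directory and the nodes in that class would list that URL in repositories.conf; the warnings are the part to read before promoting the filtered summary, because a frozen library with consumers that were built against a newer version is exactly the case a full-upgrade would otherwise have resolved for you.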