# general

allister

06/22/2022, 7:31 AM
I am being encouraged to NOT file an issue with a question on github, so… Here's a weird, basic-feeling blind spot: Ubuntu does not have a 'patch' field in its os-release output, and so osquery initializes integer 0 and that becomes the value. The patch level is present in the full, all-caps "VERSION" string output with a whole bunch of info, (e.g. "20.04.4 LTS (Focal Fossa)") but the os_version table doesn't bend over backwards attempting to parse it out of there. Should I file a feature request to fix it?
seph

06/23/2022, 1:27 AM
I don’t think I know enough Ubuntu to have any sense. @alessandrogario @Stefano Bonicatti Either of you have an opinion here?
allister

06/23/2022, 2:20 AM
I've asked people in my company that are on the canonical steering committee whatever thing to chime in on the topic and they don't seem quite convinced at first glance that they should make parsed output for patch level
patch version doesn't really apply to Ubuntu as much as it does for RHEL
a fully up to date 20.04 should have almost identical packages as a 20.04.1 install
my qualm with it being unavailable is that the media used to install the OS is valuable info to tell the history of interactions with the computer for my team/role, and if it's valuable enough to update the version/description string with, I don't know why that can't additionally be presented in a trivially parse-able format
The only difference being that the 20.04.1 install may have been installed with an HWE kernel
whenever someone who knows their stuff tells you there's 'only' one difference… there's more differences that they're just glossing over 😉
in any case, I think my current 'beef' is osquery initializes ubuntu's LACK of patch as integer zero, which is inaccurate
Stefano Bonicatti

06/23/2022, 9:11 AM
If only LSB was a real standard and the distro used a single format.. In any case, I don’t have strong opinions beyond the fact that if the distro does not consider that format as somewhat fixed, it could break the parsing.
allister

06/23/2022, 9:14 AM
I'm not for or against parsing the string, but considering they haven't changed it in even 22 LTS means this would cover a whole bunch of devices in use and potentially could remain stable enough
Stefano Bonicatti

06/23/2022, 9:16 AM
But re-reading, you’re right for the default to 0. We should either return empty or attempt to parse it.
or even use -1 if cannot parse, if we want to avoid a schema change, since the column is INTEGER
sharvil

06/23/2022, 2:18 PM
yep, had encountered this before:
Nothing in the definition of /etc/os-release requires that this field be updated for point releases. It is Ubuntu policy to not update the machine-readable field in this file (and in /etc/lsb-release), because software *should not* treat point releases differently than they treat the original release. If there is a need to treat the releases differently, it should be on the basis of specific packages that are installed (or not), which you would check with dpkg, not with /etc/os-release.
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1394469
allister

06/23/2022, 2:31 PM
Great, so being obstinate about it is Policy 😬
seph

06/23/2022, 2:34 PM
@allister If one installs a 20.04 machine with the .1 media, I assume the release is 20.04.1, right? If time passes, and there is then a 20.04.2, does my 20.04.1 machine update that when it’s fully taken updates, or is it a weird artifact of the installer?
The snippet from Sharvil implies that it’s an installer artifact. In which case I think we should not expose it as a patch level, as someone would become cross that it implies out of date. (It feels like it would belong in an ubuntu-installer-spoo table.)
I think we should return NULL on ubuntu.
allister

06/23/2022, 2:42 PM
I’m still going to maintain the impression (however unfounded, I’m not a Debian expert nor is Ubuntu my daily driver) that ‘media’ used for both initial install and ‘landmark’ updates has non-zero value, but if they want to purposely avoid writing this out for their platform, mazel tov
seph

06/23/2022, 6:19 PM
“maybe” As I said, I think it could be interesting to gather. But I would not attach it to the OS version string. Fundamental in these is that the OS version is upgradeable. Neither macOS nor Windows provides an immutable way to see what the original installed version is.
A Mac I’ve upgraded from 12.1 to 12.4 is, theoretically, the same as a Mac I install as 12.4. Ubuntu seems to maintain that same stance.
allister

06/24/2022, 12:14 AM
Until Apple's planned Rapid Security Response things land, it's still the case that WebKit and firmware and countless other things regularly depend on OS patch levels. That being said, Apple doesn't make it machine-parseable by default either, so it's all chopping strings.
seph

06/24/2022, 2:01 AM
I think we’re talking cross purposes.
Machine parsable is less important than whether or not it exists.
If an updated Mac displays a different patch level, then it’s a meaningful number and we should report on it.
If an Ubuntu machine’s “patch” number doesn’t change with updates, and is an artifact of the installer, then it should not be reported as the patch level, because it is not. While it might be worth reporting on it somewhere, I’m not sure where.
allister

06/24/2022, 2:19 AM
There's no patch field whatsoever in os-release output; that is the current/previous state for Ubuntu.
It only exists in the all-caps "VERSION" string I referred to all the way at the beginning of this thread; the fact any other platform does have it was why I was barking up Canonical's tree.
I think osquery 1. shouldn't return an incorrect integer value, which we seem to be in agreement about, but additionally 2. I think we should parse patch out of the VERSION string, no matter Ubuntu's reasoning for not having it in os-release.
seph

06/24/2022, 2:34 AM
On a fully updated ubuntu machine, does the value change? Earlier you said not.
allister

06/24/2022, 5:13 AM
Ubuntu machines have the full version in the VERSION output of os-release; AFAICT it stays in sync with base-files.