Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add opendirectoryd_version artifact to check for installation of Secu… #9

Merged
merged 3 commits into from Dec 1, 2017

Conversation

@haircut
Copy link
Contributor

@haircut haircut commented Nov 30, 2017

…rity Update 2017-001 for High Sierra

SCCS project version checking as provided in https://support.apple.com/en-gb/HT208315

Copy link
Contributor

@clburlison clburlison left a comment

My 2 cents

stdout = None

if stdout:
result = stdout.splitlines()[-1].split(':')[-1]
Copy link
Contributor

@clburlison clburlison Nov 30, 2017

To match other "version" facts in this repo I would change this to:

result = stdout.splitlines()[-1].split('-')[-1]
Old 
<result>opendirectoryd-483.20.7</result>
vs new
<result>483.20.7</result>

Copy link
Contributor Author

@haircut haircut Nov 30, 2017

I disagree, but you raise an important point about specificity.

This isn't really reporting the running version of opendirectoryd, rather the project version used to build the program.

From the what man page:

what -- show what versions of object modules were used to construct a file

what reads each file name and searches for sequences of the form
@(#)'', as inserted by the source code control system. It prints the remainder of the string following this marker, up to a null character, newline, double quote, or > character.''

In the case of a 10.13.1 system the output of what /usr/libexec/opendirectoryd includes PROJECT:opendirectoryd-483.20.7. In the relevant KB Apple refers to the full string as the "project version number", so for accuracy, the full string should be returned.

However, checking the version of /usr/libexec/opendirectoryd provides an altogether different output. Again, for a patched 10.13.1 system, the output of /usr/libexec/opendirectoryd --version is opendirectoryd (build 483.200). It would be more accurate to report 483.200 as the "version" of opendirectoryd.

Perhaps the best way forward here is actually:

  1. Rename this current artifact to opendirectoryd_project_version_number
  2. Create a new artifact to report the actual version of opendirectoryd and report it as 483.200 to match other "version" facts

If this sounds good I'm happy to do the work and add a new commit.

Copy link
Owner

@chilcote chilcote Nov 30, 2017

TIL about /usr/bin/what

As for the PR, I really don't care as long as it doesn't break the run :)

Copy link
Contributor

@clburlison clburlison Nov 30, 2017

I must have skimmed past that. I personally would prefer your recommendation to make rename this artifact. Also didn’t even realize/ think to look at the --version output.

@haircut
Copy link
Contributor Author

@haircut haircut commented Nov 30, 2017

I've pushed the two changes.

  • Renamed the original subject artifact to opendirectoryd_project_version_number.py to more accurately reflect its purpose and output
  • Added opendirectoryd_build_number.py to report on that separately

No conflicts during the run @chilcote ;)

@chilcote chilcote merged commit 7793d74 into chilcote:master Dec 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants