HP UX Patch Management manual 67

•Application depot — contains patches specific to a given application. This type of depot might actually be a specific version of a periodic patch depot.

After you have identified the need that a specific depot will address, you should determine whether a directory depot or a tape directory best suits your needs. Most often, directory depots will be more useful for patch management. You must also select a location for the depot.

Choosing depot type and depot location

You should review the following considerations before creating and using depots:

•Do you require the depot to be available remotely for use by SD-UX commands such as the swinstall command?

If you are creating a depot for remote access, you need a directory depot. You must place the depot on a networked system that is accessible by all of the intended users, and you must register the depot. See “Registering and unregistering directory depots” (page 71).

•Will the depot be heavily used?

You should ensure that both the system and the network are capable of meeting performance needs based on the intended use. If multiple users will access the depot simultaneously, you need a directory depot.

•What amount of disk space and what level of disk performance are required?

You should ensure that both the disk space and level of disk performance are capable of meeting these needs. Depots can be large, and depot operations can involve a significant amount of disk activity.

•Is the availability of the depot critical?

If the answer to this question is yes, you should consider high-availability storage solutions such as disk arrays or mirroring.

•Does your organization need a heightened level of security?

If the answer to this question is yes, you should give additional consideration to safeguarding the depot. Access Control Lists (ACLs) can play a role in depot security. See “Advanced topic: access control lists” (page 72). In many cases, users of depots install software from the depot as the root user. Therefore, any compromise of software in a depot could lead to a security breach.

Although overlooked at times, a well-conceived depot-naming scheme can be very helpful. This is especially true if you have multiple depots, and is even more important if multiple users will access the depots.

•You should combine all the patches needed for a given purpose into a single depot.

•The depot should include all products (including patches) necessary to meet the dependencies of patches in the depot.

•You can help limit risk by making only the necessary changes to the depot.

•You can reduce the size of a depot by removing superseded patches. See “Advanced topic: removing superseded patches from a depot” (page 76).

Viewing depots

Use the swlist command to list the registered directory or tape depots on a local or remote system. You can also use the swlist command to view the contents of a directory or tape depot. This section provides examples of how to use the swlist command to view depots.

Examples of the swlist command

To view a list of registered depots on the local system, use this command:

swlist -l depot