Open source software security

Using URPM with Mandriva

Justin Klein Keane
Feb 6, 2007

While Mandriva Linux comes pre-bundled with the Mandriva Control Center application, which allows you to quickly and easily select packages to install or update, the power and flexibility of the command line is often required. Many Mandriva users may not even be aware that there is a command line option to install and manage packages. Using the command line you can easily manage your package sources, update them, and install new packages.

Media Sources

The first thing you'll want to do is take a look at what repositories you have installed. The URPM database keeps track of what packages are available, which ones are installed, and the appropriate versions and dependencies. You can look at your sources using:

justin@madirish$ sudo urpmq --list-media

You need root privileges to manipulate URPM so you'll have to su to root or use the sudo command.

It is often a good idea to remove all of the installation media from this list. The reason for this is that if you're ever trying to install a package remotely, you don't want the installation to require you to put a CD into the drive to install the media. You can remove sources from the list using:

justin@madirish$ sudo urpmi.removemedia [name]

where [name] is the name of the media. If you want to remove all of your media sources you can use:

justin@madirish$ sudo urpmi.removemedia -a

Once you've removed all the installation media it's time to add in some package repositories from the internet. The best place for this information is EasyURPMI. The website has an easy front end and you can cut and paste the results into a terminal. What you'll want to do is choose a site for each of the sources (except backports unless you need those) and then add them using the command supplied. For instance, say you wanted to add a new media source for 'main' from France, you would use the command:

justin@madirish$ sudo urpmi.addmedia main [url] with media_info/hdlist.cz 

where [url] is the URL to the actual repository. The source name will be 'main', the URL is the location of the packages, and the last piece is a relative URL that holds the CZ list. This is just a short listing of the packages and versions the repository contains. You can actually point a web browser at these locations and see everything that is there.

At the very least you're going to want a source for 'main' and one for 'updates'. The updates source is the place where the newest versions of software including patches, bug fixes and security updates are located.

Updating the URPM Database

So once you have your sources set up you'll need to keep them up to date. Your URPM database is only going to be as accurate as the last snapshot your machine has taken of the remote sources. Periodically you'll want to update your source lists so they reflect what is actually stored on the remote servers so you can search for packages accurately. To update a source you can use the command:

justin@madirish$ sudo urpmi.update [name]

where [name] is the source name. Alternatively you can just use the '-a' flag.

justin@madirish$ sudo urpmi.update -a 

This will update all the package listings for all your sources. You may even want to add this to the cron jobs that run daily on your machine. All of those scripts are located in /etc/cron.daily/.

Searching for Packages

Once you have a good list of the sources that are available you'll want to search to find out which packages are installed. The easiest way is to just use RPM with the -q (query) flag:

justin@madirish$ rpm -q package

This will let you know if the package is installed. What if you don't know the package name though? What if you want a package that has to do with MySQL but you're not sure what the exact name is? You can do a fuzzy search in this case using:

justin@madirish$ sudo urpmq --fuzzy mysql

This will return a list of all the packages that roughly match the search string you used (in this case 'mysql'). Be warned that this list could be quite extensive.

Installing Packages

Once you know you want to install a certain software package you can use the URPMI tool.

justin@madirish$ sudo urpmi package_name

This will install the package named package_name (or update the package if it is out of date). If you want to update all of your out of date packages at once you can use the command:

justin@madirish$ sudo urpmi --auto-select

Be aware, however, that this may require some user input so it's not a good option for scripting. If you want to script an auto update of all your out of date packages be sure to use the '--auto' flag.
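
One way to script the daily source refresh and the unattended update described above, as an added example that is not part of the original article. The file name, the log path and the URPMI_UPDATE, URPMI and LOG variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, e.g. saved as /etc/cron.daily/urpmi-autoupdate (hypothetical name).
# Refreshes every media source, then applies pending updates without prompting.
# URPMI_UPDATE, URPMI and LOG are assumed names; override them for a dry run.
URPMI_UPDATE="${URPMI_UPDATE:-urpmi.update}"
URPMI="${URPMI:-urpmi}"
LOG="${LOG:-/var/log/urpmi-autoupdate.log}"

# Append a timestamped line to the log file.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"; }

# Returns 0 on success, 1 if the refresh failed, 2 if the update failed.
daily_update() {
    log "refreshing media"
    if ! "$URPMI_UPDATE" -a >>"$LOG" 2>&1; then
        # Installing against a stale package list could miss security
        # updates, so stop here instead of continuing.
        log "urpmi.update failed; skipping install step"
        return 1
    fi
    log "applying updates"
    if ! "$URPMI" --auto --auto-select >>"$LOG" 2>&1; then
        log "urpmi --auto --auto-select failed"
        return 2
    fi
    log "done"
}

# cron runs this file as root; do nothing on hosts without urpmi.
command -v "$URPMI" >/dev/null 2>&1 && daily_update
```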

Uninstalling Software

If you run across a package that you want to get rid of you can use the urpme command in pretty much the same way as the urpmi command. For instance:

justin@madirish$ sudo urpme package

This will remove the package named package from the system. This is a clean way to remove software quickly and reliably.

Potential problems

Sometimes you'll get an error that says "urpmi database locked" and be unable to do any package manipulation. URPM actually follows a relatively simple scheme for database locking and this error is easy to fix. URPM simply writes files to the directory /var/lib/urpmi that include the .LOCK and .RPMLOCK extensions. To 'unlock' these databases all you have to do is delete these files. Once they're gone the database is 'unlocked' and you can continue working normally.
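
The unlock step above as an added example (not from the original article): it deletes the lock files only when no urpmi-family or rpm process is running, since a lock held by a live process is not stale. The function names are hypothetical, and it assumes the tools appear under their own names in ps output.

```shell
#!/bin/sh
# Added example: clear urpmi lock files only when they are stale.
# Assumption: the lock files sit directly in the directory and carry the
# .LOCK / .RPMLOCK extensions the article mentions.

# Print every lock file found in directory $1, one per line.
list_locks() {
    for f in "$1"/.LOCK "$1"/.RPMLOCK "$1"/*.LOCK "$1"/*.RPMLOCK; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Succeed if a urpmi, urpme, urpmq, urpmi.* or rpm process is running.
# Assumption: these tools show up under their own names in ps.
pkg_tool_running() {
    ps -e -o comm= 2>/dev/null | grep -Eq '^(urpm[ieq]|urpmi\..*|rpm)$'
}

# Remove the locks in $1 (default /var/lib/urpmi).
# Returns 0 if there was nothing to do or the locks were removed,
# 2 if a package tool is still running and the locks were left alone.
clear_stale_locks() {
    dir="${1:-/var/lib/urpmi}"
    locks=$(list_locks "$dir")
    [ -n "$locks" ] || { echo "no lock files in $dir"; return 0; }
    if pkg_tool_running; then
        echo "package tool still running; leaving locks in place" >&2
        return 2
    fi
    printf '%s\n' "$locks" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed $f"
    done
}

# Usage (as root): clear_stale_locks /var/lib/urpmi
```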