Release date: 2021-01-19
Development branch: master
Supported version: WSUS Offline Update, Community Edition 12.4
The Linux download scripts, version 2.3 try to keep up with WSUS Offline Update, Community Edition 12.4. These scripts are not compatible with the upcoming WSUS Offline Update, Community Edition 12.5, because of major changes in the calculation of dynamic updates.
Important: The option -includesp was added back. If this option is not used, then several large updates for Windows 8.1 / Server 2012 R2 may be omitted. The option -includesp is pre-selected in the script update-generator.bash. If you use the script download-updates.bash directly, e.g. in cron jobs, then you should add the option there.
New Features
Added support for Windows 10, version 20H2
All Windows 10 versions are enabled by default. They can be disabled with a series of version-specific exclude lists in the directory wsusoffline/exclude:
- Code: Select all
ExcludeList-w100-1507.txt
ExcludeList-w100-1607.txt
ExcludeList-w100-1803.txt
ExcludeList-w100-1809.txt
ExcludeList-w100-1903.txt
ExcludeList-w100-1909.txt
ExcludeList-w100-1903_1909.txt
ExcludeList-w100-2004.txt
ExcludeList-w100-20H2.txt
ExcludeList-w100-2004_20H2.txt
Adding the support for version 20H2 means, that you can now disable this version.
Optional "fast mode" for the calculation of the integrity database
WSUS Offline Update uses three hash function to create the integrity database: MD5, SHA-1 and SHA-256. This always looked over-engineered, and it is unnecessarily slow on old machines. An optional "fast mode" was introduced, which only calculates the SHA-1 hash. This option can be enabled in the file preferences.bash.
The resulting hashdeep files will be compatible with previous versions of the Linux scripts and with the Windows scripts, because hashdeep recognizes the file format automatically. You don't need to delete any existing files in the directory ../client/md, because the hashdeep files will be deleted and recreated automatically on each download run.
Note: The Windows script DownloadUpdates.cmd can use the same fast mode with a small patch. This is only needed, if you like to compare the results on Windows and Linux with the script compare-integrity-database.bash:
- Change the hashdeep option "-c md5,sha1,sha256" to "-c sha1" everywhere.
- Find the line:
- Code: Select all
for /F "usebackq tokens=3,5 delims=," %%i in ("%TEMP%\sha1-%1-%2.txt") do (
and change it to:- Code: Select all
for /F "usebackq tokens=2,3 delims=," %%i in ("%TEMP%\sha1-%1-%2.txt") do (
The hashdeep files are used for a quick integrity check: The expected SHA-1 hash is embedded into the filename of most security updates. It is compared to the calculated SHA-1 hash in the hashdeep file. If they don't match, then the downloaded file will be deleted.
For this comparison, the script extracts fields 3 and 5 of the comma-separated hashdeep files in its default mode. It extracts fields 2 and 3 in the fast mode.
Default field order of the hashdeep files:- Code: Select all
Field 1 = File size
Field 2 = MD5 hash
Field 3 = SHA-1 hash as calculated by hashdeep
Field 4 = SHA-256 hash
Field 5 = Relative pathname with embedded SHA-1 hash
Field order in the fast mode:- Code: Select all
Field 1 = File size
Field 2 = SHA-1 hash as calculated by hashdeep
Field 3 = Relative pathname with embedded SHA-1 hash
Warning: The patch for the Windows script DownloadUpdates.cmd was tested and should work so far, but if you mess this up, all existing downloads will be deleted due to "mismatching SHA-1 hashes".
The option -includesp was added back
The option -includesp was added back to the master development branch, with a limited scope: If this option is not used, then updates for Windows 8.1 / Server 2012 R2 from two files will be omitted:
- Code: Select all
../client/static/StaticUpdateIds-w63-upd1.txt
../client/static/StaticUpdateIds-w63-upd2.txt
The option -includesp will be pre-selected in the Linux script update-generator.bash. You should add it manually, if you use the script download-updates.bash directly, e.g. in cron jobs.
Notes: The corresponding option in the Windows script DownloadUpdates.cmd is /excludesp, but it was translated to -includesp for consistency with the other optional downloads.
The Windows application UpdateGenerator.exe does not expose the option excludesp in its user interface. To use this option, you need to add it manually to the settings file UpdateGenerator.ini:
- Code: Select all
[Options]
excludesp=Enabled
Changed Features
Default languages are removed on the fly
By default, WSUS Offline Update downloads updates for the languages English and German.
In the Windows version, the default languages can be removed with the scripts RemoveGermanLanguageSupport.cmd and RemoveEnglishLanguageSupport.cmd (the latter is only included in the ESR-version). More languages can be added with the script AddCustomLanguageSupport.cmd.
The new Linux download scripts always tried to do that in a more consistent way:
- First, the default languages are removed from several global files in the directory wsusoffline/static.
- All languages, which are selected on the command-line, are then added back from the localized files in the same directory.
In previous versions, the removal of default languages would modify the global input files on disk. Now the default languages are removed on the fly, without changing the input files at all.
hashdeep messages are duplicated with tee
The functions create_integrity_database and verify_integrity_database now use "tee" to duplicate messages from hashdeep and to write them to the logfile and the screen. This is possible, because the logfile is referenced with absolute paths since version 1.11 of the Linux download scripts.
Previously, a workaround was needed, because relative paths to the logfile would become invalid, if the working directory was changed with pushd/popd.
Sysinternals utilities are downloaded to the directory ../bin
The archives AutoLogon.zip, Sigcheck.zip and Streams.zip are downloaded to the directory ../bin, as in the Windows script DownloadUpdates.cmd.
Five more obsolete configuration files are removed
The following configuration files are no longer needed in the master version and will be removed:
- Code: Select all
../static/StaticDownloadLink-mkisofs.txt
../static/StaticDownloadLinks-mkisofs.txt
../client/static/StaticUpdateIds-ie10-w61.txt
../client/static/StaticUpdateIds-ie11-w61.txt
../client/static/StaticUpdateIds-dotnet35.txt
Renamed the functions filter_cr and todos_line_endings
The functions filter_cr and todos_line_endings are both meant to change line endings from and to DOS. They are now named more appropriately:
- Code: Select all
filter_cr -> dos_to_unix
todos_line_endings -> unix_to_dos
The download directories dotnet/x86-glb and dotnet/x64-glb are no longer used
The download directories ../client/dotnet/x86-glb and ../client/dotnet/x64-glb for dynamic .NET Framework updates are no longer used. Dynamic updates for .NET Frameworks are now downloaded to the respective Windows directories, e.g. ../client/w62-x64/glb.
The following files will be removed automatically:
- Code: Select all
../xslt/ExtractDownloadLinks-dotnet-x86-glb.xsl
../xslt/ExtractDownloadLinks-dotnet-x64-glb.xsl
../client/md/hashes-dotnet-x86-glb.txt
../client/md/hashes-dotnet-x64-glb.txt
You may delete the following directories manually, but only in WSUS Offline Update 12.3 and higher (master development branch):
- Code: Select all
../client/dotnet/x86-glb
../client/dotnet/x64-glb
Do not delete the parent directory ../client/dotnet, because it is still needed for the static .NET Framework installation files.
Reference:
- Removed download of legacy .NET Framework updates
https://gitlab.com/wsusoffline/wsusoffline/-/commit/fad83dfb542a6e74aae287755857a27de80d0c60
Removed features
Removed support for Office 2010
This removes the following files:
- Code: Select all
../static/StaticDownloadLinks-o2k10-*.txt
../client/static/StaticUpdateIds-o2k10.txt
Removed support for Windows 10 version 1709
The following files will be removed:
- Code: Select all
../exclude/ExcludeList-w100-1709.txt
../client/static/StaticUpdateIds-w100-16299.txt
../client/static/StaticUpdateIds-w100-16299-x64.txt
../client/static/StaticUpdateIds-w100-16299-x86.txt
../client/static/StaticUpdateIds-wupre-w100-16299.txt
../client/static/StaticUpdateIds-servicing-w100-16299.txt
../client/static/StaticUpdateIds-w100-16299-dotnet.txt
../client/static/StaticUpdateIds-w100-16299-dotnet4-528049.txt
Downloads
The download links for this version are:
- http://downloads.hartmut-buhrmester.de/linux-scripts-2.3.tgz
- http://downloads.hartmut-buhrmester.de/linux-scripts-2.3_hashes.txt
- http://downloads.hartmut-buhrmester.de/linux-scripts-2.3_virusreport.pdf
- http://downloads.hartmut-buhrmester.de/linux-scripts-2.3_virusreport-fullpage.png
Link for the online check at VirusTotal. Note, that the URL includes the SHA-256 hash of the archive:
The hashes for the archive linux-scripts-2.3.tar.gz are:
- Code: Select all
MD5 fb141a2efd0d4d0fb0513984927da0b9
SHA-1 88cfdd1c6a459101532380aae049b16b98a665db
SHA-256 2035d4cfa48abf4396cd6c19ec11f2b286f8575f2e612561ca04ab258447b410
Further Reading
The first three posts in the original topic A complete rewrite of the Linux scripts are still being updated, to point to the latest version: