TEPATCHE - OpenBSD automatic system patcher / Parchador Automático de sistema OpenBSD


OpenBSD is a stable, robust and secure operating system. System administrators running OpenBSD also tend to be more security-conscious than administrators running other operating systems. Nevertheless, patching an OpenBSD system can be a tedious process for many people. If a person manages multiple OpenBSD servers, patching each of them can be a long and repetitive task, ideal for automation.

Tepatche periodically checks the FTP site we point it at and, if there is a new patch to be applied, downloads, applies, builds and installs it. Tepatche maintains a small status database to track the status of each of the system’s patches.




Tepatche consists of one program file (/usr/local/sbin/tepatche), a configuration file (/etc/tepatche.conf) and a data directory (/var/db/tepatche/). The configuration file has the following fields:

With this file in place, Tepatche can be run simply with no arguments, just /usr/local/sbin/tepatche. I suggest you run it from your crontab (see crontab(5)). I suggest running it once a day, at most once an hour - please don’t flood with requests every minute ;-)


Tepatche keeps the information it needs about the state of the system in the ‘statusfile’ (by default, located at /var/db/tepatche/statusfile). This is a plain-text file in the format <descriptor>::<status>, where ‘descriptor’ is an alphanumeric string and ‘status’ is a valid status number. Valid status numbers are:

The descriptor is usually in the form <arch>/<num>_<description>.patch. It states the architecture for which it was created, the consecutive patch number, a very short description of what it does, and the ‘.patch’ suffix. This is the standard nomenclature followed by the OpenBSD team. A sample name would be:


This shows that the patch will be applied to all architectures (common), it is the first patch produced for this release (001), and it fixes a problem related to ‘sshafs’.
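As an added example (not part of Tepatche or of the original page), the following Python script lints the contents of a statusfile against the two formats described above, which is a useful check before and after editing the file by hand. The status values in the sample are constructed placeholders, not Tepatche's real status codes, and the check for untracked patch numbers assumes numbering is consecutive across the release.

```python
import re

# <descriptor>::<status>, descriptor usually <arch>/<num>_<description>.patch
LINE_RE = re.compile(r"^(?P<descriptor>.+?)::(?P<status>\d+)$")
DESC_RE = re.compile(r"^(?P<arch>[A-Za-z0-9]+)/(?P<num>\d+)_(?P<desc>[A-Za-z0-9]+)\.patch$")

# Constructed sample. Status numbers are placeholders, not Tepatche's real codes.
SAMPLE = """\
common/001_sshafs.patch::1
i386/002_example.patch::1
common/004_example.patch::0
common/004_example.patch::1
common/006_sshpreauth.patch
"""

def lint_statusfile(text):
    """Return (entries, problems) for the contents of a statusfile."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            problems.append((lineno, "not <descriptor>::<status>"))
            continue
        descriptor, status = m["descriptor"], int(m["status"])
        d = DESC_RE.match(descriptor)
        if d is None:
            problems.append((lineno, "descriptor is not <arch>/<num>_<description>.patch"))
        if descriptor in seen:
            # Two lines for one patch make its recorded status ambiguous.
            problems.append((lineno, f"duplicate of line {seen[descriptor]}"))
        seen.setdefault(descriptor, lineno)
        entries.append({"descriptor": descriptor, "status": status,
                        "arch": d["arch"] if d else None,
                        "num": int(d["num"]) if d else None})
    # Assumption: patch numbers run consecutively from 001, so a hole below
    # the highest tracked number means a patch has no recorded status.
    nums = sorted({e["num"] for e in entries if e["num"] is not None})
    if nums:
        for n in sorted(set(range(1, nums[-1] + 1)) - set(nums)):
            problems.append((None, f"patch number {n:03d} is not tracked"))
    return entries, problems

if __name__ == "__main__":
    for where, what in lint_statusfile(SAMPLE)[1]:
        print(f"line {where}: {what}" if where else what)
```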

If you want to modify this file (of course, always AT YOUR VERY OWN RISK), you can follow these conventions to let Tepatche know the new status of the patch. For example, in the 3.1 release a very dangerous bug appeared in OpenSSH. The OpenBSD team advised upgrading to OpenSSH 3.4, overwriting the /usr/src/usr.bin/ssh directory. Later, they published a patch (common/006_sshpreauth.patch) to fix the vulnerability for people who preferred not to upgrade. Many people already have the 3.4 tree installed, and the patch files to be applied. You should then edit /var/db/tepatche/statusfile and replace





At least:


You can get your Tepatche (currently at version 0.85) right here. If you are interested in reading the article I wrote on it for the December 2003 issue of Sysadmin, you can find it here.


Tepache is a popular, slightly alcoholic drink in Mexico, where I live and where this program was devised. Tepache is the result of fermenting pineapple in water. Quoting from :

Tepache is a light, refreshing beverage prepared and consumed throughout Mexico. In the past, tepache was prepared from maize, but nowadays various fruits such as pineapple, apple and orange are used. The pulp and juice of the fruit are allowed to ferment for one or two days in water with some added brown sugar. The mixture is contained in a lidless wooden barrel called a "tepachera", which is covered with cheese cloth. After a day or two, the tepache is a sweet and refreshing beverage. If fermentation is allowed to proceed longer, it turns into an alcoholic beverage and later into vinegar. The microorganisms associated with the product include Bacillus subtilis, B. graveolus and the yeasts, Torulopsis insconspicna, Saccharomyces cerevisiae and Candida queretana (Aidoo, 1986).

If you are curious, you can find recipes to prepare tepache (in Spanish) at and

I found a recipe in German (I cannot tell if it is right or not ;-) ) at:


First and foremost, I want to thank the OpenBSD team for the incredible amount of work they have thrown into this great project.

On a smaller scale, Tepatche would not have been possible without the help of OpenBSD México. In this specific project, I received great help from Alex Juárez, César Yáñez and Karl Heinz Holtschmit.

Of course, I want to thank my workplace, UNAM FES Iztacala, for granting me time to work on security and Free Software for three years already - and I expect many more.


tepatche-0.85.tar_.gz (10 KB)

tepatche_sysadmin.txt (11 KB)