Monday, 25 February 2008

Small site OS X patching

It would be nice if OS X machines that have downloaded patches via Software Update could make those patches available to other OS X machines on the same network, especially since some of the patches nowadays are very large (the latest Leopard patch was a whopping 180MB) and fetching them again on every machine wastes time and bandwidth.

Larger sites handle this by running an OS X Server somewhere on the LAN with Software Update Server enabled. Then you can either fake DNS entries or change the client settings so that all your clients use the centrally downloaded patches.

But what about a small, client-only Mac network of the kind a lot of people have at home, e.g. a Mac Mini and a couple of MacBooks? Perhaps there is a way for Macs to play nicely together if you've got things like Bonjour turned on (I don't), but alas, I've never come across it. Please let me know if there is a way.

In the meantime, I created a centralised patch directory on my LAN file server to save all the downloaded patches to once one machine had done the hard work (using the "Install and Keep Package" option of Software Update). When selecting this option, the package is saved to /Library/Packages on Tiger and /Library/Updates on Leopard. I then copy the files over the network (I use rsync, but you could just as easily share the directory and mount it via AFP, SMB, NFS, etc.), ready for the next Mac. If you were really adventurous, you could even try NFS mounting the directory as /Library/Packages directly on each machine... let me know if anyone does this and it works ok. :)

A further note here: I set all my Macs to not automatically download patches in System Preferences, and on all but the "primary" Mac I disable the automatic checking to see if patches are available. The idea is that I want to know patches are available on the primary Mac, and I will then "Install and Keep Package" for each patch and make sure it is saved to the network before going on to the next one. This I learnt the hard way, in that on my Leopard MacBook it seems to want to clear out /Library/Updates between reboots for some reason... I haven't had time to look into why.

I know what packages need to be downloaded onto the second and subsequent Macs by making sure the /Library/Packages directory is cleared on the primary Mac once all the patching is done. Then when new patches are available, I just get the directory listing from /Library/Packages to know which ones to copy over to every other Mac (then delete and clear this directory again, etc.). You need to do this as some patches (e.g. iTunes) are just saved as a package like "iTunesX.pkg" in the directory. Each new version of iTunes gets saved over the top of this package. The last modified time of this top level directory is usually unchanged, meaning that you can't tell a new iTunes patch is available just by looking at the date stamp.
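One way to script both the rsync copy and the "which packages are new?" bookkeeping from the two paragraphs above, as an added example rather than anything from the original post. It assumes rsync is installed and a constructed layout where the local package directory (/Library/Packages or /Library/Updates), the mounted central share and a manifest file are passed in as arguments; it hashes contents instead of trusting date stamps, so an overwritten iTunesX.pkg is still spotted.

```shell
#!/bin/sh
# Added helper (not from the original post): keep a manifest of the packages
# saved by "Install and Keep Package", report which ones are new or changed
# since the last sync, then push them to the central share with rsync.
# Assumed layout: DIR is /Library/Packages (Tiger) or /Library/Updates
# (Leopard), SHARE is the mounted central directory, STATE is a manifest file.

# build_manifest DIR: one sorted line per file, "crc size relative/path".
# cksum is POSIX, so this runs unchanged on OS X and Linux. Bundle-style .pkg
# directories (Tiger) are walked file by file, so a changed bundle shows up too.
# The CRC is only a change detector, not an integrity check of the package.
build_manifest() {
  dir=$1
  ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      set -- $(cksum "$f")          # cksum prints: crc size filename
      printf '%s %s %s\n' "$1" "$2" "${f#./}"
    done )
}

# changed_packages OLD NEW: paths whose line in NEW has no exact match in OLD,
# i.e. files that are new or whose contents changed. An empty OLD lists all.
changed_packages() {
  grep -vxF -f "$1" "$2" | cut -d' ' -f3-
}

# sync_packages DIR SHARE STATE: print what changed, copy DIR to SHARE and
# record the new manifest so the next run only reports genuinely new patches.
sync_packages() {
  dir=$1; share=$2; state=$3
  [ -f "$state" ] || : > "$state"
  build_manifest "$dir" > "$state.new"
  changed_packages "$state" "$state.new"
  rsync -a "$dir"/ "$share"/
  mv "$state.new" "$state"
}

# Usage on the primary Mac after keeping a batch of patches (Leopard paths):
#   sync_packages /Library/Updates /Volumes/patches /Volumes/patches/.manifest
```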

It's also a shame that Software Update doesn't seem to look at /Library/Packages automatically for you to see if you've already downloaded the patch. It keeps its own (per-user) cache files for downloads and ignores this central directory for some reason, even though it gives you the option of keeping the patch here after installation. Not very user-friendly, is it?

Let me know if you've got a better way of keeping your small home network of Macs patched without repeatedly downloading patches. Oh, and before you suggest just caching the patches in a small home network proxy server (also suggested in the macosxhints.com thread above), I already do. :) However, this relies on changing settings on your proxy server to accommodate some rather large files that you mightn't otherwise want to do. And it isn't fool-proof... for some reason (probably related to the delay in between patching machines) I've had Macs on my network download the same patch twice, even though the first download should have been cached. Besides, the whole "play with Squid" route to do this starts to just get too complicated, especially when it seems like it should be very easily handled via file sharing or support within OS X itself....
