Let me share my experience with OCS. A few months ago I started dealing with OCS Inventory. All the tutorials I've seen on the Internet were related to the so-called manual installation (git clone... and so on), although this is not the recommended way for my environment (1).
I decided to go with it.
I downloaded and configured the OCS Server, and all went fine. Then I found that there is a pre-compiled binary for OCS-agent on the official repository and decided to implement this via my configuration manager (Puppet). So I deployed the OCS repository on all of my systems, installed the client and configured it to talk to my server. All good.
A few weeks ago I noticed that there is a new version of the agent. I updated it (automatically via Ansible), as I am using this approach for all the updates (except security) on my systems. A day or two later I wanted to check something on the reports page and noticed that the clients don't report to the server anymore. When I logged into one of the clients and ran ocsinventory-agent, it returned exit status 1 and error 400....
I checked Google and found an article which says the client and the server should be on the same version. OK, let's compare the versions then. Oops, it seems that the client is using 2.9 but the server is still on 2.8.1. OK, no worries, I will just upgrade the server to 2.9. But wait, there is no such version? On the official repo? Wow, no words to say.
In the modern world, most apps are backward compatible, am I right?
Then I decided to downgrade the client. But wait, on the official repo there is no older version????? You joke.. Ah, I will try to find version 2.8.1 of the agent somewhere on the Internet and install it manually.
Luckily, on the official Debian/Ubuntu repo there is such a version, so I downgraded.
The next day I got an e-mail from unattended-upgrades (2) saying that the version of OCS-agent was upgraded from 2.8.1 to 2.9 because of security issues. But why, instead of releasing the next minor version, do you jump over to the next major?
Now I have an unresolvable case: to use a security-vulnerable package or to disable assessment for a period of time until the server is upgraded to 2.9... What a case.
So guys, I will be glad to hear your opinion on that case.
Please share with me how you will proceed, and why this is happening at all.
1. Bear with me, I'm doing all of this in my home lab, but I want to have rules and think like big enterprise companies. Having manually/statically downloaded software/binaries is bad because they cannot be assessed easily (via the package manager), it is not easy to know that there is a new version, they cannot be upgraded easily, etcetera.
2. I'm installing security upgrades automatically; security has to be installed no matter what.