(Originally published in 2015 when AIX 7.2 was released.)
AIX network applications are, for the most part, organized in three installp packages: bos.net.tcp.client, bos.net.tcp.server, and bos.net.uucp. On one hand, the coarse-grained packages make installation and maintenance easy. On the other hand, they make it impossible to leave out parts of the software, e.g., ftp and telnet, which are deemed less secure and preferably not used. For some customers, refraining from using such applications is not enough. To comply with their in-house computer system and software security policy, they need to ensure that applications classified as high security risk are not present on their systems.
To meet this requirement, in AIX 7200-00 (AIX 7.2) the network application packages have been re-organized at a much finer granularity. Figure 1 illustrates the packaging change to bos.net.tcp.client.
Figure 1: Packaging changes to bos.net.tcp.client
As can be seen, the original bos.net.tcp.client content is divided into a base package, bos.net.tcp.client_core, plus a set of individual application packages. The package bos.net.tcp.client in the AIX 7.2 release is an empty shell containing no files. However, it specifies co-requisites on the new split-out application packages. bos.net.tcp.client is installed by default, which ensures the new split-out packages are installed by default as well. As far as network applications are concerned, the content installed in the AIX 7.2 release is equivalent to that in previous AIX releases. The shell packages also ensure that any third-party software with requisites on either bos.net.tcp.client or bos.net.tcp.server will still install on AIX 7.2 until its requisites can be modified for AIX 7.2.
bos.net.tcp.client:
- bos.net.tcp.client_core
- bos.net.tcp.telnet
- bos.net.tcp.telnetd
- bos.net.tcp.x500
- bos.net.tcp.bootp
- bos.net.tcp.dhcp
- bos.net.tcp.ntp
- bos.net.tcp.ntpd
- bos.net.tcp.rcmd
- bos.net.tcp.rcmd_server
- bos.net.tcp.slip
- bos.net.tcp.sendmail
- bos.net.tcp.mail_utils
- bos.net.tcp.syslogd
- bos.net.tcp.slp
- bos.net.tcp.ftp
- bos.net.tcp.ftpd
- bos.net.tcp.tftp
- bos.net.tcp.tftpd
- bos.net.tcp.bind_utils
- bos.net.tcp.traceroute
- bos.net.tcp.snmp
- bos.net.tcp.snmpd

bos.net.tcp.server:
- bos.net.tcp.server_core
- bos.net.tcp.dfpd
- bos.net.tcp.dhcpd
- bos.net.tcp.gated
- bos.net.tcp.imapd
- bos.net.tcp.pop3d
- bos.net.tcp.pxed
- bos.net.tcp.tcpdump
- bos.net.tcp.timed
- bos.net.tcp.bind

bos.net.uucp:
- bos.net.uucp
- bos.net.uucode

Table 1: Re-organized networking application packages
Table 1 displays the new packages created from each of the three original packages. The packaging change to bos.net.tcp.server is very similar to the transformation applied to bos.net.tcp.client. As for bos.net.uucp, the package is split into two: bos.net.uucode and bos.net.uucp. The former, bos.net.uucode, contains the two applications uuencode and uudecode from the original bos.net.uucp package. The rest goes into the new bos.net.uucp package.
Other AIX software packages that depend on the original three network packages have been updated to reflect the packaging change. Note that if any third-party software packaged in installp depends on any of the three packages mentioned above, its packaging needs to be updated accordingly.
If a customer wants to remove some of the individual application packages carved out of the original bos.net.tcp.client, the shell package (bos.net.tcp.client) in the AIX 7.2 release must be removed first. After that, the individual application packages can be removed. A similar procedure applies to application packages derived from bos.net.tcp.server. To list the dependencies on a package, run "lslpp -d <package_name>".
Once an individual application package is removed, it will not be re-installed as part of either a service update or a TL update. This compares favorably with the previous “secure by default” option, which simply removes a set of high-risk files after package installation; those removed files may come back in a subsequent service pack update.
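The removal order described above can be planned from a fileset inventory before anything is touched. The following is an added example, not code from the original article or from IBM: it assumes a deny list of four filesets, colon-separated inventory with the fileset name in field 2 (as in `lslpp -Lc` output), a constructed sample inventory, and `installp -u` as the removal command.

```sh
#!/bin/sh
# Added example: print the removal order for banned network filesets.
# Nothing is removed; the output is a list of commands to review and run on AIX.

# ftp and telnet are the page's examples; adding the daemons is an assumption.
# Per Table 1, all four are carved out of bos.net.tcp.client.
DENY="bos.net.tcp.ftp bos.net.tcp.ftpd bos.net.tcp.telnet bos.net.tcp.telnetd"
SHELL_PKG="bos.net.tcp.client"

# Constructed sample in the colon-separated style of `lslpp -Lc`
# (fileset name in field 2; layout assumed, descriptions made up).
sample_inventory() {
    cat <<'EOF'
#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.net:bos.net.tcp.client:7.2.0.0: : :C: :sample shell package
bos.net:bos.net.tcp.client_core:7.2.0.0: : :C: :sample core
bos.net:bos.net.tcp.ftp:7.2.0.0: : :C: :sample ftp client
bos.net:bos.net.tcp.telnet:7.2.0.0: : :C: :sample telnet client
bos.net:bos.net.tcp.ntp:7.2.0.0: : :C: :sample ntp client
EOF
}

# plan_removal: inventory on stdin, one command per line on stdout.
plan_removal() {
    awk -F: -v deny="$DENY" -v shellpkg="$SHELL_PKG" '
        BEGIN { n = split(deny, d, " ") }
        /^#/  { next }                  # header line
        { installed[$2] = 1 }
        END {
            for (i = 1; i <= n; i++) if (d[i] in installed) hits++
            if (!hits) exit             # no banned fileset present
            # The shell package must go first (see the procedure above);
            # lslpp -d shows what else still depends on it.
            if (shellpkg in installed) {
                print "lslpp -d " shellpkg
                print "installp -u " shellpkg
            }
            for (i = 1; i <= n; i++)
                if (d[i] in installed) print "installp -u " d[i]
        }'
}

sample_inventory | plan_removal
```

On a live system the sample function would be replaced by the real inventory piped into plan_removal, and an empty result means none of the denied filesets are installed.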
Considerations for migration installation
In AIX 7.2, some packages have moved from the base media to the expansion pack. Those packages, if installed, will not be updated in a migration installation (of 7.2) from the base media only. Their old dependency information would prevent the removal of the shell packages. In such a case, upgrade to the newer level of the software shipped on the expansion pack to clear the stale dependency.
There are two filesets requiring this special treatment:
- Java6.sdk (most likely as it was previously installed by default)
- bos.cifs_fs.rte (less likely as it was never installed by default)
Last, a helpful YouTube video by Shawn Bodily (Clear Technologies) on AIX network applications packaging changes in 7.2