Aaron Hunter
2015-Apr-12 12:22 UTC
[asterisk-users] Recommended changes to the binary packaging system
I think the way Digium has structured the binary packages could use a major change. I rely on the binary packages rather than compiling by source because my systems are managed by an automated CM tool (I use Ansible but those using Chef or Puppet will face the same problems) and for security reasons. I use the CentOS packages. Some issues with the current package structure are: - It installs unneeded repositories. The asterisknow package install 12 repositories, of which I use at most 4 (2 asterisk and 2 digium) - It changes which repositories are enabled and disabled. - It overwrites .repo files - Packages are not signed - It overwrites /etc/issue which is a security violation (albeit a minor one). - It installs packages I don't need such as the dahdi ones.( Maybe some of these are needed for a minimal system, I could be wrong.) - It requires the "--enablerepo=x" in the yum command line The conflict between the Digium repositories and epel is a problem for me as well but since I can't determine what the actual cause is (probably package naming issues) I won't include it in my list. These problems break the automated management of my system and cause security concerns. Instead of the complex current system I would recommend something more simple: - Remove asterisknow or at least make it optional - Allow users to install a minimally functioning asterisk from the asterisk-x and asterisk-current repos only. Any additional modules needed should be installed separately, including those from the commercial digium repositories. - Sign the packages and enable gpgcheck - Don't overwrite system files or current .repo files In other words: install asterisk .repo files, yum install asterisk, install config files, done. If others on this list also use automated tools to manage their systems I'd like to hear how you handle the installation and maintenance of asterisk. Thank you, Aaron -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20150412/21258f7f/attachment.html>
Tzafrir Cohen
2015-Apr-19 16:21 UTC
[asterisk-users] Recommended changes to the binary packaging system
On Sun, Apr 12, 2015 at 08:22:44AM -0400, Aaron Hunter wrote:> I think the way Digium has structured the binary packages could use a major > change. I rely on the binary packages rather than compiling by source > because my systems are managed by an automated CM tool (I use Ansible but > those using Chef or Puppet will face the same problems) and for security > reasons. I use the CentOS packages.If you don't like the existing packages, build your own packages.> > Some issues with the current package structure are: > - It installs unneeded repositories. The asterisknow package install 12 > repositories, of which I use at most 4 (2 asterisk and 2 digium) > - It changes which repositories are enabled and disabled. > - It overwrites .repo files > - Packages are not signed > - It overwrites /etc/issue which is a security violation (albeit a minor > one). > - It installs packages I don't need such as the dahdi ones.( Maybe some of > these are needed for a minimal system, I could be wrong.)Unless something changed recently, there's a separate package asterisk-dahdi. Don't install it if you don't want it.> - It requires the "--enablerepo=x" in the yum command line > > The conflict between the Digium repositories and epel is a problem for me > as well but since I can't determine what the actual cause is (probably > package naming issues) I won't include it in my list.Do include an example output of a conflict so we can have an idea of the potential problem.> > These problems break the automated management of my system and cause > security concerns. > > Instead of the complex current system I would recommend something more > simple: > - Remove asterisknow or at least make it optional > - Allow users to install a minimally functioning asterisk from the > asterisk-x and asterisk-current repos only. Any additional modules needed > should be installed separately, including those from the commercial digium > repositories. > - Sign the packages and enable gpgcheck > - Don't overwrite system files or current .repo filesWhat's the problem? Have you considered providing your own asterisk.conf with an alternative astetcdir?> > In other words: install asterisk .repo files, yum install asterisk, install > config files, done."yum install asterisk" means it installs a pre-defined set of modules. But you preffered to have a more modular packaging.> > If others on this list also use automated tools to manage their systems I'd > like to hear how you handle the installation and maintenance of asterisk.-- Tzafrir Cohen icq#16849755 jabber:tzafrir.cohen at xorcom.com +972-50-7952406 mailto:tzafrir.cohen at xorcom.com http://www.xorcom.com