Installer is broken, also potential security issue with ansible/GVM install #8

Open
SphericalBastards opened this issue Apr 24, 2022 · 4 comments

@SphericalBastards
SphericalBastards commented Apr 24, 2022

Hi,

Is there any intent to freshen up the installer for newer environments (CentOS 7, CentOS 6 is EOL, etc.) (also for instance, the domain referenced for GVM is a potentially malicious domain now and the install script tries to run bash code from there, potentially creating a security issue for anyone who tries to use as-is. GVM also appears to be a defunct project).

See: ./installer/roles/common/tasks/main.yml: 'Common: Download GVM'

Also, is there any interest in creating a more modern approach for testing such as creating a docker container for running the registry in a testing environment?

Thanks!
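
The concern raised in the comment above, a task that fetches shell code from a remote domain and executes it, can be audited across a role's task files. This is an added example, not part of the original thread or the project's code; the sample tasks, host names and the `find_remote_exec` function are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an Ansible tasks file (NOT the project's real main.yml;
# host names are placeholders under the reserved .invalid TLD).
SAMPLE_TASKS = """\
- name: 'Common: Download tool'
  shell: bash < <(curl -s https://installer.example.invalid/setup)
- name: Install packages
  yum: name=httpd state=present
- name: Fetch helper
  shell: wget -qO- http://get.example.invalid/helper.sh | sh
- name: Fetch archive only
  get_url: url=https://downloads.example.invalid/app.tgz dest=/tmp/app.tgz
"""

URL = re.compile(r"https?://[^\s'\"|)>]+")
FETCH = re.compile(r"\b(curl|wget)\b")
# A shell fed from a pipe, a process substitution, or a command substitution.
EXEC = re.compile(
    r"\|\s*(sudo\s+)?(ba|z|da)?sh\b"      # ... | sh
    r"|\b(ba)?sh\s+<\s*<?\("              # bash < <(...)  or  bash <(...)
    r"|\b(ba)?sh\s+-c\s+[\"']?\$\("       # sh -c "$(...)"
)

def find_remote_exec(tasks_text):
    """Return (line_no, task_name, host) for lines that download and execute code."""
    findings, task = [], None
    for no, line in enumerate(tasks_text.splitlines(), 1):
        m = re.match(r"\s*-\s*name:\s*(.+)", line)
        if m:
            task = m.group(1).strip().strip("'\"")
            continue
        if FETCH.search(line) and EXEC.search(line):
            for url in URL.findall(line):
                findings.append((no, task, urlparse(url).hostname))
    return findings

if __name__ == "__main__":
    for no, task, host in find_remote_exec(SAMPLE_TASKS):
        print(f"line {no}: task {task!r} executes code fetched from {host}")
```

Each reported host is a domain whose current ownership needs checking before the role is run; a plain download such as the `get_url` task is not flagged because nothing on that line executes the result.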

@vladimir-mencl-eresearch
Contributor

Hi,

Thanks for reaching out.

We are currently maintaining this fork for our internal use only - and the installer code is something we just "inherited" from upstream and never used.

Perhaps it might be easiest to just remove the installer, or very clearly mark it as unsupported.

Do you have a specific need for running a Federation Registry instance, or was this comment just based on general interest?

Cheers,
Vlad

@SphericalBastards
Author

SphericalBastards commented Apr 26, 2022

I had assumed the installer code was languishing, though the security issue is concerning enough that others that may want to "kick the tires" might stumble into it with bad results. There's probably enough in the ansible tasks for me to recreate an installation through other means, but wanted to at least let you know about this.

I do have a specific need for at least being able to run at least a proof-of-concept Federation Registry of some sort at present, and I am looking at this as potentially filling that need. Future use might see the functionality rewritten in a different implementation. However, just for a PoC something usable would be ideal and there are not very many web-based federation registries out there for multilateral federations. So, more than just a casual general interest.

@vladimir-mencl-eresearch
Contributor

Thanks - I'll put a warning into the installer documentation, and I'll comment out this task just to avoid the issue. It would be an "install Groovy/Grails yourself" recommendation.

@James-REANNZ, would you be OK with making such a PR against tuakiri-develop yourself?

@SphericalBastards, would you be able to share more about your use case? If you'd rather send it in a private email (instead of posting publicly), my email is vladimir dot mencl at reannz dot co dot nz.

Cheers,
Vlad

@SphericalBastards
Author

Thanks, Vladimir. I'll reach out directly. Please expect an email shortly.