ctubbsii commented on a change in pull request #411:
URL: https://github.com/apache/fluo-muchos/pull/411#discussion_r722491026
##########
File path: ansible/roles/proxy/tasks/main.yml
##########
@@ -25,3 +25,10 @@
file: path={{ tarballs_dir }} state=directory
- name: "copy /etc/hosts to proxy"
template: src=roles/proxy/templates/etc_hosts dest=/etc/etc_hosts owner=root
group=root mode=0644
+# Update ca-certificates to ensure that CA certificates are new enough
+# to support SSL verification against websites used to download software
+- name: "update ca-certificates package to latest version"
+ yum:
+ name: 'ca-certificates*'
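Review bot: On the added `name: 'ca-certificates*'` line, the trailing glob makes this task act on every package whose name starts with `ca-certificates`, while the task title and the comment above it refer to the single ca-certificates package. Use the exact name, `name: ca-certificates`, so the scope of the update matches what the task says it does.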
Review comment:
Why the wildcard? That seems questionable. RPMs are named based on
artifact name, (epoch), version, and release (followed by arch). For YUM, it is
sufficient to install/update by name only. See
https://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/
To install or update the ca-certificates RPM, it is sufficient to specify
`ca-certificates`. Adding the wildcard would match on tangentially related
packages, perhaps debug packages, or 3rd party packages that start with that
pattern. It does help that `update_only` is specified, so you don't install any
new packages, but it still implies that this could grab more than intended.
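The name-matching point in the review comment above, as an added example that is not part of the review or of the fluo-muchos code: it splits package strings into name, epoch, version, release and arch, then compares what the exact name and the glob select. The package list is constructed, the helper names are hypothetical, and matching on the name field alone is a simplification of how yum resolves a package spec.

```python
import fnmatch
import re

# Constructed sample of installed packages in NEVRA form
# (name-[epoch:]version-release.arch); not taken from a real host.
INSTALLED = [
    "ca-certificates-2021.2.50-72.el7_9.noarch",
    "ca-certificates-debuginfo-2021.2.50-72.el7_9.x86_64",
    "ca-certificates-extras-0:1.0-1.el7.noarch",  # hypothetical third-party package
    "openssl-1:1.0.2k-22.el7_9.x86_64",
]

# The name may itself contain hyphens, so the last two hyphens delimit
# version and release; the epoch is optional and precedes the version.
NEVRA = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-:]+)"
    r"-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(pkg):
    """Split one NEVRA string into its fields (epoch is None when absent)."""
    m = NEVRA.match(pkg)
    if m is None:
        raise ValueError(f"not a NEVRA string: {pkg!r}")
    return m.groupdict()


def selected_names(spec, installed=INSTALLED):
    """Package names that a name spec (exact or glob) would select."""
    names = {parse_nevra(p)["name"] for p in installed}
    return sorted(n for n in names if fnmatch.fnmatchcase(n, spec))


def extra_matches(glob_spec, exact_name, installed=INSTALLED):
    """Names the glob selects beyond the one package that was intended."""
    return [n for n in selected_names(glob_spec, installed) if n != exact_name]


if __name__ == "__main__":
    print("exact:", selected_names("ca-certificates"))
    print("glob: ", selected_names("ca-certificates*"))
    print("extra:", extra_matches("ca-certificates*", "ca-certificates"))
```
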
##########
File path: ansible/roles/influxdb/defaults/main.yml
##########
@@ -16,4 +16,4 @@
#
influxdb_rpm: influxdb-1.8.3.x86_64.rpm
-influxdb_checksum:
"sha512:4c0557c24e5083e9d94d49cfad496f45421bb50aacf75737ca6bff36c8ef276af884c5419b5cc74e4fa1e8062e6bee18af53e3650eaa8a6ecd656346151ea87c"
+influxdb_checksum:
"sha512:60abf31c70beb8a391ded82569532a255384516da0b3c287d20065fe7047be343c50b37bbe31d5dd8df4bcb31144ef696b90e21d6739ce375b7e4fc33bae4f03"
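Review bot: `influxdb_checksum` changes while the context line `influxdb_rpm: influxdb-1.8.3.x86_64.rpm` stays the same, so the pinned digest is being replaced for an unchanged file name and version. Nothing in the hunk records where the new sha512 value comes from; add a comment above `influxdb_checksum` naming the source the digest was checked against, so a reviewer can confirm it independently of the download itself.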
Review comment:
This is out of scope of this PR, and comes with security risks that need
to be checked to ensure the RPM isn't modified in some way. Please put this in
a separate PR, in case we need to discuss it. There's previous history with
this. See #381