REANNZ / federationregistry2-Tuakiri

Federation Registry2 by the Australian Access Federation - local Tuakiri customizations
http://www.aaf.edu.au
Apache License 2.0

Installer is broken, also potential security issue with ansible/GVM install #8

Open SphericalBastards opened 2 years ago

SphericalBastards commented 2 years ago

Hi,

Is there any intent to freshen up the installer for newer environments (CentOS 7, CentOS 6 is EOL, etc.)? Also, for instance, the domain referenced for GVM is a potentially malicious domain now and the install script tries to run bash code from there, potentially creating a security issue for anyone who tries to use it as-is. GVM also appears to be a defunct project.

See: ./installer/roles/common/tasks/main.yml: 'Common: Download GVM' https://github.com/REANNZ/federationregistry2-Tuakiri/blob/19ee077d210a3c25cba9b447fbc9efc2bf57d773/installer/roles/common/tasks/main.yml#L34

Also, is there any interest in creating a more modern approach for testing such as creating a docker container for running the registry in a testing environment?

Thanks!

vladimir-mencl-eresearch commented 2 years ago

Hi,

Thanks for reaching out.

We are currently maintaining this fork for our internal use only - and the installer code is something we just "inherited" from upstream and never used.

Perhaps it might be easiest to just remove the installer, or very clearly mark it as unsupported.

Do you have a specific need for running a Federation Registry instance, or was this comment just based on general interest?

Cheers, Vlad

SphericalBastards commented 2 years ago

I had assumed the installer code was languishing, though the security issue is concerning enough that others that may want to "kick the tires" might stumble into it with bad results. There's probably enough in the ansible tasks for me to recreate an installation through other means, but wanted to at least let you know about this.

I do have a specific need for at least being able to run at least a proof-of-concept Federation Registry of some sort at present, and I am looking at this as potentially filling that need. Future use might see the functionality rewritten in a different implementation. However, just for a PoC, something useable would be ideal and there's not very many web-based federation registries out there for multilateral federations. So, more than just a casual general interest.

vladimir-mencl-eresearch commented 2 years ago

Thanks - I'll put a warning into the installer documentation, and I'll comment out this task just to avoid the issue. It would be an "install Groovy/Grails yourself" recommendation.

@James-REANNZ, would you be OK with making such a PR against tuakiri-develop yourself?

@SphericalBastards, would you be able to share more about your use case? If you'd rather send it in a private email (instead of posting publicly), my email is vladimir dot mencl at reannz dot co dot nz.

Cheers, Vlad

SphericalBastards commented 2 years ago

Thanks, Vladimir. I'll reach out directly. Please expect an email shortly.
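
An added example, not code from this repository or from anyone in the thread: a small Python audit for the pattern this issue reports, an inherited Ansible task that downloads a script and runs it in a shell. It also flags `get_url` tasks with no `checksum`, and lists the remote hosts so each can be checked for lapsed ownership. The sample tasks and the `example.invalid` hosts are constructed; the project's actual `main.yml` is not reproduced.

```python
import re
from urllib.parse import urlparse

# Constructed sample task file (assumption), NOT the project's main.yml.
SAMPLE_TASKS = """\
- name: 'Common: Download tool (constructed)'
  shell: curl -s http://get.tool.example.invalid | bash

- name: Fetch archive without integrity check (constructed)
  get_url:
    url: https://downloads.example.invalid/app.tar.gz
    dest: /tmp/app.tar.gz

- name: Fetch archive with pinned digest (constructed)
  get_url:
    url: https://downloads.example.invalid/app.tar.gz
    dest: /tmp/app.tar.gz
    checksum: "sha256:<pinned-digest-placeholder>"
"""

URL_RE = re.compile(r"https?://[^\s'\"|)]+")
# curl/wget output piped straight into a shell interpreter
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")

def split_tasks(text):
    """Split a task file into chunks, one per top-level '- ' list item."""
    return [c for c in re.split(r"(?m)^(?=- )", text) if c.strip()]

def audit(text):
    """Return (task name, finding, remote hosts) for each risky task."""
    findings = []
    for task in split_tasks(text):
        m = re.search(r"name:\s*(.+)", task)
        name = m.group(1).strip().strip("'\"") if m else "<unnamed>"
        hosts = sorted({h for u in URL_RE.findall(task)
                        if (h := urlparse(u).hostname)})
        if PIPE_TO_SHELL_RE.search(task):
            findings.append((name, "pipe-to-shell", hosts))
        elif (re.search(r"(?m)^\s+get_url:", task)
              and not re.search(r"(?m)^\s+checksum:", task)):
            findings.append((name, "unverified-download", hosts))
    return findings

if __name__ == "__main__":
    for name, kind, hosts in audit(SAMPLE_TASKS):
        print(f"{kind}: {name} -> {', '.join(hosts)}")
```

To audit a real checkout, read each `tasks/*.yml` file under the installer roles and pass its text to `audit()`.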