[asterisk-dev] Security Patches for third-party/patches: How to force a fresh build?
Michael Maier
m1278468 at mailbox.org
Thu Mar 18 14:18:12 CDT 2021
On 18.03.21 at 17:09 Alexander Traud wrote:
> Some folks might not download the whole Asterisk, apply their patches, and
> build Asterisk but download just the last diff/patch, apply that, and re-build
> Asterisk.
>
> Those diffs/patches are available via
> <https://downloads.asterisk.org/pub/telephony/asterisk/> which is terribly
> handy when you have many custom patches.
>
> Now comes my concern. The last security fix included a patch for the bundled
> PJ-Project (ASTERISK-29196). With that applied, the PJ-Project does not
> re-build automatically. One has to touch
> third-party/pjproject/patches/config_site.h for example, to trigger a fresh
> build of the PJ-Project.
>
> I am not sure everyone knows that. Those users have the latest version of
> Asterisk but not of the PJ-Project. That is a headache for support. In this
> case, they even face a security concern. I am thinking about changing one file
> permission twice within the patch file. Any other idea?
You're probably right. But people seriously operating a phone environment
(especially if they have (a lot of) own patches) should be very careful about
their version management and how to easily revert to a known working version
without losing any data.
That's why I'm always building asterisk from scratch based on a carefully
documented spec file. This ensures / provides:
- proper versioning
- documentation about changes and added (own) patches
- easy deployment
- easy fall back if problems occur with the new version
- reproducibility
Building asterisk nowadays each time from scratch in a clean environment shouldn't
be any headache. I'm doing this on a VM in < 1 minute including rpm debuginfo package.
As a starting point, you can use the sangoma srpm e.g. and modify this one
according to your own requirements.
Thanks
Michael
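The staleness problem raised in the thread, as an added example that is neither part of the original post nor Asterisk's own build code: after applying a downloaded diff, compare the files under third-party/pjproject/patches against a marker written when the bundled PJ-Project was last built, and if any of them is newer, touch config_site.h the way the thread describes so the next make rebuilds PJ-Project. The marker file name (.pjproject-built) and the patch file name used in the demo are constructed for this example; Asterisk keeps no such marker itself.

```shell
#!/bin/sh
# Added example, not from the thread or the Asterisk project.
# Detects a PJ-Project patch that landed after the last PJ-Project build
# and forces a fresh build by touching config_site.h (as the thread suggests).

# needs_pjproject_rebuild TREE STAMP
# Exit status 0 (true) when STAMP is missing or any file under
# TREE/third-party/pjproject/patches has a newer mtime than STAMP.
needs_pjproject_rebuild() {
    tree="$1"
    stamp="$2"
    [ -f "$stamp" ] || return 0
    newer=$(find "$tree/third-party/pjproject/patches" -type f -newer "$stamp" | head -n 1)
    [ -n "$newer" ]
}

# force_pjproject_rebuild TREE
# Touch config_site.h so the bundled PJ-Project is rebuilt on the next make.
force_pjproject_rebuild() {
    touch "$1/third-party/pjproject/patches/config_site.h"
}

# mark_pjproject_built STAMP
# Call this after a successful PJ-Project build; STAMP is our own marker
# (an assumption of this example, not something Asterisk writes).
mark_pjproject_built() {
    touch "$1"
}

# Demo on a constructed source tree in a temporary directory.
demo() {
    tree=$(mktemp -d)
    patches="$tree/third-party/pjproject/patches"
    stamp="$tree/.pjproject-built"   # constructed marker name
    mkdir -p "$patches"

    # A build finished on 17 Mar 2021; config_site.h predates it.
    touch -t 202103171200 "$patches/config_site.h"
    touch -t 202103171300 "$stamp"
    if needs_pjproject_rebuild "$tree" "$stamp"; then
        echo "before patch: unexpected rebuild request"
    else
        echo "before patch: PJ-Project up to date"
    fi

    # The security diff adds a patch file on 18 Mar 2021 (constructed name).
    touch -t 202103181400 "$patches/0099-constructed-security-fix.patch"
    if needs_pjproject_rebuild "$tree" "$stamp"; then
        echo "after patch: PJ-Project stale, forcing rebuild"
        force_pjproject_rebuild "$tree"
        # ... run make here, then record the rebuild:
        mark_pjproject_built "$stamp"
    fi

    rm -rf "$tree"
}

demo
```

Run the check right after `patch -p1 < asterisk-X.Y.Z-patch` and before `make`; if it reports the PJ-Project as stale, the touch guarantees the bundled copy is rebuilt with the fix rather than silently reusing the old objects.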