[asterisk-dev] Security Patches for third-party/patches: How to force a fresh build?

Michael Maier m1278468 at mailbox.org
Thu Mar 18 14:18:12 CDT 2021

On 18.03.21 at 17:09 Alexander Traud wrote:
> Some folks might not download the whole Asterisk, apply their patches, and
> build Asterisk but download just the last diff/patch, apply that, and re-build
> Asterisk.
> Those diffs/patches are available via 
> <https://downloads.asterisk.org/pub/telephony/asterisk/> which is terrible
> handy when you have many custom patches.
> Now comes my concern. The last security fix included a patch for the bundled
> PJ-Project (ASTERISK-29196). With that applied, the PJ-Project does not
> re-build automatically. One has to touch
> third-party/pjproject/patches/config_site.h for example, to trigger a fresh
> build of the PJ-Project.
> I am not sure everyone knows that. Those users have the latest version of
> Asterisk but not of the PJ-Project. That is a headache for support. In this
> case, they even face a security concern. I am thinking about changing one file
> permission twice within the patch file. Any other idea?

You're probably right. But people seriously operating a phone environment 
(especially if they have (a lot of) own patches), should be very careful about 
their version management and how to easily revert to a known working version 
without loosing any data.

That's why I'm always building asterisk from scratch based on a carefully 
documented spec file. This ensures / provides:
- proper versioning
- documentation about changes and added (own) patches
- easy deployment
- easy fall back if problems occur with the new version
- reproducibility

Building asterisk nowadays each time from scratch in a clean environment shouldn't 
be any headache. I'm doing this on a VM in < 1 minute including rpm debuginfo package.

As a starting point, you can use the sangoma srpm e.g. and modify this one 
according your own requirements.


More information about the asterisk-dev mailing list