Posted to user@guacamole.apache.org by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID> on 2022/05/06 18:40:21 UTC
Installing ffmeg-devel and tomcat
Are there any repositories for Guacamole that install ffmpeg-devel and tomcat that are United States only? We've had to tighten up our firewalls and we are not permitted to access non-US repositories. So we can no longer install new Guacamole instances because the install process is having us install EPEL and RPMFusion RPMs, and those seem to be going to Denmark and Canada.
Thanks,
Harry
Harry Devine
Secure-OSE System Administrator
Red Hat Certified System Administrator (RHCSA)
Work: (609) 485-4218
FAA Cell: (609) 612-7274
Home Office/Telework: (609) 547-3579
RE: Installing ffmeg-devel and tomcat
Posted by Sean Hulbert <sh...@securitycentric.net.INVALID>.
Have your admin add the url(s) to a greylist, and inform him/her this is how most repos work in the world, to minimize the ssl(tls) packet overhead in bandwidth for page load to downloads/uploads. Unless they are super junior and don't understand what ssl(tls) is used for, this shouldn't be an issue. Https doesn't stop viruses or malicious code execution, it's meant to encrypt communication of sensitive data, personal information, login credentials.
Best of luck with your admin, and hope I gave enough information on the differences of http and https for you to bring to your network admin.
Also like to point out that http is still allowed in CMMC and DFARs as well as NIST 800s when no login or sensitive data is being processed. That is like saying the sites need an ECA certificate. Alternatively you can build a private repository for internal use and validate new packages in a devsecops sandbox as they are released.
Sean
Sent by Android Ai hijacked INS communications 6G
-------- Original message --------
From: "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>
Date: 5/10/22 5:21 AM (GMT-08:00)
To: user@guacamole.apache.org
Subject: RE: Installing ffmeg-devel and tomcat
There is a need when our network admins block http going out and only allow https.
Harry
From: Sean Hulbert <sh...@securitycentric.net.INVALID>
Sent: Monday, May 9, 2022 5:05 PM
To: user@guacamole.apache.org
Subject: RE: Installing ffmeg-devel and tomcat
No need to HTTPS and put extra overhead on a site and doesn’t require login creds.
Thank You
Sean Hulbert
Founder / CEO
Work Ph: 925.292.4309
www.securitycentric.net
A Cybersecurity Enablement Company
We don't just run you through the motions, Our labs teach you how to think!
System Award Management
CAGE: 8AUV4
AFCEA San Francisco Chapter V.P.
If you have heard of a hacker by name, he/she has failed, fear the hacker you haven’t heard of!
CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication. Content within this email communication is not legally binding as a contract and no promises are guaranteed unless in a formal contract outside this email communication.
igitur qui desiderat pacem, praeparet bellum!!!
Epitoma Rei Militaris
From: Devine, Harry (FAA) [mailto:harry.devine@faa.gov.INVALID]
Sent: Monday, May 9, 2022 11:37 AM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: RE: Installing ffmeg-devel and tomcat
I am, and there are 4, and all 4 are http, not https. In fact, all of the mirrors (including other countries) are http only. Strange that in 2022 these mirrors aren’t https.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Monday, May 9, 2022 2:35 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
Are there any that are https? We aren’t allowed to contact http-only sites either.
I don't know - you'll have to look at the mirror pages and see.
-Nick
RE: Installing ffmeg-devel and tomcat
Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
There is a need when our network admins block http going out and only allow https.
Harry
From: Sean Hulbert <sh...@securitycentric.net.INVALID>
Sent: Monday, May 9, 2022 5:05 PM
To: user@guacamole.apache.org
Subject: RE: Installing ffmeg-devel and tomcat
No need to HTTPS and put extra overhead on a site and doesn’t require login creds.
Thank You
Sean Hulbert
From: Devine, Harry (FAA) [mailto:harry.devine@faa.gov.INVALID]
Sent: Monday, May 9, 2022 11:37 AM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: RE: Installing ffmeg-devel and tomcat
I am, and there are 4, and all 4 are http, not https. In fact, all of the mirrors (including other countries) are http only. Strange that in 2022 these mirrors aren’t https.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Monday, May 9, 2022 2:35 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
Are there any that are https? We aren’t allowed to contact http-only sites either.
I don't know - you'll have to look at the mirror pages and see.
-Nick
RE: Installing ffmeg-devel and tomcat
Posted by Sean Hulbert <sh...@securitycentric.net.INVALID>.
No need to HTTPS and put extra overhead on a site and doesn’t require login creds.
Thank You
Sean Hulbert
From: Devine, Harry (FAA) [mailto:harry.devine@faa.gov.INVALID]
Sent: Monday, May 9, 2022 11:37 AM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: RE: Installing ffmeg-devel and tomcat
I am, and there are 4, and all 4 are http, not https. In fact, all of the mirrors (including other countries) are http only. Strange that in 2022 these mirrors aren’t https.
Thanks,
Harry
From: Nick Couchman <vnick@apache.org>
Sent: Monday, May 9, 2022 2:35 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA) <harry.devine@faa.gov.invalid> wrote:
Are there any that are https? We aren’t allowed to contact http-only sites either.
I don't know - you'll have to look at the mirror pages and see.
-Nick
RE: Installing ffmeg-devel and tomcat
Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
OK, no problem. I did find that I can change http to https and it hits the mirror as https, but I have other dependency issues. I’ll keep looking.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Monday, May 9, 2022 2:38 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:36 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
I am, and there are 4, and all 4 are http, not https. In fact, all of the mirrors (including other countries) are http only. Strange that in 2022 these mirrors aren’t https.
Okay, but this project/community doesn't control those mirrors, so, if you need HTTPS, you'll have to reach out to the maintainers of those pages. I don't have any inside information - I'm looking at exactly the same thing you are looking at.
-Nick
Re: Installing ffmeg-devel and tomcat
Posted by Nick Couchman <vn...@apache.org>.
On Mon, May 9, 2022 at 2:36 PM Devine, Harry (FAA)
<ha...@faa.gov.invalid> wrote:
> I am, and there are 4, and all 4 are http, not https. In fact, all of the
> mirrors (including other countries) are http only. Strange that in 2022
> these mirrors aren’t https.
>
>
Okay, but this project/community doesn't control those mirrors, so, if you
need HTTPS, you'll have to reach out to the maintainers of those pages. I
don't have any inside information - I'm looking at exactly the same thing
you are looking at.
-Nick
RE: Installing ffmeg-devel and tomcat
Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
I am, and there are 4, and all 4 are http, not https. In fact, all of the mirrors (including other countries) are http only. Strange that in 2022 these mirrors aren’t https.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Monday, May 9, 2022 2:35 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
Are there any that are https? We aren’t allowed to contact http-only sites either.
I don't know - you'll have to look at the mirror pages and see.
-Nick
Re: Installing ffmeg-devel and tomcat
Posted by Nick Couchman <vn...@apache.org>.
On Mon, May 9, 2022 at 2:32 PM Devine, Harry (FAA)
<ha...@faa.gov.invalid> wrote:
> Are there any that are https? We aren’t allowed to contact http-only
> sites either.
>
>
I don't know - you'll have to look at the mirror pages and see.
-Nick
RE: Installing ffmeg-devel and tomcat
Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
Are there any that are https? We aren’t allowed to contact http-only sites either.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Monday, May 9, 2022 2:06 PM
To: user@guacamole.apache.org
Cc: harry.devine@faa.gov.invalid
Subject: Re: Installing ffmeg-devel and tomcat
On Mon, May 9, 2022 at 2:00 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
OK, good news and bad news: I was able to update my Ansible Playbook to grab the RPM Fusion free & non-free RPM from a US mirror. The bad news is that once that gets installed, it creates a repo file under /etc/yum.repos.d that has the following for its mirrorlist:
mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
The issue with this in our case is that the mirror goes out to Canada and Germany, which we block as per our government security requirements. Absolutely NO non-US repositories are allowed with NO exceptions. If we can’t contact a US repository to install the necessary packages, we will have to abandon Guacamole and look for other alternatives.
Is there a mirrorlist or baseurl that does the package installation that we can guarantee is a US repository? I’m OK with having our own maintained repo file that we push out to a system for Guacamole installation, I just need to find a URL that’s US only.
Yes, if you go to the pages I sent you before - for example, the RPMFusion mirror list, and you filter for the one you're interested in (RPMFusion Free for EL -> 8 -> x86_64, for example), and scroll to the bottom, you'll see US mirrors. Just change the "baseurl" line to one of those - for example:
http://mirrors.ocf.berkeley.edu/rpmfusion/free/el/updates/8/x86_64/
(rpmfusion free -> el -> 8 -> x86_64). That particular one is based in Berkeley, CA.
-Nick
Re: Installing ffmeg-devel and tomcat
Posted by Nick Couchman <vn...@apache.org>.
On Mon, May 9, 2022 at 2:00 PM Devine, Harry (FAA)
<ha...@faa.gov.invalid> wrote:
> OK, good news and bad news: I was able to update my Ansible Playbook to
> grab the RPM Fusion free & non-free RPM from a US mirror. The bad news is
> that once that gets installed, it creates a repo file under
> /etc/yum.repos.d that has the following for its mirrorlist:
>
> mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
>
> The issue with this in our case is that the mirror goes out to Canada and
> Germany, which we block as per our government security requirements.
> Absolutely NO non-US repositories are allowed with NO exceptions. If we
> can’t contact a US repository to install the necessary packages, we will
> have to abandon Guacamole and look for other alternatives.
>
>
>
> Is there a mirrorlist or baseurl that does the package installation that
> we can guarantee is a US repository? I’m OK with having our own maintained
> repo file that we push out to a system for Guacamole installation, I just
> need to find a URL that’s US only.
>
>
>
Yes, if you go to the pages I sent you before - for example, the RPMFusion
mirror list, and you filter for the one you're interested in (RPMFusion
Free for EL -> 8 -> x86_64, for example), and scroll to the bottom, you'll
see US mirrors. Just change the "baseurl" line to one of those - for
example:
http://mirrors.ocf.berkeley.edu/rpmfusion/free/el/updates/8/x86_64/
(rpmfusion free -> el -> 8 -> x86_64). That particular one is based in
Berkeley, CA.
-Nick
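Added example (not part of the thread, and not Guacamole or RPM Fusion code): a Python check that audits yum/dnf `.repo` text for the situation discussed above, flagging enabled repos that still use a `mirrorlist`/`metalink` redirector, `baseurl` hosts outside an approved list, and repos without `gpgcheck`. The allowlist, the function name, the `require_https` switch and the second stanza are assumptions; only the mirrorlist URL and the Berkeley baseurl come from the messages.

```python
import configparser
from urllib.parse import urlsplit

# Assumption: the site's approved-mirror list. Only this host is from the thread.
APPROVED_HOSTS = {"mirrors.ocf.berkeley.edu"}
OFF = {"0", "false", "no"}

# Constructed sample: the stock mirrorlist entry quoted in the thread, plus a
# hypothetical pinned stanza using the Berkeley baseurl suggested in the reply.
SAMPLE_REPO = """\
[rpmfusion-free-updates]
name=RPM Fusion for EL 8 - Free - Updates
mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
enabled=1
gpgcheck=1

[rpmfusion-free-updates-us]
name=RPM Fusion for EL 8 - Free - Updates (pinned)
baseurl=http://mirrors.ocf.berkeley.edu/rpmfusion/free/el/updates/8/x86_64/
enabled=1
gpgcheck=1
"""

def audit_repo_text(text, approved_hosts=APPROVED_HOSTS, require_https=False):
    """Return sorted (repo_id, finding) pairs for enabled repos that break policy."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() in OFF:
            continue  # disabled repos are never contacted
        for key in ("mirrorlist", "metalink"):
            if sec.get(key):
                # The redirector picks the mirror, so the country is not fixed.
                findings.append((repo, f"{key} set: mirror chosen at run time"))
        for url in sec.get("baseurl", "").split():
            parts = urlsplit(url)
            if parts.hostname not in approved_hosts:
                findings.append((repo, f"unapproved host {parts.hostname}"))
            if require_https and parts.scheme != "https":
                findings.append((repo, f"non-HTTPS baseurl {url}"))
        # Assumption: a missing gpgcheck counts as off; [main] in dnf.conf is
        # not consulted. Signature checks are what authenticate packages
        # fetched from a mirror, whatever the transport.
        if sec.get("gpgcheck", "0").strip().lower() in OFF:
            findings.append((repo, "gpgcheck not enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for repo, finding in audit_repo_text(SAMPLE_REPO, require_https=True):
        print(f"{repo}: {finding}")
```

Run against the files under /etc/yum.repos.d after the release RPM is installed, this shows which stanzas still need the mirrorlist line replaced by a pinned baseurl.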
RE: Installing ffmeg-devel and tomcat
Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
OK, good news and bad news: I was able to update my Ansible Playbook to grab the RPM Fusion free & non-free RPM from a US mirror. The bad news is that once that gets installed, it creates a repo file under /etc/yum.repos.d that has the following for its mirrorlist:
mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-8&arch=$basearch
The issue with this in our case is that the mirror goes out to Canada and Germany, which we block as per our government security requirements. Absolutely NO non-US repositories are allowed with NO exceptions. If we can’t contact a US repository to install the necessary packages, we will have to abandon Guacamole and look for other alternatives.
Is there a mirrorlist or baseurl that does the package installation that we can guarantee is a US repository? I’m OK with having our own maintained repo file that we push out to a system for Guacamole installation, I just need to find a URL that’s US only.
Thanks,
Harry
From: Nick Couchman <vn...@apache.org>
Sent: Friday, May 6, 2022 3:18 PM
To: harry.devine@faa.gov.invalid
Cc: user@guacamole.apache.org
Subject: Re: Installing ffmeg-devel and tomcat
I would check out these pages:
http://mirrors.rpmfusion.org/mm/publiclist/
https://admin.fedoraproject.org/mirrormanager/mirrors/EPEL
I think you can locate by country on those, so you should be able to force to a US-based mirror.
-Nick
On Fri, May 6, 2022 at 2:40 PM Devine, Harry (FAA) <ha...@faa.gov.invalid> wrote:
Are there any repositories for Guacamole that install ffmpeg-devel and tomcat that are United States only? We’ve had to tighten up our firewalls and we are not permitted to access non-US repositories. So we can no longer install new Guacamole instances because the install process is having us install EPEL and RPMFusion RPMs, and those seem to be going to Denmark and Canada.
Thanks,
Harry
Re: Installing ffmeg-devel and tomcat
Posted by Nick Couchman <vn...@apache.org>.
I would check out these pages:
http://mirrors.rpmfusion.org/mm/publiclist/
https://admin.fedoraproject.org/mirrormanager/mirrors/EPEL
I think you can locate by country on those, so you should be able to force
to a US-based mirror.
-Nick
On Fri, May 6, 2022 at 2:40 PM Devine, Harry (FAA)
<ha...@faa.gov.invalid> wrote:
> Are there any repositories for Guacamole that install ffmpeg-devel and
> tomcat that are United States only? We’ve had to tighten up our firewalls
> and we are not permitted to access non-US repositories. So we can no
> longer install new Guacamole instances because the install process is
> having us install EPEL and RPMFusion RPMs, and those seem to be going to
> Denmark and Canada.
>
>
>
> Thanks,
>
> Harry