On Thu, Oct 19, 2023 at 02:01:45PM +0000, Jan Harris via IBM TechXchange Community wrote:
> You do not need an OSS contract to install DNF.
That is true. However the number of visible issues with the AIX
Toolkit has skyrocketed since the introduction of additional
dependencies and the use of DNF. With my professional customers I can
only recommend using the Toolkit under support.
If we were administering Redhat systems, and there was a popular
movement to install a second parallel package manager (say, Guix), it
would cause the same friction and breakage. We'd have the same
conversation about which method is supported, and rightly question why
the other is needed.
I think the Toolkit should have provided LPP packages from the start,
so that there was no conflict. Or common packages should be provided
as standalone RPMs without dependencies. It is not reasonable to
insist on fully setting up parallel software packaging for one package.
> The DNF support is provided through this forum.
Most customers expect high quality support from IBM, not a web
forum. My recommendation to only use DNF under support from IBM is
because IBM Support can provide more thorough support than a web
forum. We are working on production systems in sensitive environments.
> In fact, many customers get fast resolution because they are able
> to communicate directly with the AIX OSS development team through
> the community.
I agree. I do think the feedback is useful. In particular I give them
strong praise for keeping up with the large volume of CVEs in a prompt
manner.
> Community support is common for OSS, across platforms. In fact, if
> you need sudo help, you have to join the sudo community. I have
> directed countless customers to the DNF starting point:
Not to spread FUD, but we're talking about installing a separate OSS
product to arbitrate access to the root account. That's bad enough,
but also without IBM support?
> In fact, many SMEs in AIX development and support use DNF even
> behind firewalls, using Sangamesh's instructions:
Certainly you can proxy the downloads. It doesn't mean you aren't
installing unsupported software on production servers.
> Additionally, many IBM products have dependencies on AIX Toolbox
> packages now, so the likelihood that "sudo" will be the ONLY OSS
> package on the system is decreasing regularly.
Then IBM should be shipping those as LPPs with the product or on the
expansion pack. Or ensuring the package includes support for DNF.
This means now we have to do software management through two package
managers with multiple sources, two sets of software version to report
to cybersecurity, and a significant increase in patch frequency.
> I have seen many issues where customers have non-toolbox packages
> that have installed their own dependencies in to /opt/freeware,
> causing conflicts for future installations.
Of course. Parallel packaging causes problems. You're providing
additional points supporting that there is a packaging conflict.
I'm well aware that I'm advocating conservative software management
practices against the convenience of quickly installing OSS
tools.
AIX systems are typically the largest servers in critical customer
environments. We have strict change controls, strict network access,
and only use trusted software sources.
I appreciate that the Toolkit team maintains a set of OSS packages
available for install. Using those resources under a support contract
allows IBM to monitor the issues with DNF and RPMs, and conforms to
the policy of only using supported software in production.
That way when DNF breaks, you can rely on IBM support to resolve your
problem discretely and in a timely manner.
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nlPrincipal Consultant Adams Systems Consultancy
https://adamssystems.nl/
Original Message:
Sent: 10/19/2023 10:02:00 AM
From: Jan Harris
Subject: RE: SUDO dependency
I want to offer a different perspective:
You do not need an OSS contract to install DNF. The DNF support is provided through this forum. In fact, many customers get fast resolution because they are able to communicate directly with the AIX OSS development team through the community. Community support is common for OSS, across platforms. In fact, if you need sudo help, you have to join the sudo community. I have directed countless customers to the DNF starting point:
- Get Started with the AIX Toolbox for Open Source Software
In fact, many SMEs in AIX development and support use DNF even behind firewalls, using Sangamesh's instructions:
- Creating a local repo with DNF and the AIX Toolbox Media Image
Additionally, many IBM products have dependencies on AIX Toolbox packages now, so the likelihood that "sudo" will be the ONLY OSS package on the system is decreasing regularly. I have seen many issues where customers have non-toolbox packages that have installed their own dependencies in to /opt/freeware, causing conflicts for future installations.
</main>
</main>
------------------------------
Jan Harris
AIX Development Support (Liaison to the AIX Toolbox for Open Source)
IBM (Contract)
Austin TX
------------------------------
Original Message:
Sent: Thu October 19, 2023 05:37 AM
From: Russell Adams
Subject: SUDO dependency
Incorrect.
The dead simple method is to download sudo precompiled for AIX as a
single RPM from the sudo project.
https://www.sudo.ws/getting/packages/
If you want to add a conflicting non-native parallel package manager
to AIX, requiring internet access and downloading volumes of
questionable dependencies, then install DNF. If you have not
specifically added the OSS contract add-on to your support contract,
do not install DNF.
Alternatively use IBM supported software like SSH to become root.
On Thu, Oct 19, 2023 at 07:55:47AM +0000, Niklas V. via IBM TechXchange Community wrote:
> Hi,
>
>
> the "easiest" way is to install dnf and manage dependencys automatically. Read this guide if you want to know how to install dnf: DNF is now available on AIX Toolbox (ibm.com)
#AIXOpenSource