Hi @bishopolis   - 

I’m a Community Moderator in the Splunk Community. 
This question was posted 12 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

No, let's not let this one fade out. - the question is relevant - the context is relevant, as is the history - the goal is as trivial now, as then, to achieve - the continued "any day now" feeling is important Bump this one. Maybe it's okay for still-relevant issues to be still-relevant, even if it's hard for a small number of us to value something more than a fortnight old. Thanks for your suggestion.

Let me repeat myself and rephrase what I already wrote in https://community.splunk.com/t5/Security/Is-there-a-yum-rpm-repo-for-Splunk/m-p/606611/highlight/tru... in this thread.

You should _not_ be doing unattended updates, especially in a bigger environment, without doing a thorough risk analysis of possible downtime and such.

Apart from that, simple yum update or aptitude upgrade would _not_ leave you in a running state - you still have to run splunk manually at least once to accept license for a new version, perform updates if needed and so on. If you are able to automate _that_, providing source for package download is the least of your problems.

So while it might be indeed useful for your (or mine) splunk free at home, it is not something I would advise anyone to use in production environment.

Splunk is not something that I'd expect yum-cron to manage.

What lets you believe that I intend to do unattended updates? We implemented a very tight release process using tools like RH Satellite.

Then creating a custom repo and uploading a single package once in a while is really not that much of a nuissance, is it?

OK, I admit that maybe UF's could be easier available. In this case you could even risk unattended updates.

> Then creating a custom repo and uploading a single package once in a while is really not that much of a nuissance, is it? As a security person, you may need to review the risks of manual processes with manual validation of forgettable work. It's been well-discussed. We understood these risks in 2000 while producing, securing, and releasing Unix: a repeatable, verifiable, consistent process was not one compatible with manual work. It also was neither scalable nor reliable. I suspect the same is still true in 2023, enterprise space or not, and maybe even more important given the larger scale of resume-driven architecture design. For instance, you may discover with time that proper change control requires processes tested in non-prod to be replicated exactly for production, and you may realize that humans are imperfect even at 'nuissance'[sic] work like that, even after only a few repetitions. Are you confusing 'unattended' with 'unmonitored' or 'negligent'? That may be a little hasty. I've escaped the need to work around splunk's naivete, but I'm still happy to celebrate this birthday in the hopes they may one day learn to use tools built to improve their process and tested for the last 25+ years.

Honestly, I have no idea why you're trying to make it personal.

Nevertheless - a simple, easily documentable procedure which must be performed once a few months is not that hard to do. And in a typical production environment there are so many other steps you have to perform if you have a proper change control process in place that adding one additional one is really not that biggie.

Sorry, that's my personal opinion. You may not share it, that's fine, but it's not a reason to start being offensive.

And providing a "ready to use" source of packages for updates which can easily go haywire is just asking for trouble. I might not use it, you might not use it, but there will be many people who would happily just add the repo to yum and enable yum-cron (or the debian equivalent). And that would obviously end badly. And people would start blaming the vendor (just as I blame Microsoft for very badly written RPMs).

So not providing the repo might actually be a safer choice here. Yeah, there are some dissatisfied users but it's a minor nuisance for them. A bit annoying, but not severe. A stopped or even broken production server because some admin did one yum upgrade too far could mean much more potential loss.

I'm sorry you're deciding it's offensive. If you're confused about release management, proper artifact validation or why we enable signed artifacts from signed sources via pre-programmed tools to avoid human error, it's just an opportunity for learning; nothing more. 'Once a few months'? I hope you're updating your OSS-based gear more often, as even back then the response time for bad actors was very fast. And, too, the longer between releases, the less often a manual process will even *notice* a valid update is in the queue to test and promote internally. If you don't know that, please don't be offended. A bad RPM update is trivial to back out due to how RPMs are built. It's actually a really great thing. If you're assuming these ones will be bad, then it's a fixable problem and far from irremediable . Because you only hose the test rig. Right? Again, please don't be insulted if you're just discovering this now. Broken servers a nothing. Terraform-taint the test rigs and re-apply. Again, please don't let this insult you somehow, and I'm sorry if discovery has that effect. You can surely get there from anywhere you may be now, and it's just a matter of resources and planning. There's absolutely no reason a valid repo isn't provided, and dreaming up contingencies to solve on the downstream side is great brainstorming for customers themselves, but no reason to withhold adequacy. And, it starts to sound like an excuse by Year Eleven. Have a great day. Try not to be insulted!

That's what I was talking about. You make assumptions about me and you try to talk from position of superiority even though nothing warrants that.

Let me give you the benefit of a doubt and assume that it's either because english is not your native language (mine either) or you're young and full of yourself and think that your point of view is the onky valid one. In such case, don't worry, most people, including yours trully, grow out of this phase.

Let me just tell you that no, sometimes a bad rpm update is not that easy to rollback. Just like any other update. If your data gets damaged what good to you is that you can redeploy the software? Regardless of whether it's terraform, puppet, ansible, your own bash scripts or even SCCM, if your data is damaged... well, you're in deep heap of manure.

That's why - for example - you have separate packages for different postgres major versions in most distributions - so that nothing gets accidentally updated in such a way that would render your environment inoperable.

Also I'm pretty sure "once every few months" is a pretty accurate desciption of splunk release history.

And that's pretty much it. And these are my last words in this thread. I described my point of view. You may agree with it but don't have to. There's nothing else to be gained here.

Have a nice life.

Silly that this hasn't been addressed in 11 years... lol

You know, after being initially annoyed with lack of a repo as such, I must say that after giving it some thought I don't think it's that much of a problem.

Yes, not having a static (or semi-static) address to download the software from which could be easily incorporated into your script or puppet/ansible/chef/whatever mechanics is a bit frustrating but the repo as such...

Honestly, I wouldn't want my servers to go on and to a yum upgrade just because I have yum-cron set up and there is a new version available. It can make sense in your all-in-one lab installation without any serious data. But in production? What if the new version does introduce some changes which are not fully compatible with your config? What if upgrade fails? Splunk is relatively chatty on upgrade whereas rpm operation should be completely "hands-off". (here a small piece of rant - Microsoft produces worst rpms I've ever seen - they require you to manually accept license during install).

So I don't think that repo as such is that much needed or that it's that good idea at all.

But not having to go through all the hassle with logging in to Splunk's website just to get the download link which you can supply to your wget would be a major help.

Happy 8th birthday, question 33933 !

It's been 96 months since you were first recorded.

And while the RPM technology hasn't changed significantly in 21 years, it's still a really big challenge.

Hang in there, question 33933 !

happy 9th bday!

 

seriously though... c'mon splunk