Please clarify meaning of "Approach A: Bitnami installations using system packages"

Keywords: WordPress - AWS - Technical issue - Services (Apache, MariaDB, MySQL…)

bnsupport ID: d5ff1e5c-ca69-c3d1-830e-626580e96ee9

bndiagnostic output:

? Apache: Found possible issues
? Connectivity: Found possible issues
? Wordpress: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/general/faq/administration/use-firewall/

bndiagnostic failure reason: The suggested guides are not related with my issue

Description:
The documentation at https://docs.bitnami.com/aws/faq/get-started/understand-upcoming-changes/ (and on every page referring to it by means of a notification box) seems to suggest that newer images (exclusively) make use of OS (here: Debian Linux) provided software packages. At least it can be easily (mis)understood this way.

However, Bitnami WordPress images still seem to ship pre-built Apache HTTPs, MariaDB and other services / software. I.e. this software is still shipped in a fixed version with the Bitnami image, which means that no security updates for these services can be provided by operating system packages.

The current documentation seems to indicate that all (or the vast majority of) packages now come from the operating system, which would mean they would immediately benefit from security patches provided by the OS. But this is not the case.

Please clearly specify which packages are / software is still provided with the Bitnami images, and will require deploying a newer Bitnami image so that security patches (such as the recent Apache 0-Day) are applied.

Hi @olafk,

Unfortunately I can’t provide you with a list but you can check the installed packages using “sudo apt list” for example. If the component doesn’t appear there it means that Bitnami uses its own component.

Regards,
Michiel
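
The check described in the reply above, as an added example that is not part of the original thread or of Bitnami's tooling: it parses `apt list --installed` output and matches package names exactly, so `apache2-utils` or `libapache2-mod-php7.3` is not mistaken for `apache2`. The function name, the sample listing and the Debian package names passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `apt list --installed` output (not from a real image).
SAMPLE_APT_LIST='Listing...
adduser/stable,now 3.118 all [installed]
apache2-utils/stable,now 2.4.38-3+deb10u5 amd64 [installed,automatic]
libapache2-mod-php7.3/stable,now 7.3.29-1~deb10u1 amd64 [installed]
openssl/stable,now 1.1.1d-0+deb10u7 amd64 [installed]'

# classify_components APT_LIST_TEXT NAME...   (hypothetical helper)
# Prints one line per NAME: "<name> os-package <version>" when a package with
# exactly that name is installed, otherwise "<name> not-in-apt".
classify_components() {
    apt_text=$1
    shift
    for name in "$@"; do
        printf '%s\n' "$apt_text" | awk -v want="$name" '
            # Package lines look like: name/suite[,now] version arch [state]
            # The "Listing..." header has no slash and is skipped.
            index($1, "/") {
                split($1, parts, "/")
                if (parts[1] == want) {
                    print want, "os-package", $2
                    found = 1
                    exit
                }
            }
            END { if (!found) print want, "not-in-apt" }
        '
    done
}

# Assumed usage on a live Debian-based image:
#   classify_components "$(apt list --installed 2>/dev/null)" apache2 mariadb-server openssl
```

Following the reply above, a component reported as `not-in-apt` is one that does not receive updates through the operating system's package manager.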

Thanks for your reply, Michiel.

May I suggest clarifying this in the (linked) documentation, though, so that other users will not be misled into (incorrectly) assuming that all components are now OS managed / can receive OS security patches?

Right now, this phrase could easily mislead users:

Bitnami Stacks on Linux will start depending on native system packages for Debian 10, dropping the previous approach of providing a complete self-contained environment.

I suggest adding a note similar to this:

Please note: While the new approach will depend on native system packages, some software will continue to be provided as self-contained builds, and will not benefit from security updates provided by the operating system.

We recommend that you:

  • subscribe to our image release announcements (add link here!) to become aware of security updates to these software components
  • deploy the latest image whenever security-impacted components are updated

Hi @olafk,

Thanks, I pinged our docs team, they will have a look at ways to improve the messaging.

Regards,
Michiel