ZeroMQ and Security Concerns

I’m working on setting up a new Xibo Installation (custom install) using the current version of Xibo on an Apache/IIS server and migrating from my current 1.7.9 installation.

I have primarily been hung up by the ZeroMQ requirement and in working with our webhost support, I learned that the last update to ZeroMQ was version 1.1.3 that was released in 2016, is not being updated for newer versions of PHP (topping out at 7.2, it looks like) and appears to essentially be abandoned by the developer.

Until now, I thought it was required to use ZeroMQ to complete the installation but now realize I can continue and complete the installation without this feature, even though it is recommended during the installation phase.

So, I’m wondering why the Xibo development team would rely so heavily on what appears to be abandoned software with plans to continue adding possibly more dependencies on software that could be a point of potential vulnerability?

Seeing as it appears I can proceed with the installation without it, that is what I’m planning to do, but it would be nice to have some insights on the future of ZeroMQ and how it factors into the Xibo platform long term. Maybe the Xibo team can take over development of it and bring it current.

Hi,

If you plan to use a fresh install inside Unix (Ubuntu / CentOS), you can add andrej/ppa to repositories and find all the libraries needed for php7.4.

In my case, I just added the php-zmq lib and it’s all fine / smooth.

On Windows OS, don’t forget to add the php libs (dll) to the environment variables.
Remember: at this time, Xibo does not support php8.

For security questions, keep in mind the ZMQ lib is used only for com packets that only use ISO layers; there is no need for more security on it because there are other headers that take care of it. You can improve packet security by adding encrypted layers between terminals (sha / md5…).

Use of SSL certificate + HTTP/2 secure headers + .htaccess + firewall and… your server provider service is more than sufficient to maintain a good security level for many scenarios in usual cases.

In case your server is under attack, keep in mind it is targeted for a precise reason that you should know, and the people who try to attack it should not be beginners.

I think you’re confusing libzmq and php-zmq.

php-zmq is a wrapper around the libzmq library - which is updated regularly. The PHP wrapper hasn’t been released for some time that’s true, but it is still actively patched and those patches are in the Docker containers we provide.

libzmq does all the heavy lifting. php-zmq is just a wrapper to the library.

libzmq is used by some of the largest in the Cloud computing industry and so is well tested and maintained.

You are welcome to use Xibo without zmq. You’ll lose push messaging functionality and the ability to run commands in near-real time, but you can use scheduled commands instead.

Thank you for the reply and clarification, Alex. That makes much more sense. I’ve not worked with the ZeroMQ module at all before and have been working with our webhost support to ensure our server had the requirements in order to be able to update to the newest version of Xibo. When we saw that php-zmq hadn’t been updated since 2016, it gave us pause about installing it. I appreciate you taking the time to explain and clarify that. I think our implementation and usage will still be fine without the need for ZeroMQ right now, but it’s good to know this for the future if we decide to go back and enable that for those additional push features.
