Package Verification in OTRS 3.1.16 / 3.2.7

Moderator: crythias

Johannes
Moderator
Posts: 100
Joined: 30 Jan 2008, 02:26
OTRS Version?: 3.X.X
Real Name: Hannes
Company: Znuny|OTTERHUB
Location: Halle/S.
Contact:

Package Verification in OTRS 3.1.16 / 3.2.7

Postby Johannes » 22 May 2013, 14:28

*Info: I wrote this text as a member of the otterhub, not as an employee of Znuny*

Public Service Announcement because this "feature" may affect some of you.

OTRS added a new method to validate packages. To achieve this they send package name and MD5 of every package to a validation server (https://pav.otrs.com/otrs/public.pl?Act ... rification).
(hint: they don't even ask you)

If the package is not validated by the OTRS AG you get a warning that says something like this:

Title: Package not verified by the OTRS Group! It is recommended not to use this package.
Please note that issues that are caused by working with this package are not covered by OTRS service contracts!


If you continue to install this package, the following issues may occur!
-Security problems
-Stability problems
-Performance problems


Leaving aside the fact that you can simply override the Package.pm, or that your OTRS system is not connected to the internet or doesn't have LWP::Protocol::HTTPS installed, this check is ridiculous.
OTRS offers a check to "take full advantage of the OTRS package verification." for third party vendors. I can't even tell how much this hurts the OpenSource part in me :cry: .

At the moment we have no information where to get access for the "package check program", how it works, how much do we have to pay and so on... Hey OTRS what about some more infos on your webpage. *hint*hint*

The most critical point of this behaviour remains the fact that OTRS AG collects data of your system(s) and what you do with it without asking for permission. Existence, IP and information about the usage of your system are sent and registered.
I don't even know if this is legal? Also the security part is obviously easy to override, so it can't be the only/real reason.

Link to GitHub:
https://github.com/OTRS/otrs/blob/rel-3 ... e.pm#L1393
https://github.com/OTRS/otrs/blob/rel-3 ... e.pm#L1388

Release notes:
...
What's New

Updated Package Manager, that will ensure that packages to be installed meet the quality standards of OTRS Group. This is to guarantee that your package wasn’t modified, which may possibly harm your system or have an influence on the stability and performance of it. All independent package contributors will have to conduct a check of their Add-Ons by OTRS Group in order to take full advantage of the OTRS package verification.
...
Me on Github: https://github.com/hanneshal/
Znuny4OTRS Extensions on Github: https://github.com/znuny/
Znuny4OTRS - intl. Enterprise Services: https://znuny.com
Twitter -> http://twitter.com/frank_zabel
ADN -> https://alpha.app.net/johannesn

reneeb
OTRS guru
Posts: 4350
Joined: 13 Mar 2011, 09:54
OTRS Version?: 3.3.x
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby reneeb » 22 May 2013, 16:30

That's ridiculous. It doesn't have anything to do with security (you mentioned a few things, but there is more). It is only pseudo security and discredits third party vendors (if it is not "verified" it shows "It is recommended not to use this package.").
Perl / OTRS development: http://perl-services.de
Free OTRS add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

brann
OTRS wizard
Posts: 115
Joined: 14 Nov 2011, 10:11
OTRS Version?: 3.3.x
Real Name: Anna Brakoniecka
Company: c.a.p.e. IT GmbH
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby brann » 22 May 2013, 23:03

Thanks for the hint, Hannes, we'll analyse it asap.

Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
OTRS Version?: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby Daniel Obee » 23 May 2013, 13:24

Johannes wrote:I don't even know if this is legal?


I sincerely doubt sending information from and about a system without explicit permission of the owner is legal at least in Germany. Remember the chrome discussion? Google had to cut back on their data mining because of law issues.

The way the "feature" is implemented and communicated is neither reasonable nor acceptable. We'll see how things develop the next days. I'd at least await a comment of OTRS AG.

Daniel
OtterHub e.V.

richieri
OTRS newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
OTRS Version?: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby richieri » 23 May 2013, 14:53

The advantage of being open source is to increase stability and not the opposite! The community has always contributed to adding features, fixing bugs and making open source a good choice for corporations.
Ronaldo Richieri
Systems analyst, OTRS module developer and CEO at Complemento
http://www.complemento.net.br
http://www.richieri.com

richieri
OTRS newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
OTRS Version?: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby richieri » 23 May 2013, 14:57

If the problem is not supporting third-party packages, then my suggestion to OTRS AG is to show this message only to their Subscriptions Support and Services customers. As it is now, OTRS AG is disqualifying the community, partners that develop software, and the open source software model as well =/
Ronaldo Richieri
Systems analyst, OTRS module developer and CEO at Complemento
http://www.complemento.net.br
http://www.richieri.com

root
Moderator
Posts: 971
Joined: 18 Dec 2007, 12:23
OTRS Version?: 5.0.x
Real Name: Roy Kaldung
Company: Znuny Inc.
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby root » 23 May 2013, 17:16

My first intention was the idea to provide a 'RemoveCallHome' package.
It's ridiculous that the OTRS AG could be the one and only source to provide quality and security in packages...
OTRS 4 /5 CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

You need professional services? Check out http://znuny.com/

tto
Moderator
Posts: 315
Joined: 09 Jan 2007, 15:24
OTRS Version?: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby tto » 23 May 2013, 17:22

root wrote:My first intention was the idea to provide a 'RemoveCallHome' package..


...to be honest: such a package is under construction already and will be available soon, making this behavior configurable.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/

ojenning
OTRS newbie
Posts: 1
Joined: 01 Aug 2012, 20:46
OTRS Version?: 3.1.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ojenning » 23 May 2013, 18:09

Hello,

"Open Source

More than 5,000 active OTRS Community members, experts and enthusiasts, contribute to the OTRS open source project and software, driven by the same motivation, to enhancement and expedite OTRS' distribution based on voluntary contributions. Get involved, leverage OTRS' community tools and benefit from the support and technical expertise of this worldwide community."

Taken from http://www.otrs.com/de/open-source/

This new "feature" discredited this. Is there someone from OTRS AG who could explain this please?

Regards
Ole

richieri
OTRS newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
OTRS Version?: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby richieri » 23 May 2013, 21:09

Updated Package Manager, that will ensure that packages to be installed meet the quality standards of OTRS Group. This is to guarantee that your package wasn’t modified, which may possibly harm your system or have an influence on the stability and performance of it. All independent package contributors will have to conduct a check of their Add-Ons by OTRS Group in order to take full advantage of the OTRS package verification.
Furthermore we would like to inform all interested developers about the possibility of verifying your packages. Please let us know at verify@otrs.com if you have any issue concerning the verification of your developed packages.

Taken from http://www.otrs.com/de/open-source/comm ... -desk-327/
Ronaldo Richieri
Systems analyst, OTRS module developer and CEO at Complemento
http://www.complemento.net.br
http://www.richieri.com

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ferrosti » 27 May 2013, 12:56

From a vendor's point of view I'd also reject responsibility for software that did not pass my QA.

The way OTRS AG once more kicks its community's butt, it would be a good point in time for a community fork of OTRS.

my .02€
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 27 May 2013, 13:09

I have no horse in this race, but all who oppose, how would you implement a package verification?

This is akin to either providing a self-signed SSL certificate or being backed by a trusted third party.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ferrosti » 27 May 2013, 16:13

OTRS AG already has its own Package Servers for their customers. This especially applies for their Feature Addons.

Checksums like MD5 or SHA would be enough to show whether the downloaded package was quality approved by OTRS AG. Anyway, either one has a support contract with OTRS AG or not. In case of an issue one would have to send the support file, which could contain the installed packages' SHA sums.

Next thing is: I even package my themes, but I do not want this information to be sent.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 27 May 2013, 16:48

From the original post:
Johannes wrote:To achieve this they send package name and MD5 of every package to a validation server

That doesn't sound like anything personally identifiable to me.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ferrosti » 27 May 2013, 17:13

Yeah, OTRS is in deep need of an array that consists of a package name and its MD5 sum. 8)
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

brann
OTRS wizard
Posts: 115
Joined: 14 Nov 2011, 10:11
OTRS Version?: 3.3.x
Real Name: Anna Brakoniecka
Company: c.a.p.e. IT GmbH
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby brann » 27 May 2013, 17:21

Hi,

On 4th June, we will talk about it during the community meeting in Dresden. If there are any issues that anyone would like to bring into discussion, then please write them down in the forum thread so that we take them into consideration. Thanks in advance! We will also tweet about it from the capeIT twitter account (@capeIT) so that the discussion can be followed online by everyone who is not able to be in Dresden. We'll use hashtag #OTRS and #verify. You don't need to register to follow the tweets, but only as a logged-in user can you participate in the exchange of opinions on twitter.

Regards,
Anna

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 27 May 2013, 17:46

ferrosti wrote: Yeah, OTRS is in deep need of an array that consists of a package name and its MD5 sum. 8)

I'm not sure I understand your statement. No, OTRS doesn't need it, but if I wanted to check that the package I'm installing is the one that has been registered with OTRS, and I send this package *name* and MD5 that I calculate on my side to otrs and ask "Do these match?" ... and get a "no", then I can still choose whether to install the package. I just know that the package name/MD5 combo isn't one that OTRS has heard of.

If this name/MD5 combo is a problem, in what way is it different than self-signing an SSL cert? "Are you sure you want to trust this cert?" "Sure ... I made it ..." but then again, if I happen to receive an OTRS plugin from a third party source, maybe an aggregate of OTRS plugins, I could guess that it's a good plugin because it says so itself, or I could check if it's been tampered with (barring the real possibility of MD5 collisions) versus a trusted verification system, assuming I trust OTRS to hold the data. In theory, I could also trust Znuny and Cape-IT.de, but whether I trust ferrosti or crythias just because the package says ...

Oh, it's all a crapshoot anyway ... the packages can still be malware. But at least you know it's the malware it says it is.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

reneeb
OTRS guru
Posts: 4350
Joined: 13 Mar 2011, 09:54
OTRS Version?: 3.3.x
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby reneeb » 28 May 2013, 11:52

crythias wrote:I have no horse in this race, but all who oppose, how would you implement a package verification?

This is akin to either providing a self-signed SSL certificate or being backed by a trusted third party.


OTRS AG should have talked to other vendors about that. Then a common concept could have been created to avoid some confusion, security issues, .... The current implementation is not a reliable system at all!
Perl / OTRS development: http://perl-services.de
Free OTRS add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 28 May 2013, 13:50

reneeb wrote:The current implementation is not a reliable system at all!

Reliable in what way? And, again, what's the specific problem you have with this? That they didn't tell vendors about it first? That's always a gripe.
Reliable because someone could make a name/MD5 collision pair? Absolutely agree. name/sha-256 would be a much better choice.
Reliable because the validation server could go down? eh.. okay. But if Znuny or CAPE-IT had validation servers for their own plugins, I wouldn't argue.
Reliable because it doesn't validate that the tagged code works/is not malware? Agree. Like I said before, it guarantees the malware you're about to install is the malware it says it is.
Reliable because some people don't have Internet and can't connect to the validation server? Can't be helped. See also: Self-signed SSL certificates.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

reneeb
OTRS guru
Posts: 4350
Joined: 13 Mar 2011, 09:54
OTRS Version?: 3.3.x
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby reneeb » 28 May 2013, 16:58

I have no problem with a package verification system per se, but with its current implementation.

So, you would rely on a service you don't know anything about? What do they check? Where is it checked? When it is not verified, what does that mean? Is it anything I can live with?

It's too easy to "work around" the verification process. Johannes mentioned a few things (override Package.pm, ...). I know that there is no 100% security, there is always a way to work around any system, but it's too easy at the moment.

And currently it seems to be a process that is done manually. How long will it take until a package is verified? When I release a new version to fix a security issue and ask all users to upgrade immediately they will get a "not verified".

And for vendors there are more concerns:

* they have to submit the code
* when they have signed the contributor agreement (which you have to do to get patches applied) OTRS takes the ownership of your code
* what happens when you had a dispute with OTRS AG once (think of somebody who seems to be banned from the mailing list)? OTRS AG doesn't have to verify your packages.
* do we have to pay for verification (that question wasn't answered in the mail I got from OTRS AG)?
Perl / OTRS development: http://perl-services.de
Free OTRS add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 28 May 2013, 17:44

reneeb wrote:So, you would rely on a service you don't know anything about? What do they check? Where is it checked? When it is not verified, what does that mean? Is it anything I can live with?

If I were not a programmer, I'd be oblivious to any number of call-home things [insert random application here] does. I am basing my "what do they check" (as a customer) on the original post of this topic: they check the name of the code and the md5 of the code. And where ... at the otrs server of the OP. And what does it mean? It means OTRS has matched the two.
Is it anything I can live with? Again, like a self-signed SSL... same questions.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

tto
Moderator
Posts: 315
Joined: 09 Jan 2007, 15:24
OTRS Version?: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby tto » 28 May 2013, 18:25

crythias wrote:If I were not a programmer, I'd be oblivious to any number of call-home things [insert random application here] does. I am basing my "what do they check" (as a customer) on the original post of this topic: they check the name of the code and the md5 of the code. And where ... at the otrs server of the OP. And what does it mean? It means OTRS has matched the two.
Is it anything I can live with? Again, like a self-signed SSL... same questions.


I go with that if it's just the verification and if it was just a simple "Verified: YES/NO". But from a vendor and community supporter's perspective, the way this "verification" was implemented and communicated is (friendly spoken) not very community-oriented. From my personal point of view, the wording which is used right now on a failed package verification discredits all package contributors which are (for whatever reason) not verified by the OTRS AG. The verification process is neither clear nor open. There's a HUGE information gap which is not common to open source projects.

I for myself did send an email with some questions to verify@otrs.com last week. So far I haven't even received a receipt for this email... :-(

regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ferrosti » 28 May 2013, 21:31

@crythias
1) OTRS AG is collecting data without telling their users
2) wording of the 'error' message sucks (sic!)
3) using the sent data makes it easy to
3.1) make statistics about package installations
3.2) these statistics can be used to gain competitive advantage over e.g. znuny, cape it, perl-services, community, just to mention some

Alternative for package verification could be:
OTRS AG provides XML file with package names as well as MD5 sums. This is still small enough to download the whole file for every verification on client side.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
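The client-side alternative ferrosti describes above, sketched as an added example (not code from the thread or from OTRS): the vendor publishes a list of package names and checksums, and the installer checks the package locally, so no package name or hash leaves the system. The XML layout and all function names are hypothetical, SHA-256 is used in place of MD5 as suggested elsewhere in the thread, and the manifest is assumed to have been fetched over an authenticated channel.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for package files; real .opm contents would be read from disk.
SAMPLE_FAQ = b"<otrs_package><Name>FAQ</Name></otrs_package>"
SAMPLE_THEME = b"<otrs_package><Name>MyTheme</Name></otrs_package>"

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> str:
    """Vendor side: publish name/digest pairs (hypothetical manifest format)."""
    root = ET.Element("verified_packages")
    for name, data in sorted(packages.items()):
        ET.SubElement(root, "package", name=name, sha256=sha256_hex(data))
    return ET.tostring(root, encoding="unicode")


def parse_manifest(xml_text: str) -> dict:
    """Client side: map package name -> set of approved digests."""
    known = {}
    for node in ET.fromstring(xml_text).iter("package"):
        name = node.get("name")
        digest = (node.get("sha256") or "").lower()
        # Reject malformed entries instead of silently trusting them.
        if not name or len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed manifest entry: {name!r}")
        # Several releases of one package may be listed under the same name.
        known.setdefault(name, set()).add(digest)
    return known


def verify_package(name: str, data: bytes, known: dict) -> str:
    """Return 'verified', 'mismatch' or 'unknown' without any network call.

    'unknown'  : the vendor has never listed this name (e.g. a private theme
                 or a release newer than the downloaded manifest).
    'mismatch' : the name is listed but the content differs, which is the
                 case that actually indicates a modified package.
    """
    digests = known.get(name)
    if digests is None:
        return "unknown"
    return "verified" if sha256_hex(data) in digests else "mismatch"


# Constructed manifest listing only the FAQ sample.
MANIFEST_XML = build_manifest({"FAQ": SAMPLE_FAQ})
KNOWN = parse_manifest(MANIFEST_XML)

if __name__ == "__main__":
    print(verify_package("FAQ", SAMPLE_FAQ, KNOWN))
    print(verify_package("FAQ", SAMPLE_FAQ + b" ", KNOWN))
    print(verify_package("MyTheme", SAMPLE_THEME, KNOWN))
```

Keeping "unknown" separate from "mismatch" lets the installer warn only when a listed package has been altered, rather than for every package the vendor has not reviewed.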

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 28 May 2013, 21:57

1) I know their web access logs are also collecting more data than this about their users (otrs.xml anyone?)
2) If they stopped at the first half of the OP's message, I wouldn't be upset. But saying that bad stuff could happen if you install anyway ... I agree, too much FUD.
3) yeah. But they know *generally* their own package installation statistics because of the access logs to their package repositories.

ferrosti wrote:OTRS AG provides XML file with package names as well as MD5 sums. This is still small enough to download the whole file for every verification on client side.

How do you suppose/propose that works in practice? I need to download an entire file that could be (theoretically) rather big every time I want to install a package? And what if [extremely new package here] isn't on the list? Why'd I download the file again? and why did I download the file? If I already don't have access to the internet to do the original check, I'm still equally screwed.
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

tto
Moderator
Posts: 315
Joined: 09 Jan 2007, 15:24
OTRS Version?: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby tto » 03 Jun 2013, 14:48

I finally got a response from OTRS AG. It basically says following:

(1) Costs for package verification will be estimated by OTRS AG after request. They didn't say on which basis a community contributor will be charged (yet).

(2) They will try to make no difference on who submitted the packages...

(3) OTRS package must implement OTRS coding guidelines (http://doc.otrs.org/developer/3.0/en/html/code-style-guide.html)

(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)

(5) OTRS package must not affect the integrity nor upgradeability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)

(6) It is said that the contributor must agree if his/their code or functionality may be adopted by OTRS.

I'll keep you posted on possible updates.

regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/

crythias
Moderator
Posts: 9920
Joined: 04 May 2010, 18:38
OTRS Version?: 4.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby crythias » 03 Jun 2013, 14:56

At this point, I agree with the concerns. Thank you.

Edit: This isn't Nintendo, right? Should we expect a developers license?
OTRS 4.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
OTRS Version?: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby Daniel Obee » 03 Jun 2013, 15:32

Hmm. I got a cynical translator in me who reads:

(1) Costs for package verification will be estimated by OTRS AG after request. They didn't say on which basis a community contributor will be charged (yet).

If you spend 4 days programming it we'll need half of it for checking. You will only pay our standard consulting fee that exceeds your own earnings by approximately 100%.

(2) They will try to make no difference on who submitted the packages...

Hey, we said, we'll try!

(3) OTRS package must implement OTRS coding guidelines (http://doc.otrs.org/developer/3.0/en/html/code-style-guide.html)

We just got to make sure we can a) read your code and b) (see (6))

(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)

(see (6))

(5) OTRS package must not affect the integrity nor upgradeability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)

Packages that have any effect or use can't be verified. Who are we to allow features or addons that are better than ours?

(6) It is said that the contributor must agree if his/their code or functionality may be adopted by OTRS.

Thanks for contributing! You will find your code in the next update - of the OTRS AG feature add on catalog.

To make it clear: There's good reasons to protect installations covered by own support contracts from foreign code. But this could easily be done by a customized support module delivered to OTRS AG support clients only. The way it's implemented (read: sneaked into the code) I cannot see but a barefaced attempt to eliminate or at least discriminate other vendors and the free community.

Greets
Daniel

brann
OTRS wizard
Posts: 115
Joined: 14 Nov 2011, 10:11
OTRS Version?: 3.3.x
Real Name: Anna Brakoniecka
Company: c.a.p.e. IT GmbH
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby brann » 05 Jun 2013, 15:11

Daniel, if you would have "+1" or "iLike" button here, I would definitely click on it for your last comment. :)

brann
OTRS wizard
Posts: 115
Joined: 14 Nov 2011, 10:11
OTRS Version?: 3.3.x
Real Name: Anna Brakoniecka
Company: c.a.p.e. IT GmbH
Contact:

ConfigureCallHome for OTRS 3.1 and 3.2

Postby brann » 06 Jun 2013, 14:09

You can download our additional OTRS module ConfigureCallHome

http://www.cape-it.de/free-otrs-communi ... dules.html

It disables the unrequested automatic communication of installed packages and other system details to OTRS AG (can be enabled by configuration) and it sends a notification to an email address you fill in. If you don't fill in anything, then there will be no notification sent to anyone.

choenig
OTRS newbie
Posts: 36
Joined: 28 Sep 2012, 11:26
OTRS Version?: 3.1.10
Location: 49° 54′ N, 10° 54′ O

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby choenig » 17 Jun 2013, 12:20

Hi,

On this note, the OTRS Group is really disappointed in the allegations of c.a.p.e IT GmbH and detached community members like Otterhub, which have,
since the beginning, decided – in spite of OTRS Group’s active efforts to integrate them – against contributing software packages to the OTRS standard for the
advantage of all community members.

Source: http://www.otrs.com/en/company/news/press-releases/statement-package-verification/

What does this mean? I don't hope that OTRS AG is starting a major offensive against the open source community, in order to sell her own feature packs
and block all other community addons....

The actual situation occurs to me like the Turkish president Erdogan against the resistance movement. Can somebody stop this kindergarten?

Best regards
Christian (just an OTRS user)
OTRS 3.2.8 - KIX4OTRS - ConfigureCallHome - ZnunyCustomerMap - running on CentOS 6.4 and MySQL
anyone who finds clerical errors can keep it...

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby ferrosti » 17 Jun 2013, 17:09

OTRS AG is not starting anything. It's rather like a drop of friends.
They used to have an employee to support the community, which is no more (at least not communicated).
They have once hosted this forum. Well, watch your URL, it's not OTRS any more. It's otterhub.
Does otterhub as THE community platform get involved / informed of any actions or steps taken by OTRS? Well, it does not seem so.
They mention a community meeting in Bad Homburg... At least none of the Otterhub persons I know was invited or has heard of the meeting before it took place.

No, OTRS AG is not starting anything, they don't even start ending something.
I just can call on them to take a firm stand on what they want to do with
a) their community
b) their open source idea

On this note, the OTRS Group is really disappointed in the allegations of c.a.p.e IT GmbH and detached community members like Otterhub, which have,
since the beginning, decided – in spite of OTRS Group’s active efforts to integrate them – against contributing software packages to the OTRS standard for the
advantage of all community members.

I am not encouraged in the work of Otterhub e.V. itself, but as far as I know it has been OTRS AG who reduced their effort to support them any more.

my .02€
Ferrosti
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

BIG_jan
OTRS wizard
Posts: 138
Joined: 05 Jun 2009, 11:32
OTRS Version?: 3.3.8
Company: Netzlink Informationstechnik GmbH
Location: Wolfenbüttel,GER
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby BIG_jan » 19 Jun 2013, 10:56

Fail of OTRS:

I installed a new system for a customer yesterday with the newest version 3.2.8 and some packages.

I saw, after installing FAQ, Support, Survey and cmdb, that even their own packages are too new to be verified yet :)

!! Don't use packages - it may be dangerous !!

HAHA
Live: OTRS 3.3.8, ITSM 3.3.8, in vm
Test: otrs 3.3.8, ITSM

OS: RedHat 6.5 64Bit, Apache: 2.2.15, MySQL 5.5.38, Perl: 5.10.1, mod_Perl 2.0.4

tto
Moderator
Posts: 315
Joined: 09 Jan 2007, 15:24
OTRS Version?: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby tto » 24 Jun 2013, 17:26

Hi,

finally I got some response from OTRS AG.

tto wrote: (1) Costs for package verification will be estimated by OTRS AG after request. They didn't say on which basis a community contributor will be charged (yet).

They did not mention a defined rate per hour or per day, but they provided some examples. The verification for CustomerUserImportExport, CustomerCompanyImportExport, ServiceImportExport and UserImportExport will cost approximately 800,- EUR (not sure if this is per package or for all of them). However, the price cannot be considered as fixed - the final costs depend on "how many iterations" will be required for verification.

For more complex extensions they suggested a personal consulting in one of their offices - I wonder how much this might cost.

tto wrote:(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)

No exact definition was provided but again a sample - just have a look at the FAQ-extension. Providing a POD-documentation in the package is not enough. The documentation must be provided in PDF-format and downloadable via the package manager in the admin area of OTRS.

tto wrote: (5) OTRS package must not affect the integrity nor upgradability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)

No response on this point.


I added some more questions regarding possible interest conflicts between OTRS-AG and verification-requesters: if one requests a package to be verified and how OTRS AG could ensure that they respect the intellectual property and will not take illegitimate benefit from the verification-request. The response was, that asking this question is just an unfounded assumption and not the basis for a fair partnership. I asked if some sort of NDA is intended on behalf of OTRS AG for increasing trust in the verification process.

Keep you posted & regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/

Andre Bauer
OTRS guru
Posts: 2191
Joined: 08 Dec 2005, 17:01
OTRS Version?: 5.0.x
Real Name: André Bauer
Company: Magix Software GmbH
Location: Dresden
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby Andre Bauer » 26 Jun 2013, 10:16

Prod: Ubuntu Server 16.04 / Zammad 1.2

DO NOT PM ME WITH OTRS RELATED QUESTIONS! ASK IN THE FORUMS!

OtterHub.org

Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
OTRS Version?: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby Daniel Obee » 26 Jun 2013, 10:24

I did my best to translate the official statement to readable English. So here's the letter:

Dear OTRS AG, dear Christopher, dear Manuel,

it's been a while since we talked. That might be deplorable. But meanwhile we used our resources to push the OtterHub infrastructure (namely the registered association OtterHub e.V.). That is to provide the community with the chance to collaborate and help each other.

In your statement about the package verification you talk about OtterHub as “detached community members”. That hurts a little. As well as you trying to discredit the community project OPAR where community members spend a lot of time to voluntarily contribute to the OTRS project.

Obviously your statement is a direct reaction to the critique that emerged from different parties (including individual members of OtterHub) on the new package verification.

Package Verification – Why bother?

Review and verification of packages is a reasonable and appropriate way to secure a certain standard. Our concern therefore isn’t about the verification itself. It’s all about the implementation, the ambiguous verification conditions, and the lack of communication ahead.

Renée Bäcker published a broad to-the-point analysis at http://reneeb-perlblog.blogspot.de/2013/06/otrs-und-die-paketverifizierung.html (German only).

From our point of view this leads to the following conclusions:

• The silent transmission of system data of any kind to servers of OTRS AG is not acceptable. Users must have the choice if such verification is wanted or not.
• If a package is not verified the wording of the “error” message must be non-discriminating to other vendors.
• The criteria for verification must be public.
• A verification of commercial packages by the OTRS AG must include an NDA. An implicit transfer of rights is not acceptable.
• Non-commercial packages should be verified for free if possible. Transfer of rights would be okay if limited to non-commercial usage (such as in the OTRS standard).
• Third party vendors must be allowed to verify their own packages.

Contributions to the standard

Your statement also brings in the explicit accusation OtterHub would willingly not contribute to the OTRS standard.

It’s a fact that concerning contributions there are still a lot of unanswered questions (see https://github.com/OTRS/otrs/pull/42, also Renée’s article). It’s also a fact that code snippets, mechanisms and ideas from packages made by OtterHub members were taken and put into the standard – without further notice, communication or any kind of acknowledgement.

A lot of us would be eager to contribute more and more directly to the project. It’s on you to provide acceptable conditions for that. That includes providing an official contributors file to honor the people who put their effort into the code.

A closing word

OTRS is a great project and there are many people out there putting a lot of effort and passion into making it even better. Part of those people are you at the OTRS AG. Another part of them chose to organize themselves at OtterHub to consolidate activities and develop together.

OtterHub is your chance to get in contact with the community. We’d be happy if you follow our invitation to discuss topics like that earlier and – that’s the main point – in cooperation with us.

Regards

Daniel Obée
OtterHub e. V.

alexus
OTRS superhero
Posts: 252
Joined: 20 Sep 2010, 16:54
OTRS Version?: ITSM 4.0.11
Real Name: Alexey Yusov
Company: Radiant System
Location: Prague
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby alexus » 27 Jun 2013, 23:01

To Daniel Obee » 26 Jun 2013, 12:24

LIKE!
Alexey Yusov

Production: OTRS ITSM 5.0.14 on CentOS 7 x64 Linux with MySQL 5.7
Tested: OTRS ITSM 5.0.14
Radiant System OTRS Integrator
Stay tuned on our Facebook
Get OTRS Professional Services - Consulting, Implementation, Training, Development, Support!

shostakovich
OTRS wizard
Posts: 146
Joined: 11 Apr 2011, 08:11
OTRS Version?: 3.2.5

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby shostakovich » 08 Jul 2013, 12:27

Very annoying. Will there be a vital open source community remaining? It's a strike against the open source community, which slowly disappears (understandably).

Daniel Obee wrote:
(6) It is said, that the contributor must agree if his/their code or functionality may be adopted by OTRS.

Thanks for contributing! You will find your code in the next update - of the OTRS AG feature add on catalog.

To make it clear: There's good reasons to protect installations covered by own support contracts from foreign code. But this could easily be done by a customized support module delivered to OTRS AG support clients only. The way it's implemented (read: sneaked into the code) I cannot see but a barefaced attempt to eliminate or at least discriminate other vendors and the free community.


Best statement in this thread.

denydias
OTRS newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
OTRS Version?: 5.x.x

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Postby denydias » 23 Dec 2014, 07:08

brann wrote:You can download our additional OTRS module ConfigureCallHome


Are there plans to update this to OTRS4?

brann
OTRS wizard
Posts: 115
Joined: 14 Nov 2011, 10:11
OTRS Version?: 3.3.x
Real Name: Anna Brakoniecka
Company: c.a.p.e. IT GmbH
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby brann » 23 Dec 2014, 11:38

Function of ConfigureCallHome is included in KIX4OTRS (free module with many additional features: http://www.kix4otrs.com). When we'll publish ConfigureCallHome as a separate module for OTRS is not defined yet. I'll keep you informed, when I'll have more specific information.

denydias
OTRS newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
OTRS Version?: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby denydias » 23 Dec 2014, 11:43

brann wrote:I'll keep you informed, when I'll have more specific information.


I'll appreciate that. I have a fully functional/production environment that doesn't need the entire KIX4OTRS functionality. It would be nice to have just ConfigureCallHome available in OPAR for 4.0.x, just as it does to 3.3.x.

Thank you anyway.

tto
Moderator
Posts: 315
Joined: 09 Jan 2007, 15:24
OTRS Version?: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Postby tto » 23 Dec 2014, 11:45

denydias wrote:
brann wrote:You can download our additional OTRS module ConfigureCallHome


Are there plans to update this to OTRS4?



There probably will be a version for OTRS 4.0 but it's not in focus right now. However ReneeB prepared something so that actually just a package build action is needed:

https://github.com/reneeb/otrs-ConfigureCallHome

(nevertheless we haven't found the time yet - sorry).

regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/

denydias
OTRS newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
OTRS Version?: 5.x.x

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Postby denydias » 23 Dec 2014, 11:50

tto wrote:However ReneeB prepared something so that actually just a package build action is needed


Nice! Always him! That'll do.

Don't be sorry. Time is much more difficult to find than support resources these days.

Thank you very much, @tto and @reneeb.

reneeb
OTRS guru
Posts: 4350
Joined: 13 Mar 2011, 09:54
OTRS Version?: 3.3.x
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby reneeb » 30 Sep 2015, 16:02

@jenniesmith: That has nothing to do with the package verification...
Perl / OTRS development: http://perl-services.de
Free OTRS add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

denydias
OTRS newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
OTRS Version?: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby denydias » 06 May 2016, 09:00

Spammers? Really?

reneeb
OTRS guru
Posts: 4350
Joined: 13 Mar 2011, 09:54
OTRS Version?: 3.3.x
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby reneeb » 06 May 2016, 11:33

@denydias: You can notify the admins about those posts... (the exclamation mark button in the upper right of a post).
Perl / OTRS development: http://perl-services.de
Free OTRS add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

denydias
OTRS newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
OTRS Version?: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Postby denydias » 09 May 2016, 08:27

Tks for the tip, @reneeb!

