Package Verification in OTRS 3.1.16 / 3.2.7

Moderator: crythias

Johannes
Moderator
Posts: 390
Joined: 30 Jan 2008, 02:26
Znuny Version: All of them ^^
Real Name: Hannes
Company: Znuny|OTTERHUB

Package Verification in OTRS 3.1.16 / 3.2.7

Post by Johannes »

*Info: I wrote this text as a member of the otterhub, not as an employee of Znuny*

Public Service Announcement because this "feature" may affect some of you.

OTRS added a new method to validate packages. To achieve this they send package name and MD5 of every package to a validation server (https://pav.otrs.com/otrs/public.pl?Act ... rification).
(hint: they don't even ask you)

If the package is not validated by the xxx you get a warning that says something like this:
Title: Package not verified by the OTRS Group! It is recommended not to use this package.
Please note that issues that are caused by working with this package are not covered by OTRS service contracts!
If you continue to install this package, the following issues may occur!
-Security problems
-Stability problems
-Performance problems
Leaving aside the fact that you can simply override the Package.pm, or that your OTRS system is not connected to the internet or doesn't have LWP::Protocol::HTTPS installed, this check is ridiculous.
OTRS offers a check to "take full advantage of the OTRS package verification." for third party vendors. I can't even tell how much this hurts the OpenSource part in me :cry: .

At the moment we have no information where to get access for the "package check program", how it works, how much do we have to pay and so on... Hey OTRS what about some more infos on your webpage. *hint*hint*

The most critical point of this behaviour remains the fact that xxx collects data of your system(s) and what you do with it without asking for permission. Existence, IP and information about the usage of your system are sent and registered.
I don't even know if this is legal? Also the security part is obviously easy to override, so it can't be the only/real reason.

Link to GitHub:
https://github.com/OTRS/otrs/blob/rel-3 ... e.pm#L1393
https://github.com/OTRS/otrs/blob/rel-3 ... e.pm#L1388

Release notes:
...
What's New

Updated Package Manager, that will ensure that packages to be installed meet the quality standards of OTRS Group. This is to guarantee that your package wasn’t modified, which may possibly harm your system or have an influence on the stability and performance of it. All independent package contributors will have to conduct a check of their Add-Ons by OTRS Group in order to take full advantage of the OTRS package verification.
...
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by reneeb »

That's ridiculous. It doesn't have anything to do with security (you mentioned a few things, but there is more). It is only pseudo security and discredits third party vendors (if it is not "verified" it shows "It is recommended not to use this package.").
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
brann
Znuny advanced
Posts: 115
Joined: 14 Nov 2011, 10:11
Znuny Version: 3.3.x
Real Name: Anna Brakoniecka

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by brann »

Thanks for the hint, Hannes, we'll analyse it asap.
Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
Znuny Version: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by Daniel Obee »

Johannes wrote: I don't even know if this is legal?
I sincerely doubt sending information from and about a system without explicit permission of the owner is legal at least in Germany. Remember the chrome discussion? Google had to cut back on their data mining because of law issues.

The way the "feature" is implemented and communicated is neither reasonable nor acceptable. We'll see how things develop the next days. I'd at least await a comment of xxx.

Daniel
OtterHub e.V.
richieri
Znuny newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
Znuny Version: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by richieri »

The advantage of being open source is to increase stability and not the opposite! The community has always contributed to increasing features, fixing bugs and making open source a good choice for corporations.
Ronaldo Richieri
Systems analyst, OTRS module developer and CEO at Complemento
http://www.complemento.net.br
http://www.richieri.com
richieri
Znuny newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
Znuny Version: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by richieri »

If the problem is to not support third-party packages, then my suggestion to xxx is to show this message only for their customers of Subscriptions Support and Services. As it is now, xxx is disqualifying the community, partners that develop software and the open source software model as well =/
root
Administrator
Posts: 3931
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by root »

My first intention was the idea to provide a 'RemoveCallHome' package.
It's ridiculous that the xxx could be the one and only source to provide quality and security in packages...
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
tto
Znuny wizard
Posts: 315
Joined: 09 Jan 2007, 15:24
Znuny Version: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by tto »

root wrote:My first intention was the idea to provide a 'RemoveCallHome' package..
...to be honest: such a package is under construction already and will be available soon, making this behavior configurable.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/
ojenning
Znuny newbie
Posts: 1
Joined: 01 Aug 2012, 20:46
Znuny Version: 3.1.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ojenning »

Hello,

"Open Source

More than 5,000 active OTRS Community members, experts and enthusiasts, contribute to the OTRS open source project and software, driven by the same motivation, to enhancement and expedite OTRS' distribution based on voluntary contributions. Get involved, leverage OTRS' community tools and benefit from the support and technical expertise of this worldwide community."

Taken from http://www.otrs.com/de/open-source/

This new "feature" discredited this. Is there someone from xxx who could explain this please?

Regards
Ole
richieri
Znuny newbie
Posts: 39
Joined: 18 Apr 2011, 19:29
Znuny Version: 3100000
Real Name: Ronaldo Richieri
Company: Complemento
Location: Brasil
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by richieri »

Updated Package Manager, that will ensure that packages to be installed meet the quality standards of OTRS Group. This is to guarantee that your package wasn’t modified, which may possibly harm your system or have an influence on the stability and performance of it. All independent package contributors will have to conduct a check of their Add-Ons by OTRS Group in order to take full advantage of the OTRS package verification.
Furthermore we would like to inform all interested developers about the possibility of verifying your packages. Please let us know at verify@otrs.com if you have any issue concerning the verification of your developed packages.
Taken from http://www.otrs.com/de/open-source/comm ... -desk-327/
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ferrosti »

From a vendor's point of view I'd also reject responsibility for software that did not pass my QA.

The way xxx once more kicks its community's butt it would be a good point of time for a community fork of OTRS.

my .02€
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

I have no horse in this race, but all who oppose, how would you implement a package verification?

This is akin to either providing a self-signed SSL certificate or being backed by a trusted third party.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ferrosti »

xxx already has its own Package Servers for their customers. This especially applies for their Feature Addons.

Checksums like MD5 or SHA would be enough to show whether the downloaded package was quality approved by xxx. Anyways, either one has a support contract with xxx or not. In case of an issue one would have to send the support file, which could contain the installed packages' SHA sums.

Next thing is: I even package my themes, but I do not want this information to be sent.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

From the original post:
Johannes wrote:To achieve this they send package name and MD5 of every package to a validation server
That doesn't sound like anything personally identifiable to me.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ferrosti »

Yeah, OTRS is in deep need of an array that consists of a package name and its MD5 sum. 8)
brann
Znuny advanced
Posts: 115
Joined: 14 Nov 2011, 10:11
Znuny Version: 3.3.x
Real Name: Anna Brakoniecka

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by brann »

Hi,

On 4th June, we will talk about it during the community meeting in Dresden. If there are any issues that anyone would like to bring into discussion, then please write them down in the forum thread so that we take them into consideration. Thanks in advance! We will also tweet about it from the capeIT twitter account (@capeIT) so that the discussion can be followed online by everyone who is not able to be in Dresden. We'll use hashtag #OTRS and #verify. You don't need to register to follow the tweets, but only as a logged-in user can you participate in the exchange of opinions on twitter.

Regards,
Anna
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

ferrosti wrote: Yeah, OTRS is in deep need of an array that consists of a package name and its MD5 sum. 8)
I'm not sure I understand your statement. No, OTRS doesn't need it, but if I wanted to check that the package I'm installing is the one that has been registered with OTRS, and I send this package *name* and MD5 that I calculate on my side to otrs and ask "Do these match?" ... and get a "no", then I can still choose whether to install the package. I just know that the package name/MD5 combo isn't one that OTRS has heard of.

If this name/MD5 combo is a problem, in what way is it different than self-signing an SSL cert? "Are you sure you want to trust this cert?" "Sure ... I made it ..." but then again, if I happen to receive an OTRS plugin from a third party source, maybe an aggregate of OTRS plugins, I could guess that it's a good plugin because it says so itself, or I could check if it's been tampered with (barring the real possibility of MD5 collisions) versus a trusted verification system, assuming I trust OTRS to hold the data. In theory, I could also trust Znuny and Cape-IT.de, but whether I trust ferrosti or crythias just because the package says ...

Oh, it's all a crapshoot anyway ... the packages can still be malware. But at least you know it's the malware it says it is.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by reneeb »

crythias wrote:I have no horse in this race, but all who oppose, how would you implement a package verification?

This is akin to either providing a self-signed SSL certificate or being backed by a trusted third party.
xxx should have talked to other vendors about that. Then a common concept could have been created to avoid some confusion, security issues, .... The current implementation is not a reliable system at all!
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

reneeb wrote:The current implementation is not a reliable system at all!
Reliable in what way? And, again, what's the specific problem you have with this? That they didn't tell vendors about it first? That's always a gripe.
Reliable because someone could make a name/MD5 collision pair? Absolutely agree. name/sha-256 would be a much better choice.
Reliable because the validation server could go down? eh.. okay. But If Znuny or CAPE-IT had validation servers for their own plugins, I wouldn't argue.
Reliable because it doesn't validate that the tagged code works/is not malware? Agree. Like I said before, it guarantees the malware you're about to install is the malware it says it is.
Reliable because some people don't have Internet and can't connect to the validation server? Can't be helped. See also: Self-signed SSL certificates.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by reneeb »

I have no problem with a package verification system per se, but with its current implementation.

So, you would rely on a service you don't know anything about? What do they check? Where is it checked? When it is not verified, what does that mean? Is it anything I can live with?

It's too easy to "work around" the verification process. Johannes mentioned a few things (override Package.pm, ...). I know that there is no 100% security, there is always a way to work around any system, but it's too easy at the moment.

And currently it seems to be a process that is done manually. How long will it take until a package is verified? When I release a new version to fix a security issue and ask all users to upgrade immediately they will get a "not verified".

And for vendors there are more concerns:

* they have to submit the code
* when they have signed the contributor agreement (which you have to do to get patches applied) OTRS takes the ownership of your code
* what happens when you had a dispute with xxx once (think of somebody who seems to be banned from the mailing list)? xxx doesn't have to verify your packages.
* do we have to pay for verification (that question wasn't answered in the mail I got from xxx)?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

reneeb wrote:So, you would rely on a service you don't know anything about? What do they check? Where is it checked? When it is not verified, what does that mean? Is it anything I can live with?
If I were not a programmer, I'd be oblivious to any number of call-home things [insert random application here] does. I am basing my "what do they check" (as a customer) on the original post of this topic: they check the name of the code and the md5 of the code. And where ... at the otrs server of the OP. And what does it mean? It means OTRS has matched the two.
Is it anything I can live with? Again, like a self-signed SSL... same questions.
tto
Znuny wizard
Posts: 315
Joined: 09 Jan 2007, 15:24
Znuny Version: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by tto »

crythias wrote:If I were not a programmer, I'd be oblivious to any number of call-home things [insert random application here] does. I am basing my "what do they check" (as a customer) on the original post of this topic: they check the name of the code and the md5 of the code. And where ... at the otrs server of the OP. And what does it mean? It means OTRS has matched the two.
Is it anything I can live with? Again, like a self-signed SSL... same questions.
I go with that if it's just the verification and if it was just a simple "Verified: YES/NO". But from a vendor and community supporter's perspective, the way this "verification" was implemented and communicated is (friendly spoken) not very community-oriented. From my personal point of view, the wording which is used right now on a failed package verification discredits all package contributors which are (for whatever reason) not verified by the xxx. The verification process is neither clear nor open. There's a HUGE information gap which is not common to open source projects.

I for myself did send an email with some questions to verify@otrs.com last week. So far I haven't even received a receipt for this email... :-(

regards, T.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ferrosti »

@crythias
1) xxx is collecting data without telling their users
2) wording of the 'error' message sucks (sic!)
3) using the sent data makes it easy to
3.1) make statistics about package installations
3.2) these statistics can be used to gain competitive advantage over e.g. znuny, cape it, perl-services, community, just to mention some

Alternative for package verification could be:
xxx provides XML file with package names as well as MD5 sums. This is still small enough to download the whole file for every verification on client side.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
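The client-side check ferrosti proposes above (download a list of package names and checksums, compare locally, send nothing about the installation), as an added example that is not part of the original thread and not OTRS code. It uses SHA-256, which crythias suggests earlier in the thread, instead of MD5; the manifest layout, the `sha256` attribute and the out-of-band pinned manifest digest are assumptions made for illustration.

```python
"""Offline package check against a locally stored checksum manifest.

Hypothetical manifest format (not an OTRS format):
  <manifest><package name="..." version="..." sha256="..."/></manifest>
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

VERIFIED, UNKNOWN, MISMATCH = "verified", "unknown", "mismatch"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_manifest(xml_bytes: bytes, pinned_sha256: str) -> dict:
    """Authenticate the manifest against a pinned digest, then parse it.

    The pin is assumed to arrive over a separate trusted channel. Without
    it, whoever can swap the package can swap the manifest as well.
    The pin is checked before parsing so untrusted XML never reaches
    the parser.
    """
    if not hmac.compare_digest(sha256_hex(xml_bytes), pinned_sha256.lower()):
        raise ValueError("manifest does not match pinned digest")
    table = {}
    for node in ET.fromstring(xml_bytes).iter("package"):
        key = (node.get("name"), node.get("version"))
        digest = (node.get("sha256") or "").lower()
        if None in key or len(digest) != 64:
            raise ValueError(f"malformed manifest entry: {key}")
        if table.get(key, digest) != digest:
            raise ValueError(f"conflicting entries for {key}")
        table[key] = digest
    return table


def verify_package(name: str, version: str, data: bytes, manifest: dict) -> str:
    """Compare a package body with the manifest; nothing leaves the host.

    UNKNOWN (not listed, e.g. a release newer than the manifest) is kept
    distinct from MISMATCH (listed, but the bytes differ), because only
    the second one indicates modification.
    """
    expected = manifest.get((name, version))
    if expected is None:
        return UNKNOWN
    if hmac.compare_digest(sha256_hex(data), expected):
        return VERIFIED
    return MISMATCH


# --- Constructed sample data (stand-ins for real .opm package files) ---
PKG_OK = (b"<otrs_package><Name>ExampleAddon</Name>"
          b"<Version>1.0.0</Version></otrs_package>")
PKG_TAMPERED = PKG_OK + b"<!-- modified after release -->"

SAMPLE_MANIFEST = (
    "<manifest>"
    f'<package name="ExampleAddon" version="1.0.0" sha256="{sha256_hex(PKG_OK)}"/>'
    "</manifest>"
).encode()
SAMPLE_PIN = sha256_hex(SAMPLE_MANIFEST)  # would be published out of band


if __name__ == "__main__":
    manifest = load_manifest(SAMPLE_MANIFEST, SAMPLE_PIN)
    cases = [
        ("ExampleAddon", "1.0.0", PKG_OK),
        ("ExampleAddon", "1.0.0", PKG_TAMPERED),
        ("BrandNewAddon", "0.1.0", b"not in the list yet"),
    ]
    for name, version, body in cases:
        print(name, version, verify_package(name, version, body, manifest))
```

A match only says the bytes are the ones that were listed; as noted in the thread, it says nothing about whether the listed code is safe.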
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

1) I know their web access logs are also collecting more data than this about their users (otrs.xml anyone?)
2) If they stopped at the first half of the OP's message, I wouldn't be upset. But saying that bad stuff could happen if you install anyway ... I agree, too much FUD.
3) yeah. But they know *generally* their own package installation statistics because of the access logs to their package repositories.
ferrosti wrote:xxx provides XML file with package names as well as MD5 sums. This is still small enough to download the whole file for every verification on client side.
How do you suppose/propose that works in practice? I need to download an entire file that could be (theoretically) rather big every time I want to install a package? And what if [extremely new package here] isn't on the list? Why'd I download the file again? and why did I download the file? If I already don't have access to the internet to do the original check, I'm still equally screwed.
tto
Znuny wizard
Posts: 315
Joined: 09 Jan 2007, 15:24
Znuny Version: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by tto »

I finally got a response from xxx. It basically says following:

(1) Costs for package verification will be estimated by xxx after request. They didn't say if on which basis a community contributor will be charged (yet).

(2) They will try to make no difference on who submitted the packages...

(3) OTRS package must implement OTRS coding guidelines (http://doc.otrs.org/developer/3.0/en/ht ... guide.html)

(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)

(5) OTRS package must not affect the integrity nor upgradeability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)

(6) It is said, that the contributor must agree if his/their code or functionality may be adopted by OTRS.

I'll keep you posted on possible updates.

regards, T.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by crythias »

At this point, I agree with the concerns. Thank you.

Edit: This isn't Nintendo, right? Should we expect a developers license?
Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
Znuny Version: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by Daniel Obee »

Hmm. I got a cynical translator in me who reads:
(1) Costs for package verification will be estimated by xxx after request. They didn't say if on which basis a community contributor will be charged (yet).
If you spend 4 days programming it we'll need half of it for checking. You will only pay our standard consulting fee that exceeds your own earnings by approximately 100%.
(2) They will try to make no difference on who submitted the packages...
Hey, we said, we'll try!
(3) OTRS package must implement OTRS coding guidelines (http://doc.otrs.org/developer/3.0/en/ht ... guide.html)
We just got to make sure we can a) read your code and b) (see (6))
(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)
(see (6))
(5) OTRS package must not affect the integrity nor upgradeability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)
Packages that have any effect or use can't be verified. Who are we to allow features or addons that are better than ours?
(6) It is said, that the contributor must agree if his/their code or functionality may be adopted by OTRS.
Thanks for contributing! You will find your code in the next update - of the xxx feature add on catalog.

To make it clear: There's good reasons to protect installations covered by own support contracts from foreign code. But this could easily be done by a customized support module delivered to xxx support clients only. The way it's implemented (read: sneaked into the code) I cannot see but a barefaced attempt to eliminate or at least discriminate other vendors and the free community.

Greets
Daniel
brann
Znuny advanced
Posts: 115
Joined: 14 Nov 2011, 10:11
Znuny Version: 3.3.x
Real Name: Anna Brakoniecka

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by brann »

Daniel, if you would have "+1" or "iLike" button here, I would definitely click on it for your last comment. :)
brann
Znuny advanced
Posts: 115
Joined: 14 Nov 2011, 10:11
Znuny Version: 3.3.x
Real Name: Anna Brakoniecka

ConfigureCallHome for OTRS 3.1 and 3.2

Post by brann »

You can download our additional OTRS module ConfigureCallHome

http://www.cape-it.de/free-otrs-communi ... dules.html

It disables the unrequested automatic communication of installed packages and other system details to xxx (can be enabled by configuration) and it sends a notification to an email address you fill in. If you don't fill in anything, then there will be no notification sent to anyone.
choenig
Znuny newbie
Posts: 36
Joined: 28 Sep 2012, 11:26
Znuny Version: 3.1.10
Location: 49° 54′ N, 10° 54′ O

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by choenig »

Hi,
On this note, the OTRS Group is really disappointed in the allegations of c.a.p.e IT GmbH and detached community members like Otterhub, which have,
since the beginning, decided – in spite of OTRS Group’s active efforts to integrate them – against contributing software packages to the OTRS standard for the
advantage of all community members.
Source: http://www.otrs.com/en/company/news/pre ... ification/

What does this mean? I don't hope that xxx is starting a major offensive against the open source community, in order to sell her own feature packs
and block all other community addons....

The actual situation occurs to me like the Turkish president Erdogan against the resistance movement. Can somebody stop this kindergarten?

Best regards
Christian (just an OTRS user)
OTRS 3.2.8 - KIX4OTRS - ConfigureCallHome - ZnunyCustomerMap - running on CentOS 6.4 and MySQL
anyone who finds clerical errors can keep it...
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by ferrosti »

xxx is not starting anything. It's rather like a drop of friends.
They used to have an employee to support the community, which is no more (at least not communicated).
They have once hosted this forum. Well, watch your URL, it's not OTRS any more. It's otterhub.
Does otterhub as THE community platform get involved / informed of any actions or steps taken by OTRS? Well, it does not seem so.
They mention a community meeting in Bad Homburg... At least none of the Otterhub persons I know was invited or has heard of the meeting before it took place.

No, xxx is not starting anything, they don't even start ending something.
I just can call on them to take a firm stand on what they want to do with
a) their community
b) their open source idea
On this note, the OTRS Group is really disappointed in the allegations of c.a.p.e IT GmbH and detached community members like Otterhub, which have,
since the beginning, decided – in spite of OTRS Group’s active efforts to integrate them – against contributing software packages to the OTRS standard for the
advantage of all community members.
I am not encouraged in the work of Otterhub e.V. itself, but as far as I know it has been xxx who reduced their effort to support them any more.

my .02€
Ferrosti
BIG_jan
Znuny advanced
Posts: 138
Joined: 05 Jun 2009, 11:32
Znuny Version: 3.3.8
Company: Netzlink Informationstechnik GmbH
Location: Wolfenbüttel,GER
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by BIG_jan »

Fail of OTRS:

I installed a new system for a customer yesterday with the newest version 3.2.8 and some packages.

I saw, after installing FAQ, Support, Survey and cmdb, that even their own packages are too new to be verified yet :)

!! Don't use packages - it may be dangerous !!

HAHA
Live: OTRS 3.3.8, ITSM 3.3.8, in vm
Test: otrs 3.3.8, ITSM

OS: RedHat 6.5 64Bit, Apache: 2.2.15, MySQL 5.5.38, Perl: 5.10.1, mod_Perl 2.0.4
tto
Znuny wizard
Posts: 315
Joined: 09 Jan 2007, 15:24
Znuny Version: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz
Contact:

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by tto »

Hi,

finally I got some response from xxx.
tto wrote:(1) Costs for package verification will be estimated by xxx after request. They didn't say if on which basis a community contributor will be charged (yet).
They did not mention a defined rate per hour or per day, but they provided some examples. The verification for CustomerUserImportExport, CustomerCompanyImportExport, ServiceImportExport and UserImportExport will cost approximately 800,- EUR (not sure if this is per package or for all of them). However, the price cannot be considered as fixed - the final costs depend on "how many iterations" will be required for verification.

For more complex extensions they suggested a personal consulting in one of their offices - I wonder how much this might cost.
tto wrote:(4) OTRS package must include sufficient documentation (a more precise requirement is already requested)
No exact definition was provided but again a sample - just have a look at the FAQ-extension. Providing a POD-documentation in the package is not enough. The documentation must be provided in PDF-format and downloadable via the package manager in the admin area of OTRS.
tto wrote: (5) OTRS package must not affect the integrity nor upgradability of the OTRS installations (latter is influenced by any extensions, so I requested more details on this point as well)
No response on this point.


I added some more questions regarding possible interest conflicts between OTRS-AG and verification-requesters: if one requests a package to be verified and how xxx could ensure that they respect the intellectual property and will not take illegitimate benefit from the verification-request. The response was that asking this question is just an unfounded assumption and not the basis for a fair partnership. I asked if some sort of NDA is intended on behalf of xxx for increasing trust in the verification process.

Keep you posted & regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/
Andre Bauer
Znuny guru
Posts: 2189
Joined: 08 Dec 2005, 17:01
Znuny Version: 5.0.x
Real Name: André Bauer
Company: Magix Software GmbH
Location: Dresden

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by Andre Bauer »

Prod: Ubuntu Server 16.04 / Zammad 1.2

DO NOT PM ME WITH OTRS RELATED QUESTIONS! ASK IN THE FORUMS!

OtterHub.org
Daniel Obee
Moderator
Posts: 644
Joined: 19 Jun 2007, 17:11
Znuny Version: various
Real Name: Daniel Obée
Location: Berlin

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by Daniel Obee »

I did my best to translate the official statement to readable English. So here's the letter:
Dear xxx, dear Christopher, dear Manuel,

it's been a while since we talked. That might be deplorable. But meanwhile we used our resources to push the OtterHub infrastructure (namely the registered association OtterHub e.V.). That is to provide the community with the chance to collaborate and help each other.

In your statement about the package verification you talk about OtterHub as “detached community members”. That hurts a little. As well as you trying to discredit the community project OPAR where community members spend a lot of time to voluntarily contribute to the OTRS project.

Obviously your statement is a direct reaction to the critique that emerged from different parties (including individual members of OtterHub) on the new package verification.

Package Verification – Why bother?

Review and verification of packages is a reasonable and appropriate way to secure a certain standard. Our concern therefore isn’t about the verification itself. It’s all about the implementation, the ambiguous verification conditions, and the lack of communication ahead.

Renée Bäcker published a broad to-the-point analysis at http://reneeb-perlblog.blogspot.de/2013 ... erung.html (German only).

From our point of view this leads to the following conclusions:

• The silent transmission of system data of any kind to servers of xxx is not acceptable. Users must have the choice if such verification is wanted or not.
• If a package is not verified the wording of the “error” message must be non-discriminating to other vendors.
• The criteria for verification must be public.
• A verification of commercial packages by the xxx must include an NDA. An implicit transfer of rights is not acceptable.
• Non-commercial packages should be verified for free if possible. Transfer of rights would be okay if limited to non-commercial usage (such as in the OTRS standard).
• Third party vendors must be allowed to verify their own packages.

Contributions to the standard

Your statement also brings in the explicit accusation OtterHub would willingly not contribute to the OTRS standard.

It’s a fact that concerning contributions there are still a lot of unanswered questions (see https://github.com/OTRS/otrs/pull/42, also Renée’s article). It’s also a fact that code snippets, mechanisms and ideas from packages made by OtterHub members were taken and put into the standard – without further notice, communication or any kind of acknowledgement.

A lot of us would be eager to contribute more and more directly to the project. It’s on you to provide acceptable conditions for that. That includes providing an official contributors file to honor the people who put their effort into the code.

A closing word

OTRS is a great project and there are many people out there putting a lot of effort and passion into making it even better. Part of those people are you at the xxx. Another part of them chose to organize themselves at OtterHub to consolidate activities and develop together.

OtterHub is your chance to get in contact with the community. We’d be happy if you follow our invitation to discuss topics like that earlier and – that’s the main point – in cooperation with us.

Regards

Daniel Obée
OtterHub e. V.
alexus
Znuny wizard
Posts: 380
Joined: 20 Sep 2010, 16:54
Znuny Version: OTRS 6 CE
Real Name: Alexey Yusov
Company: Radiant System Group s.r.o
Location: Prague

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by alexus »

To Daniel Obee » 26 Jun 2013, 12:24

LIKE!
Alexey Yusov

Production: OTRS CE ITSM 6.0.28 on CentOS 7 + Apache 2.4 + MariaDB 10.4.13 + Radiant Customer Portal

Radiant System OTRS Intergrator
RS4OTRS marketplace
Stay tuned on our Facebook
((OTRS)) Community Edition - what next?
shostakovich
Znuny advanced
Posts: 146
Joined: 11 Apr 2011, 08:11
Znuny Version: 3.2.5

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by shostakovich »

Very annoying. Will there be a vital open source community remaining? It's a strike against the open source community, which slowly disappears (understandably).
Daniel Obee wrote:
(6) It is said that the contributor must agree if his/their code or functionality may be adopted by OTRS.
Thanks for contributing! You will find your code in the next update - of the xxx feature add on catalog.

To make it clear: There's good reasons to protect installations covered by own support contracts from foreign code. But this could easily be done by a customized support module delivered to xxx support clients only. The way it's implemented (read: sneaked into the code) I cannot see but a barefaced attempt to eliminate or at least discriminate other vendors and the free community.
Best statement in this thread.
denydias
Znuny newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
Znuny Version: 5.x.x

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Post by denydias »

brann wrote:You can download our additional OTRS module ConfigureCallHome
Are there plans to update this to OTRS4?
brann
Znuny advanced
Posts: 115
Joined: 14 Nov 2011, 10:11
Znuny Version: 3.3.x
Real Name: Anna Brakoniecka

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by brann »

Function of ConfigureCallHome is included in KIX4OTRS (free module with many additional features: http://www.kix4otrs.com). When we'll publish ConfigureCallHome as a separate module for OTRS is not defined yet. I'll keep you informed, when I'll have more specific information.
denydias
Znuny newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
Znuny Version: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by denydias »

brann wrote:I'll keep you informed, when I'll have more specific information.
I'll appreciate that. I have a fully functional/production environment that doesn't need the entire KIX4OTRS functionality. It would be nice to have just ConfigureCallHome available in OPAR for 4.0.x, just as it does to 3.3.x.

Thank you anyway.
tto
Znuny wizard
Posts: 315
Joined: 09 Jan 2007, 15:24
Znuny Version: OTRS 5.0.x
Real Name: Torsten
Company: c.a.p.e. IT GmbH
Location: Chemnitz

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Post by tto »

denydias wrote:
brann wrote:You can download our additional OTRS module ConfigureCallHome
Are there plans to update this to OTRS4?

There probably will be a version for OTRS 4.0 but it's not in focus right now. However ReneeB prepared something so that actually just a package build action is needed:

https://github.com/reneeb/otrs-ConfigureCallHome

(nevertheless we haven't found the time yet - sorry).

regards, T.
--
KIX 17.x (fork of OTRS)
Professional KIX-, or OTRS-integration, development and consulting by c.a.p.e. IT - http://www.cape-it.de
For questions and hints regarding KIX(4OTRS) please go to https://forum.kixdesk.com/
denydias
Znuny newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
Znuny Version: 5.x.x

Re: ConfigureCallHome for OTRS 3.1 and 3.2

Post by denydias »

tto wrote:However ReneeB prepared something so that actually just a package build action is needed
Nice! Always him! That'll do.

Don't be sorry. Time is much more difficult to find than support resources these days.

Thank you very much, @tto and @reneeb.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by reneeb »

@jenniesmith: That has nothing to do with the package verification...
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
denydias
Znuny newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
Znuny Version: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by denydias »

Spammers? Really?
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by reneeb »

@denydias: You can notify the admins about those posts... (the exclamation mark button in the upper right of a post).
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
denydias
Znuny newbie
Posts: 49
Joined: 13 Jul 2014, 02:12
Znuny Version: 5.x.x

Re: Package Verification in OTRS 3.1.16 / 3.2.7

Post by denydias »

Tks for the tip, @reneeb!