Bug#406964: ITP: ocsinventory-agent -- Hardware and software inventory tool (client)
On Mon, Jan 15, 2007 at 02:03:10PM +0100, Vincent Danjean wrote:
> Pierre Chifflier wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Pierre Chifflier <chifflier@cpe.fr>
> >
> > * Package name : ocsinventory-agent
> > Version : 1.0~rc3
> > Upstream Author : Pascal DANEK 2005
> > * URL : http://ocsinventory.sourceforge.net/index.php
> > * License : GPL
> > Programming Lang: Perl
> > Description : Hardware and software inventory tool (client)
> >
> > Open Computer and Software Inventory Next Generation is an application
> > designed to help a network or system administrator keep track of the computers'
> > configuration and software that are installed on the network. It also
> > allows deploying software, commands or files on client computers.
>
> Last time I looked at this software, I was very disappointed by the
> security on the last part: the agent was downloading and installing
> new software without any verification (signature, ...).
> As my lab would like to try this tool, I made a Debian package.
> I tried to disable this remote deployment facility (as we did not want
> to use it) and leave only the configuration and software report part.
> Even that was not secured at all!
> So, we use it for non-laptop computers inside our lab (behind a
> firewall), but not on our laptops that can be connected in hostile
> environments.
> As I did not look at this software for several months, it is
> possible that some of my criticisms are wrong (and I would be very
> happy in this case).
>
> So, I hope you will address these issues if you create an official
> Debian package. If you want, you are free to use the packaging I did
> for the 1.0-RC2-FINAL release:
> http://people.debian.org/~vdanjean/debian/pool/main/o/ocsinventory-client/
>
Thanks for your mail, and your remarks. I have indeed looked at the
software deployment part, it /seems/ to be better now (I must admit I
haven't tested it in a production environment) since the client and
the server must have a trust relation (it uses a PKI, or a self-signed
certificate). I fully agree that this feature must be disabled by
default if not fully secure, this point is quite important.

I've downloaded your packages, thanks a lot. Version 1.0rc3 has lots
of important changes since 1.0rc2 (in particular, for the
installation), I believe most of your points are addressed, or will be
in the next stable release.

If you are still interested in the packaging, I would see no problem
in co-maintaining the packages (I plan to package the server as soon
as the client packages are ready).

Regards,
Pierre