
Bug#406964: ITP: ocsinventory-agent -- Hardware and software inventory tool (client)



On Mon, Jan 15, 2007 at 02:03:10PM +0100, Vincent Danjean wrote:
> Pierre Chifflier wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Pierre Chifflier <chifflier@cpe.fr>
> > 
> > * Package name    : ocsinventory-agent
> >   Version         : 1.0~rc3
> >   Upstream Author : Pascal DANEK 2005
> > * URL             : http://ocsinventory.sourceforge.net/index.php
> > * License         : GPL
> >   Programming Lang: Perl
> >   Description     : Hardware and software inventory tool (client)
> > 
> >  Open Computer and Software Inventory Next Generation is an application
> >  designed to help a network or system administrator keep track of the computers
> >  configuration and software that are installed on the network. It also
> >  allows deploying software, commands or files on client computers.
> 
> Last time I looked at this software, I was very disappointed by the
> security on the last part: the agent was downloading and installing
> new software without any verification (signature, ...).
>   As my lab would like to try this tool, I made a Debian package.
> I tried to disable this remote deployment facility (as we did not want
> to use it) and leave only the configuration and software report part.
> Even that was not secured at all!
>   So, we use it for non-laptop computers inside our lab (behind a
> firewall), but not on our laptops that can be connected in hostile
> environments.
>   As I did not look at this software for several months, it is
> possible that some of my criticisms are wrong (and I would be very
> happy in this case).
> 
>   So, I hope you will address these issues if you create an official
> Debian package. If you want, you are free to use the packaging I did
> for the 1.0-RC2-FINAL release:
> http://people.debian.org/~vdanjean/debian/pool/main/o/ocsinventory-client/
> 

Thanks for your mail, and your remarks. I have indeed looked at the
software deployment part, it /seems/ to be better now (I must admit I
haven't tested it in a production environment) since the client and
the server must have a trust relation (it uses a PKI, or a self-signed
certificate). I fully agree that this feature must be disabled by
default if not fully secure, this point is quite important.

I've downloaded your packages, thanks a lot. Version 1.0rc3 has lots
of important changes since 1.0rc2 (in particular, for the
installation), I believe most of your points are addressed, or will be
in the next stable release.

If you are still interested in the packaging, I would see no problem
in co-maintaining the packages (I plan to package the server as soon
as the client packages are ready).

Regards,
Pierre


