Michael Wyres wrote:
> The way I see it, the reason you have encountered some resistance to your
> opinion in regards to whether guest access should be allowed by default or
> should not be, is not because your opinion is "right" or "wrong" - everyone
> is entitled to an opinion - and your stance has merit, certainly - I don't
> think anyone is actually disputing that. It is more that a lot of the people
> on this list have been using Asterisk for a LOOOOOOOONG time, and have
> explained why it might be advantageous to have guest access enabled by
> default. There are definitely uses for this functionality, as has been
> demonstrated by a number of examples contained in this thread.
>

I certainly understand why someone would want such a feature. Again, I think that it's a feature that should not be enabled by default. I realize that some people that are using this feature would be inconvenienced if this default were to change. I think that inconvenience is far outweighed by the benefits in avoiding exploitation of those who are unaware of this feature.

I don't know how long, exactly, a LOOOOOOOONG time is. Certainly there are plenty of people who have used it longer than I have. I started investigating and studying Asterisk in 1999. I started using it in 2002. If that's not long enough to deserve a voice, then I understand.

> Isn't this why you joined the list? To learn more about the product, and get
> ideas and assistance from the more experienced users of the product?
>

I've been a list member for a very long time. Back in that day I was accustomed to joining the users list for every software I used with any interest. The point of joining the list was, yes, to learn, but also to share and to provide feedback to developers.

> You raised your concern, and Tilghman (a senior developer at Digium)
> explained the reasoning behind the default setting. He suggested that you
> take your concern to the tracker and post a patch. You resisted.

In case you weren't aware, I *DID* open a case on the bug tracker, and I *DID* write a patch as requested. However, an eager bug marshal decided to close my case before the patch was written and asked me to come to this list to discuss the subject. So Tilghman was asking me to create a *NEW* ticket and to post the patch there... yet all the while there were discussions going on on asterisk-dev about the very same subject which, as clearly stated, superseded my contribution due to merit. In other words, there was little point for me to write any patch until after those whose opinions count due to merit are done (but even then, I still wrote and contributed a patch).

But please understand, I've been down this path before many times. I wasn't trying to be resistant. Instead, I was merely cognizant of the fact that I had already done enough to express my opinions and that to continue restating them over and over would have been futile and argumentative.

> Now, the default extensions.conf contains the following snippet:
>
> <snip>
>
> [default]
> ;
> ; By default we include the demo. In a production system, you
> ; probably don't want to have the demo there.
> ;
> include => demo
>
> </snip>
>
> Now, a lot of people never RTFM for anything. Moreover, how many people
> actually read the EULA for any piece of software they use? It's not
> Asterisk/Digium's fault if people don't read the available documentation that
> they provide. The quite plainly clear statement above is "in a production
> system, you probably don't want to have the demo there". Did you read that
> bit? Did you wonder why that bit is there?

Yes, I did read that. This led me to immediately remove the demo. It did not, however, lead me to set allowguest=no.

> When I first started working with Asterisk, I clearly remember that line (or
> something very similar) piquing my curiosity to dig a little deeper as to
> why that statement was made. Lo, I discovered that this was because by
> default, guest access is allowed.
>

You certainly took it further than I did. I accepted what it said at face value. I didn't continue to investigate. I can't help but think there are others like me who will not read between the lines to learn that guest access is enabled by default. Indeed, the language in doc/security.txt doesn't currently make this clear, either... reading it at face value I see a bias against using the "default" context for anything involving tolls, but it still doesn't say that unauthenticated callers are permitted by default. Again, you were more inquisitive than I was. I applaud you for it. Do we expect that level of inquisitiveness from all users?

> I too found the default access odd at first, but I chose to understand the
> reasoning from people who knew better, instead of chucking a hissy fit.

I'm sorry, I'm not sure I understand your definition of hissy fit. If you view my behavior as a hissy fit then I do apologize. Please understand, however, that I *DID* follow expected protocol, and what I did would have been more than enough to constitute a contribution in most open-source projects in which I participate. You seem disturbed that I chose to stop pursuing this once I felt that further efforts were not going to be productive. I probably came to that conclusion sooner than you did... probably because of my past experience in this regard.

Thanks,
Lee.
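
The two settings this message turns on, guest access left at its default and a `[default]` context that still includes the demo, can be checked mechanically. The following is an added example, not part of the original message or of Asterisk itself; it assumes `allowguest` and `context` are read from the `[general]` section of `sip.conf`, and the sample file contents are constructed.

```python
import re

# Constructed sample input, not from a real system. The include line mirrors
# the stock extensions.conf snippet quoted in the message above.
SAMPLE_SIP_CONF = """\
[general]
context=default      ; context that unauthenticated calls land in
;allowguest=no       ; commented out, so the built-in default applies
"""
SAMPLE_EXTENSIONS_CONF = """\
[default]
; By default we include the demo.
include => demo
"""

def parse_conf(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(sip_text, ext_text):
    """Report guest access left on and a guest context that includes demo."""
    findings = []
    general = dict(parse_conf(sip_text).get("general", []))
    if general.get("allowguest", "").lower() != "no":
        findings.append("allowguest is not set to 'no' in [general]")
    # Assumption: guest calls use the [general] context, "default" if unset.
    ctx = general.get("context", "default")
    entries = parse_conf(ext_text).get(ctx, [])
    if ("include", "demo") in entries:
        findings.append("[%s] includes demo" % ctx)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SIP_CONF, SAMPLE_EXTENSIONS_CONF):
        print("FINDING:", finding)
```

Removing the demo include alone clears only the second finding, which is the situation the author describes having been in.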