On Mon, Jan 15, 2007 at 02:03:10PM +0100, Vincent Danjean wrote:
> Pierre Chifflier wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Pierre Chifflier <[EMAIL PROTECTED]>
> >
> > * Package name    : ocsinventory-agent
> >   Version         : 1.0~rc3
> >   Upstream Author : Pascal DANEK 2005
> > * URL             : http://ocsinventory.sourceforge.net/index.php
> > * License         : GPL
> >   Programming Lang: Perl
> >   Description     : Hardware and software inventory tool (client)
> >
> > Open Computer and Software Inventory Next Generation is an application
> > designed to help a network or system administrator keep track of the
> > computers' configuration and the software installed on the network. It also
> > allows deploying software, commands or files on client computers.
>
> Last time I looked at this software, I was very disappointed by the
> security of the last part: the agent was downloading and installing
> new software without any verification (signature, ...).
> As my lab would like to try this tool, I made a Debian package.
> I tried to disable this remote deployment facility (as we did not want
> to use it) and leave only the configuration and software report part.
> Even that was not secured at all!
> So, we use it for non-laptop computers inside our lab (behind a
> firewall), but not on our laptops, which can be connected in hostile
> environments.
> As I have not looked at this software for several months, it is
> possible that some of my criticisms are wrong (and I would be very
> happy in this case).
>
> So, I hope you will address these issues if you create an official
> Debian package. If you want, you are free to use the packaging I did
> for the 1.0-RC2-FINAL release:
> http://people.debian.org/~vdanjean/debian/pool/main/o/ocsinventory-client/
Thanks for your mail, and your remarks.

I have indeed looked at the software deployment part; it /seems/ to be better now (I must admit I haven't tested it in a production environment), since the client and the server must have a trust relation (it uses a PKI, or a self-signed certificate). I fully agree that this feature must be disabled by default if not fully secure; this point is quite important.

I've downloaded your packages, thanks a lot. Version 1.0rc3 has lots of important changes since 1.0rc2 (in particular, for the installation); I believe most of your points are addressed, or will be in the next stable release.

If you are still interested in the packaging, I would see no problem in co-maintaining the packages (I plan to package the server as soon as the client packages are ready).

Regards,
Pierre
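The check Vincent asks for, as an added example that is not part of this thread and not OCS Inventory's own code: an agent that refuses to install a remote deployment unless it carries a valid signature from a server key the agent has pinned in advance. The `Deployment` structure, the `Sign`/`Verify` helpers, the sample payload and the digest layout are all assumptions for the example (OCS Inventory's actual deployment format and its certificate-based trust relation are different); the point is only that payload, name and signature are bound together and that anything signed by an unknown key, or modified after signing, is rejected before it runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Deployment is a hypothetical "install this" message from server to agent.
// It is constructed for this example and does not mirror OCS Inventory's format.
type Deployment struct {
	Name      string
	Payload   []byte // script or package bytes the agent would execute/install
	Signature []byte // Ed25519 signature by the server over digest(Name, Payload)
}

// digest binds the deployment name to the payload hash with a separator so
// that neither can be swapped independently without breaking the signature.
func digest(name string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write([]byte(hex.EncodeToString(sum[:])))
	return h.Sum(nil)
}

// Sign is the server side; it exists here only so the example runs offline.
func Sign(priv ed25519.PrivateKey, d *Deployment) {
	d.Signature = ed25519.Sign(priv, digest(d.Name, d.Payload))
}

var ErrUntrusted = errors.New("deployment rejected: signature does not verify against the pinned server key")

// Verify is the agent side: the only key it trusts is the one pinned at
// install time, so a MITM on a hostile network cannot substitute payloads.
func Verify(pinned ed25519.PublicKey, d *Deployment) error {
	if len(pinned) != ed25519.PublicKeySize || len(d.Signature) != ed25519.SignatureSize {
		return ErrUntrusted
	}
	if !ed25519.Verify(pinned, digest(d.Name, d.Payload), d.Signature) {
		return ErrUntrusted
	}
	return nil
}

// RunScenario returns whether a genuine, a tampered and a rogue-signed
// deployment are accepted by an agent that pinned the real server key.
func RunScenario() (trusted, tampered, rogue bool, err error) {
	serverPub, serverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // key the agent never pinned
	if err != nil {
		return
	}

	// Constructed sample payload; a real agent would fetch this from the server.
	genuine := &Deployment{Name: "lab-config-update", Payload: []byte("#!/bin/sh\necho hello\n")}
	Sign(serverPriv, genuine)
	trusted = Verify(serverPub, genuine) == nil

	// Same name and signature, payload altered in transit.
	altered := *genuine
	altered.Payload = append(append([]byte{}, genuine.Payload...), []byte("rm -rf /\n")...)
	tampered = Verify(serverPub, &altered) == nil

	// Valid signature, but from a key the agent does not trust.
	impostor := &Deployment{Name: genuine.Name, Payload: genuine.Payload}
	Sign(roguePriv, impostor)
	rogue = Verify(serverPub, impostor) == nil
	return
}

func main() {
	trusted, tampered, rogue, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered accepted=%v rogue-key accepted=%v\n", trusted, tampered, rogue)
}
```

Pinning the server's public key (or certificate) at agent installation is what turns "downloads and installs whatever the server sends" into the trust relation Pierre describes; without the pinned key, a self-signed certificate presented at connection time proves nothing about who is on the other end.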