[Fusioninventory-devel] UserAgent patch for FusionInventory

Remi Collet Fedora at FamilleCollet.com
Sun Jan 9 07:57:16 UTC 2011


On 07/01/2011 17:21, Guillaume PROTET wrote:
> Hi,
> 
> We plan to use useragent and agent version to control API changes and control that data sent by the agent is compatible with the OCS server. That is what we mean by "security".

So it is absolutely not security related.

Is there somewhere a doc about this "versioned" API?
A real answer is probably an XML validation.

Please keep in mind that interoperability is one of the big goals/forces
of OpenSource Software.

And I'm absolutely convinced that if a true security bug were discovered
in the fusion agent, the fusion team will fix it ASAP.

> 
> Don't forget that we are searching for a solution for your agent that is not supported by the OCS community, so consider that you are privileged.

The first, quick and simple solution could be to add the patch in the
contrib folder of the server, with a README which could explain this.

"You can apply this patch to allow fusion agent....
We know about the other project...
You should be aware this is not supported by the OCS team...
etc..."

This will also allow packagers to work on a package with or without this
patch (I think this must stay a distribution/packager choice).

A better solution will be, after this first step, to have a
configuration file of allowed agents, with additional ones (fusion, ...)
in a contrib folder. Of course it could not be in your priority during
the RC stage, but a valuable and expected feature.

Regards
Remi.


> 
> Kind regards,
> 
> --
> Guillaume
> 
> 
> 
> ----- Original Mail -----
> From: "Stéphane Urbanovski" <s.urbanovski at ac-nancy-metz.fr>
> To: "FusionInventory Developer discussion" <fusioninventory-devel at lists.alioth.debian.org>
> Cc: "developers en" <developers.en at ocsinventory-ng.org>
> Sent: Friday 7 January 2011 14:13:11
> Subject: Re: [Fusioninventory-devel] UserAgent patch for FusionInventory
> 
> Guillaume Rousse wrote:
>> On 07/01/2011 11:23, Guillaume PROTET wrote:
>>> Hi,
>>>
>>> Your patch won't be integrated as is because, for security reasons, it is inconceivable for us to integrate by default an agent not supported by OCS.
>> I fail to see how deciding to examine or reject a message, just because of
>> client-managed user-agent string, would provide any kind of security
>> benefit. You'd better validate the content of the message against a
>> grammar, to check what is said, rather than blindly believe the client
>> claiming who he is.
>>
>> Or find another excuse than 'security'.
> 
> +1
> 

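The contrast argued in this thread, as an added example that is not part of the original messages or of either project's code: a User-Agent gate decides on a header the client chooses, while a grammar check judges the message itself. The element names, query values, User-Agent strings and sample messages below are constructed assumptions, not the real OCS Inventory or FusionInventory format.

```python
import xml.etree.ElementTree as ET

# Hypothetical grammar, not the real OCS/FusionInventory schema:
# element -> (allowed children, required children)
GRAMMAR = {
    "REQUEST": ({"DEVICEID", "QUERY", "CONTENT"}, {"DEVICEID", "QUERY"}),
    "CONTENT": ({"HARDWARE"}, set()),
    "HARDWARE": ({"NAME", "OSNAME"}, {"NAME"}),
}
ALLOWED_QUERIES = {"INVENTORY", "PROLOG"}
ALLOWED_AGENT_PREFIXES = ("OCS-NG",)  # constructed allowlist

def user_agent_gate(headers):
    """The check debated in the thread: trusts a header the client chooses."""
    return headers.get("User-Agent", "").startswith(ALLOWED_AGENT_PREFIXES)

def _check(elem, errors):
    """Compare one element's children with the grammar, then recurse."""
    allowed, required = GRAMMAR.get(elem.tag, (set(), set()))
    seen = [child.tag for child in elem]
    for tag in seen:
        if tag not in allowed:
            errors.append(f"<{tag}> not allowed inside <{elem.tag}>")
    for tag in sorted(required - set(seen)):
        errors.append(f"<{elem.tag}> is missing <{tag}>")
    for child in elem:
        if child.tag in allowed:
            _check(child, errors)

def validate_message(body):
    """Return grammar violations; an empty list means the message is accepted."""
    if b"<!DOCTYPE" in body:  # refuse DTDs so entity expansion never runs
        return ["DOCTYPE not allowed"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if root.tag != "REQUEST":
        return [f"unexpected root <{root.tag}>"]
    errors = []
    _check(root, errors)
    query = root.findtext("QUERY")
    if query is not None and query not in ALLOWED_QUERIES:
        errors.append(f"unknown QUERY value {query!r}")
    return errors

# Constructed sample messages
GOOD = (b"<REQUEST><DEVICEID>host-1</DEVICEID><QUERY>INVENTORY</QUERY>"
        b"<CONTENT><HARDWARE><NAME>host-1</NAME></HARDWARE></CONTENT></REQUEST>")
BAD = b"<REQUEST><QUERY>DROP</QUERY><EXTRA/></REQUEST>"
```

With these samples the gate passes any body sent under an `OCS-NG...` header, including `BAD`, and refuses `GOOD` when it arrives under a different agent name; `validate_message` gives the same verdict for a body whatever header accompanies it.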