I'm keen on motv. I'll build a cgi wrapper for the logs if you need to assign the task to someone. TL On Tue, 2004-04-06 at 23:31, Mark Spencer wrote:> I've been considering the nature of Asterisk, its security, the bug > tracker, and more... And i've come up with an interesting idea: A > "message of the version". The idea is that Asterisk has a compile time > 32-bit unsigned int version which is incremented whenever some major new > bug is fixed. When Asterisk starts up (and periodically, maybe once per > day), it sends a packet with the version number to a server at Digium, > along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium > server replies (if it receives the packet, if not, it might get sent again > in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are > associated with that version of the code. In this way, an asterisk > administrator could easily see if there were any major issues, critical > security updates, etc, that his system might need to be updated for. > > Now, of course, any time you put a "call home" feature in, there are > people who will be concerned about privacy. Clearly it will be able to be > disabled, but I want to run my idea about deployment by everyone here and > see if you guys had some ideas. The idea would be that *new* installs > ("make samples") would have the feature turned on for MAJOR level by > default, and that any existing install (e.g. /etc/asterisk/sip.conf > exists, but not /etc/asterisk/motv.conf) would have the file created at > the next "make install" based upon prompting the installer. > > Any feedback on: > > a) The idea itself -- is it a good one or is it stupid? > > b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it? > > Thanks! > > Mark > > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users
I've been considering the nature of Asterisk, its security, the bug
tracker, and more... And i've come up with an interesting idea: A
"message of the version". The idea is that Asterisk has a compile
time
32-bit unsigned int version which is incremented whenever some major new
bug is fixed. When Asterisk starts up (and periodically, maybe once per
day), it sends a packet with the version number to a server at Digium,
along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium
server replies (if it receives the packet, if not, it might get sent again
in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are
associated with that version of the code. In this way, an asterisk
administrator could easily see if there were any major issues, critical
security updates, etc, that his system might need to be updated for.
Now, of course, any time you put a "call home" feature in, there are
people who will be concerned about privacy. Clearly it will be able to be
disabled, but I want to run my idea about deployment by everyone here and
see if you guys had some ideas. The idea would be that *new* installs
("make samples") would have the feature turned on for MAJOR level by
default, and that any existing install (e.g. /etc/asterisk/sip.conf
exists, but not /etc/asterisk/motv.conf) would have the file created at
the next "make install" based upon prompting the installer.
Any feedback on:
a) The idea itself -- is it a good one or is it stupid?
b) The way to make it deployed without sneaking a "call home" in on
anybody that doesn't want it?
Thanks!
Mark
On Tue, 6 Apr 2004, Mark Spencer wrote:> I've been considering the nature of Asterisk, its security, the bug > tracker, and more... And i've come up with an interesting idea: A > "message of the version". The idea is that Asterisk has a compile time > 32-bit unsigned int version which is incremented whenever some major new > bug is fixed. When Asterisk starts up (and periodically, maybe once per > day), it sends a packet with the version number to a server at Digium, > along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium > server replies (if it receives the packet, if not, it might get sent again > in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are > associated with that version of the code. In this way, an asterisk > administrator could easily see if there were any major issues, critical > security updates, etc, that his system might need to be updated for. > > Now, of course, any time you put a "call home" feature in, there are > people who will be concerned about privacy. Clearly it will be able to be > disabled, but I want to run my idea about deployment by everyone here and > see if you guys had some ideas. The idea would be that *new* installs > ("make samples") would have the feature turned on for MAJOR level by > default, and that any existing install (e.g. /etc/asterisk/sip.conf > exists, but not /etc/asterisk/motv.conf) would have the file created at > the next "make install" based upon prompting the installer. > > Any feedback on: > > a) The idea itself -- is it a good one or is it stupid?I like the idea, but I'm not one of those people that mind my software "calling home" as long as I can review the code and make sure it's not shipping off anything other than the version numbers. This will also give Digium real-world information about who is using what version of asterisk, and from what IP block. It has a lot of poential benefits, and some drawbacks. Personally, I'd like to see that information shared with the community in some fashion. For example, a real-time website that shows the percentage breakdown of versions in use, and perhaps even a breakdown by country. The idea of a service, provided by Digium, that informs Asterisk admins of major fixes in the code base would be an incredible addition. I can't think of one piece of Open Source software that actually does this off the top of my head.> b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?Enable by default, and inform people how to shut it off. Either way, you'll piss someone off! ;) Might as well go for broke. :) -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 06 April 2004 11:31 pm, Mark Spencer wrote:> I've been considering the nature of Asterisk, its security, the bug > tracker, and more... And i've come up with an interesting idea: A > "message of the version". The idea is that Asterisk has a compile time<snip>> Any feedback on: > > a) The idea itself -- is it a good one or is it stupid?As someone who's interested in how to make support of a large number of boxes trivial, this is Great News!> b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?Make it part of an install question. One of the things I'd like to see is a script that executes on install, or after first startup, which asks for basic questions like the above. It could read the config file and see if it has already been answered. Being notified that a bug in my system has been fixed would be great! I may not even know it exisits...> Thanks! > > Mark > > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users- -- Steve "They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFAc5QvljK16xgETzkRAoJGAKDIJ5jLD+4H2HJsX8ORzRlcgXUpvACgwH9l xsHSrt5rBAaE8YLmIJuWaR4=srNu -----END PGP SIGNATURE-----
> Any feedback on: > > a) The idea itself -- is it a good one or is it stupid?It's an excellent idea, another example of how committed Digium is to customer service!> > b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?Make it so it has to be explicitly enabled by the user ? Regards Panny
Hi,> -----Original Message----- > Now, of course, any time you put a "call home" feature in, > there are people who will be concerned about privacy. > Clearly it will be able to be disabled, but I want to run my > idea about deployment by everyone here and see if you guys > had some ideas. The idea would be that *new* installs ("make > samples") would have the feature turned on for MAJOR level by > default, and that any existing install (e.g. > /etc/asterisk/sip.conf exists, but not > /etc/asterisk/motv.conf) would have the file created at the > next "make install" based upon prompting the installer.Sounds like a nice feature. Things to consider: - What if someone has their own development tree to work with - the 'call home server' should be configurable ? - As a security consideration, sending the local version might not be wise - what if the call home server is being dns-spoofed ? An intruder might get relevant version info... Downloading a changes matrix might be wise (maybe related to 'last time checked' rather than version) Florian
Hi> > a) The idea itself -- is it a good one or is it stupid?great idea. could be very useful if you don't have much time to track/test cvs version and/or the bugtracker> b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?make it off by default, providing infos on how to enable it. In this way you don't have to worry about user complaints about privacy (hey, you've turned on! isn't that by default), Also not all systems could have a open internet connection... so sending infos is impossible at all. Matteo. -- Matteo Brancaleoni Espia System Administrator Email : mbrancaleoni@espia.it Web : http://www.espia.it Phone : +39 02 70633354 - ext 201 IAX(2): guest@213.140.14.155 - ext 201 Iaxtel: 1-700-56-62458 - ext 201 SIP : matteo@sip.voismart.it
I'd like to give this one 10 thumbs down. IMHO a bad idea, a nasty little bad idea.. evil, spawn of Satan. If this were implemented the first job of a new update would be to rip it out and flush it down the nearest toilet. I can only wait until we see M$ like activation implemented... oh the joy... It would be much better just to have the information present on either the Digium site or some other location. I see little point in wasting your valuable time doing something like this when there are so many outstanding issues and feature requests that could offer more. Andy *********** REPLY SEPARATOR *********** On 06/04/2004 at 22:31 Mark Spencer wrote:>I've been considering the nature of Asterisk, its security, the bug >tracker, and more... And i've come up with an interesting idea: A >"message of the version". The idea is that Asterisk has a compile time >32-bit unsigned int version which is incremented whenever some major new >bug is fixed. When Asterisk starts up (and periodically, maybe once per >day), it sends a packet with the version number to a server at Digium, >along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium >server replies (if it receives the packet, if not, it might get sent again >in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are >associated with that version of the code. In this way, an asterisk >administrator could easily see if there were any major issues, critical >security updates, etc, that his system might need to be updated for. > >Now, of course, any time you put a "call home" feature in, there are >people who will be concerned about privacy. Clearly it will be able to be >disabled, but I want to run my idea about deployment by everyone here and >see if you guys had some ideas. The idea would be that *new* installs >("make samples") would have the feature turned on for MAJOR level by >default, and that any existing install (e.g. /etc/asterisk/sip.conf >exists, but not /etc/asterisk/motv.conf) would have the file created at >the next "make install" based upon prompting the installer. > >Any feedback on: > >a) The idea itself -- is it a good one or is it stupid? > >b) The way to make it deployed without sneaking a "call home" in on >anybody that doesn't want it? > >Thanks! > >Mark > >_______________________________________________ >Asterisk-Users mailing list >Asterisk-Users@lists.digium.com >http://lists.digium.com/mailman/listinfo/asterisk-users >To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users
excellent idea. eliot On Tue, 2004-04-06 at 23:31, Mark Spencer wrote:> I've been considering the nature of Asterisk, its security, the bug > tracker, and more... And i've come up with an interesting idea: A > "message of the version". The idea is that Asterisk has a compile > time > 32-bit unsigned int version which is incremented whenever some major > new > bug is fixed. When Asterisk starts up (and periodically, maybe once > per > day), it sends a packet with the version number to a server at Digium, > along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium > server replies (if it receives the packet, if not, it might get sent > again > in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are > associated with that version of the code. In this way, an asterisk > administrator could easily see if there were any major issues, > critical > security updates, etc, that his system might need to be updated for. > > Now, of course, any time you put a "call home" feature in, there are > people who will be concerned about privacy. Clearly it will be able > to be > disabled, but I want to run my idea about deployment by everyone here > and > see if you guys had some ideas. The idea would be that *new* installs > ("make samples") would have the feature turned on for MAJOR level by > default, and that any existing install (e.g. /etc/asterisk/sip.conf > exists, but not /etc/asterisk/motv.conf) would have the file created > at > the next "make install" based upon prompting the installer. > > Any feedback on: > > a) The idea itself -- is it a good one or is it stupid? > > b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it? > > Thanks! > > Mark > > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >
Mark Spencer <markster@digium.com> wrote:>I've been considering the nature of Asterisk, its security, the bug >tracker, and more... And i've come up with an interesting idea: A >"message of the version". The idea is that Asterisk has a compile time[...]> >a) The idea itself -- is it a good one or is it stupid?It could be a useful feature *if* done right. Some other people have already made some good comments on this. I think it seems like somewhat of a waste of time with the number of truly useful things that could be done to Asterisk instead. Doug -- Doug Meredith (doug.meredith@systemguard.com) SystemGuard - Oracle remote support 877-974-8273 (87-SYSGUARD) 506-854-7997 www.systemguard.com
Mark Spencer wrote:> Any feedback on: > > a) The idea itself -- is it a good one or is it stupid? >Now this is just my views. No I do not feel we need to be sending any information back unless we want to. Like someone else said a sub job that is turned off by default. My preference would be no communication back. I would like to see on you web site more information on stable builds, bugs and easyer way to determine the version your running. Also maybe some feed back form that we can fill out and sumit to you. But all of them are manual and not automatic.> b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?> Thanks! > > Mark > > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users
I wouldn't want a call home feature that is enabled by default. I think it would be great though if * had some ability to update itself. Perhaps via a CLI command, as others have suggested. Something similar to RH's up2date would be great in my opinion. Anyway, thats my 2 cents. Sean Rodger
On Tue, 2004-04-06 at 23:31, Mark Spencer wrote:> > Any feedback on: > > a) The idea itself -- is it a good one or is it stupid?I like the idea of being able to see what updates/fixes are available vs. the code that I'm running. I think this would definitely be helpful to me.> b) The way to make it deployed without sneaking a "call home" in on > anybody that doesn't want it?Like others on here, I'd like to see it as a console command - I'd like to be able to come into the office in the morning and type 'check motv' on the console, and see if there's anything I need/want. Having it auto-phone-home on startup wouldn't be too useful for me, since this would only occur when we were already performing an upgrade. As far as the periodic message, again that wouldn't be too useful, I wouldn't be looking at the console to see the results. jwsh
One thing that the BSD open source operating system projects do, and many other projects for that matter, which Asterisk does not seem to do, is put CVS ID tags in the source files of the package itself. If ID tags were put into the source files, and even embedded in strings so that theyshowed up in the binary files too, that would go a long way toward helping users determine which version of Asterisk they had, and where they were relative to the current state of the development tree. It seems like this change requires no real coding, just adding a line or two to each source file, and CVS does the rest for you by bumping the version numbers as changes come in. Another advantage of this approach, is that users can succinctly and accurately point out which versions of which modules work and which ones contain critical bugs. Then you can say things like: File res_moh.c, V1.25 and later contains the fix you're looking for. Just a thought. -Brian
asterisk@sasami.anime.net
2004-Apr-07 14:13 UTC
[Asterisk-Users] res_motv: Request for Comment
On Tue, 6 Apr 2004, Mark Spencer wrote:> I've been considering the nature of Asterisk, its security, the bug > tracker, and more... And i've come up with an interesting idea: A > "message of the version". The idea is that Asterisk has a compile time > 32-bit unsigned int version which is incremented whenever some major new > bug is fixed. When Asterisk starts up (and periodically, maybe once per > day), it sends a packet with the version number to a server at Digium, > along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium > server replies (if it receives the packet, if not, it might get sent again > in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are > associated with that version of the code. In this way, an asterisk > administrator could easily see if there were any major issues, critical > security updates, etc, that his system might need to be updated for.This could easily be done with simple dns lookups and TXT records, eg do a TXT query for version#.digium.com. The nice thing is that because of the distributed and cached nature of DNS, it is inherently resistant to high loads and outages -- especially if you have secondary/tertiary servers. -Dan
YES PLEASE.
Wonderful Stuff! In my opinion just what the project needs. I deployed and
supported many GPL and commercial SmoothWall (firewall) installs and was
forced to poll a web page from time to time to see if any of my customers
needed an urgent security patch applying...not a satisfactory way to manage
many machines deployed across several countries.
The usual caveats about reviewing the 'phone home source code apply of
course as does an opt out for certain Carriers/official organisations that
prefer to remain anonymous.
Regards
Darren
--
Comgate
Telco>Internet<Broadcast
-----Original Message-----
From: asterisk-users-admin@lists.digium.com
[mailto:asterisk-users-admin@lists.digium.com]On Behalf Of Mark Spencer
Sent: 07 April 2004 04:31
To: asterisk-users@lists.digium.com
Subject: [Asterisk-Users] res_motv: Request for Comment
I've been considering the nature of Asterisk, its security, the bug
tracker, and more... And i've come up with an interesting idea: A
"message of the version". The idea is that Asterisk has a compile
time
32-bit unsigned int version which is incremented whenever some major new
bug is fixed. When Asterisk starts up (and periodically, maybe once per
day), it sends a packet with the version number to a server at Digium,
along with a message level (INFO,MINOR,MAJOR,CRITICAL) and the Digium
server replies (if it receives the packet, if not, it might get sent again
in a day) with any INFO, MINOR, MAJOR, or CRITICAL messages which are
associated with that version of the code. In this way, an asterisk
administrator could easily see if there were any major issues, critical
security updates, etc, that his system might need to be updated for.
Now, of course, any time you put a "call home" feature in, there are
people who will be concerned about privacy. Clearly it will be able to be
disabled, but I want to run my idea about deployment by everyone here and
see if you guys had some ideas. The idea would be that *new* installs
("make samples") would have the feature turned on for MAJOR level by
default, and that any existing install (e.g. /etc/asterisk/sip.conf
exists, but not /etc/asterisk/motv.conf) would have the file created at
the next "make install" based upon prompting the installer.
Any feedback on:
a) The idea itself -- is it a good one or is it stupid?
b) The way to make it deployed without sneaking a "call home" in on
anybody that doesn't want it?
Thanks!
Mark
_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
I completely agree. This way you can get the same functionality on demand instead of automatically. -----Original Message----- From: Duane [mailto:digium@aus-biz.com] Sent: Thursday, April 08, 2004 5:23 AM To: asterisk-users@lists.digium.com Subject: Re: [Asterisk-Users] res_motv: Request for Comment Andy Powell wrote:> ...but the core of my 'problem' is software that calls home.I agree a separate tool is possibly the best option here for privacy reasons... Simple solution seems to me, have a version.h file in each "module" and rather then calling home publish the version info that is downloaded rather then uploaded with some sort of changelog type system, and the app running locally will detail on request the changes between the different versions... obviously gzip'ing the "changelog" will save download times... I think it's a good idea if implemented correctly, everything off by default, and give good details on what it does specifically and how to enable it and that should keep everyone happy... Those that are especially paranoid, just don't compile the version checking tool, so if anyone complains later not only did they have to run the util, but they had to compile it as well... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers _______________________________________________ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
I'm sure I haven't read all the relevant replies yet as I only completed those who didn't break the thread. My mindset would be to create a command line switch that returned the int you mentioned that has the version details. This int could then be fed to any app that could query your bugs database. This would help in the automation of large deployments, or the integration with other monitoring software. The next step I would see is some form of SOAP call that could return the data you mentioned. This allows a person who has collected the version numbers for each of the machines they are running to then create whatever monitor app they want in whatever language they feel happy with. As I see it fitting into my companies current monitoring schemes would be a package is created at each of the deployed asterisk servers that contained the version details. This package is routed however we have configured it to reach a central repository. At this central repository, we gather them all together and then issue our calls to your website consolidating all the version numbers necessary into the least number of calls out to you. We then filter on what is important for each of the machines in question and register the update information with our notification service. Then our notification service could notify those who have registered interest in the machine, level, or event and be notified appropriately. Of course, I would also wish to have the levels be augmented by the subsystem as has been suggested elsewhere. I only care about Zap and IAX channels, core and agi apps. The rest are not interesting at this moment. This could greatly reduce what I pull back from your servers and reduce my tossing of records due to lack of interest. Of course, I have described how it would fit into our monitoring activity, I could also see a nice web front end built on top of the same exact SOAP calls, and even run solely from the browser via the built in Mozilla Javascript SOAP bindings. The big point is build tools, not necessarily solutions. Tools can be strung together for the solution, but it can also be broke down and rebuilt easily enough from the outside. -- Steven Critchfield <critch@basesys.com>