[asterisk-gui] interface to list of providers
bkruse
bkruse at digium.com
Thu Aug 28 16:34:45 CDT 2008
See recent commit by pari number:
3717
Seems he is not listening to me :P
Bullwinkle _and_ rocky _did_ escape!
Andrew Latham wrote:
> Two Ideas...
>
> 1. This is a silly thought but can the providers offer a file for
> their service and the user has the option of updating all vendors.
> Then you can have Digium Partners as an option so that it will get all
> the partners settings at once.
>
> 2. SVN update the file....
>
>
> I feel for all sides of this small issue. What is the best way to
> enable the user? Are the ITSPs going to behave themselves with an
> open option like #1 above? Will Bullwinkle get out of his trap in
> time to save Rocky.....
>
>
>
>
>
> On Thu, Aug 28, 2008 at 4:53 PM, bkruse <bkruse at digium.com> wrote:
>
>> I suppose so. The problem is that is defeating the _very_ reason we
>> implemented this, so that
>> we can make updates to the providers list in real time.
>>
>> -Brandon
>>
>> Klaus Ruebsam wrote:
>>
>>> How about a
>>>
>>> ------------------
>>> Feature request:
>>>
>>> Additional Field somewhere underneath
>>>
>>> Options -> General Preferences
>>>
>>> By default pointing to the JS-file at DIGIUM. But everyone may be free to
>>> wget that JS-file manually, place it somewhere on his own web-server and
>>> change the above entry field to point to that own webserver. IMHO the
>>> corresponding value (URL) should be stored somewhere within
>>> /etc/asterisk/http.conf
>>>
>>> Action required:
>>> 1. Add additional variable within http.conf somewehere underneath the
>>> [general] section, let´s call it
>>>
>>> providersinfo = https://gui-dl.digium.com/providers.js
>>>
>>> No change within Asterisk itself required as variable gets only read by the
>>> GUI
>>>
>>>
>>> 2. Wihtin the above mentioned menue-section of the GUI an additional
>>> inputfield (keep it long enough) plus a button, named "Default" or "DIGIUM"
>>> that would overwrite the field with
>>> "https://gui-dl.digium.com/providers.js". The JS-file as of the release date
>>> of the GUI version used, may additionally be saved (during installation of
>>> the GUI) somewhere underneath http://myasterisk:8088/asterisk/static/config/
>>> making an additional and initial wget of the file no longer necesary.
>>> ------------------
>>>
>>> How about that one? That should make all of us happy, shouldn´t it? And
>>> implementation shouldn´t be that difficult.
>>>
>>>
>>> Best regards,
>>>
>>> Klaus
>>>
>>>
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: asterisk-gui-bounces at lists.digium.com
>>> [mailto:asterisk-gui-bounces at lists.digium.com] Im Auftrag von bkruse
>>> Gesendet: Donnerstag, 28. August 2008 21:00
>>> An: Asterisk GUI project discussion
>>> Betreff: Re: [asterisk-gui] interface to list of providers
>>>
>>> The whole idea behind this is that we _can_ push updates of Service
>>> Providers.
>>>
>>> We will test this internally, but it is better than the alternative (having
>>> a provider that does not work when they are certified to work)
>>>
>>> Not to mention this will rarely happen.
>>>
>>> As far as the remote thing, it is an equiv of a "wget", what about when you
>>> go to sites and you see "request pages from analytics.google.com", or
>>> requesting advertising javascript files. If you are worried about javascript
>>> security, and your overall security, there are much better, and more
>>> vulnerable, places to start at.
>>>
>>> -bk
>>>
>>> Pari Nannapaneni wrote:
>>>
>>>
>>>>> Not to get into semantics:
>>>>>
>>>>> The obvious fact is that the local page gets information from a
>>>>> remote page. For the purpose of usage statistics, maybe even a simple
>>>>> data file or an image would do the same.
>>>>>
>>>>>
>>>>>
>>>> Sure, i think having discussions about any security/privacy concerns are
>>>>
>>>>
>>> always a good thing.
>>>
>>>
>>>>
>>>>> This still does not address the original issue.
>>>>> Also note that the URL should be HTTPS or use some other equivalent
>>>>> messure to protect from DNS spoofs and such.
>>>>>
>>>>>
>>>>>
>>>> It is a HTTPS URL with a valid SSL cert.
>>>>
>>>> thanks,
>>>> -Pari
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Tzafrir Cohen" <tzafrir.cohen at xorcom.com>
>>>> To: asterisk-gui at lists.digium.com
>>>> Sent: Thursday, August 28, 2008 1:11:28 PM GMT -06:00 US/Canada
>>>> Central
>>>> Subject: Re: [asterisk-gui] interface to list of providers
>>>>
>>>> On Thu, Aug 28, 2008 at 08:40:45AM -0500, Pari Nannapaneni wrote:
>>>>
>>>>
>>>>
>>>>> Hi Tzafrir,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> 1. Privacy implications
>>>>>> Every time I use this configuration page, it reports home.
>>>>>>
>>>>>>
>>>>>>
>>>>> "reports home" would be kind of a strong word.
>>>>>
>>>>> I would agree with what you said,
>>>>> [A] if there is 'a banner-Ad script served from a 3rd party website"
>>>>> in the gui [B] if the gui had some third party scripts like "google
>>>>>
>>>>>
>>> analytics"
>>>
>>>
>>>>> [C] if the script is a mashup
>>>>> I don't think this really qualifies as a 'mashup', as there is NOWAY
>>>>>
>>>>>
>>> the script
>>>
>>>
>>>>> can read any of your cookies set by other websites.
>>>>> - Unless you are embedding the gui in someother website via an
>>>>>
>>>>>
>>> iframe.
>>>
>>>
>>>>> [D] if the script served is obfuscated using some javascript
>>>>> obfuscator [E] OR if the script makes any XMLhttprequest to Digium or
>>>>>
>>>>>
>>> some other website.
>>>
>>>
>>>>> Its straight forward javascript file, like the rest of the scripts in the
>>>>>
>>>>>
>>> GUI.
>>>
>>>
>>>>>
>>>> Not to get into semantics:
>>>>
>>>> The obvious fact is that the local page gets information from a remote
>>>> page. For the purpose of usage statistics, maybe even a simple data
>>>> file or an image would do the same.
>>>>
>>>> A quick grep before posting this message showed me that this was the
>>>> only case of such a "remote" content.
>>>>
>>>> It also means that part of the functionality is not available if the
>>>> system has no internet access (or is behind a very strict firewall).
>>>>
>>>>
>>>>
>>>>
>>>>> The only difference being that it is loaded from a different URL, and
>>>>> the GUI tells the same to the user and loads the script only after
>>>>> taking a confirmation from the user.
>>>>>
>>>>> Yes, the webserver's log file will contain a bunch of IP addresses
>>>>> which requested the js file, but thats like saying "i won't use VOIP
>>>>>
>>>>>
>>> because the person on the other end might know my IP address".
>>>
>>>
>>>>>
>>>>>> 2. Untested code
>>>>>> This feature means I run a whole bunch of javascript code from a
>>>>>> remote site. Later on some modifications in that page may break my
>>>>>> page and I would not even be aware of that.
>>>>>>
>>>>>>
>>>>>>
>>>>> We will see what we can do about this.
>>>>>
>>>>> Right now, the providers file is on a different svn repository.
>>>>> I will see if there is a way to somehow move the providers script
>>>>> file into the gui repository, so that any changes made to the file
>>>>> would be public.
>>>>>
>>>>>
>>>>>
>>>> This still does not address the original issue.
>>>> Also note that the URL should be HTTPS or use some other equivalent
>>>> messure to protect from DNS spoofs and such.
>>>>
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-gui mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-gui
>>>
>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-gui mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-gui
>>>
>>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-gui mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-gui
>>
>>
>
>
>
>
More information about the asterisk-gui
mailing list