Package: ntop Version: 3:5.0.1+dfsg1-1 Severity: important Dear Maintainer,
When working on configuring NTOP I was tweaking parameters through the /etc/default/ntop variable GETOPT. Reading the help and man page one thing I found was --skip-version-check. This sparked my interest to look at the network traffic generated. Indeed when starting the ntop service there's HTTP traffic going to kpn.ntop.org, which is the CNAME for version.ntop.org. A bunch of data is pushed to it and a version check returned. Adding the --skip-version-check option should prohibit this. It does not. NTOP comes back with the error that it needs a parameter for the option, which is not documented. Adding the parameter (like '=yes', or ' yes') allows NTOP to start. But looking at the log and the network traffic the version check is still performed. A telltail sign comes when one freshly installs the package. This is what appears in the syslog. ----------8<--------------------------------------------------------------- ntop[]: CHKVER: **********************PRIVACY**NOTICE********************** ntop[]: CHKVER: * ntop instances may record individually identifiable * ntop[]: CHKVER: * information on a remote system as part of the version * ntop[]: CHKVER: * check. * ntop[]: CHKVER: * * ntop[]: CHKVER: * You have requested - via the --skip-version-check * ntop[]: CHKVER: * option that this check be skipped and so no * ntop[]: CHKVER: * individually identifiable information will be recorded. * ntop[]: CHKVER: * * ntop[]: CHKVER: * In general, we ask you to permit this check because it * ntop[]: CHKVER: * benefits both the users and developers of ntop. * ntop[]: CHKVER: * * ntop[]: CHKVER: * Review the man ntop page for more information. * ntop[]: CHKVER: * * ntop[]: CHKVER: **********************PRIVACY**NOTICE********************** ntop[]: CHKVER: Checking current ntop version at version.ntop.org/version.xml ntop[]: CHKVER: Version file is from 'version.ntop.org' ntop[]: CHKVER: as of date is '2012-10-16T11:00:47' ntop[]: CHKVER: This version of ntop is the CURRENT stable version ----------8<--------------------------------------------------------------- So first a notice that the version check is skipped, and then it's done anyway? This cannot be right, on various levels. What I would expect is that the version check is inhibited by default, since we're relying on the Debian distribution channels for updates, not on in-application checks (which should be a general Debian Packager policy IMHO). And then centainly not those checks which flag out to the world every time when my Debian box boots up. For me enough reason to remove ntop from my box. -- System Information: Debian Release: jessie/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages ntop depends on: ii adduser 3.113+nmu3 ii debconf [debconf-2.0] 1.5.52 ii libc6 2.17-97 ii libgdbm3 1.8.3-12 ii libgeoip1 1.6.0-1 ii libpcap0.8 1.5.3-1 ii libpython2.7 2.7.6-5 ii librrd4 1.4.7-2+b1 ii net-tools 1.60-25 ii ntop-data 3:5.0.1+dfsg1-1 ii passwd 1:4.1.5.1-1 ii python-mako 0.9.1-1 ii zlib1g 1:1.2.8.dfsg-1 ntop recommends no packages. Versions of packages ntop suggests: ii graphviz 2.26.3-16.1 ii gsfonts 1:8.11+urwcyr1.0.7~pre44-4.2 -- debconf information: ntop/password_reset: false * ntop/interfaces: none * ntop/password_empty: ntop/password_mismatch: ntop/user: ntop -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

