Package: ntop
Version: 3:5.0.1+dfsg1-1
Severity: important

Dear Maintainer,

When working on configuring NTOP I was tweaking parameters through the 
/etc/default/ntop variable GETOPT. Reading the help and man page one thing I 
found was --skip-version-check.
This sparked my interest to look at the network traffic generated. Indeed when
starting the ntop service there's HTTP traffic going to kpn.ntop.org, which is
the CNAME for version.ntop.org. A bunch of data is pushed to it and a version
check returned. 

Adding the --skip-version-check option should prohibit this. It does not. NTOP
comes back with the error that it needs a parameter for the option, which is 
not documented. Adding the parameter (like '=yes', or ' yes') allows NTOP to 
start. But looking at the log and the network traffic the version check is 
still performed. 

A telltail sign comes when one freshly installs the package. This is what 
appears in the syslog.

----------8<---------------------------------------------------------------

 ntop[]:   CHKVER: **********************PRIVACY**NOTICE**********************
 ntop[]:   CHKVER: * ntop instances may record individually identifiable     *
 ntop[]:   CHKVER: * information on a remote system as part of the version   *
 ntop[]:   CHKVER: * check.                                                  *
 ntop[]:   CHKVER: *                                                         *
 ntop[]:   CHKVER: * You have requested - via the --skip-version-check       *
 ntop[]:   CHKVER: * option that this check be skipped and so no             *
 ntop[]:   CHKVER: * individually identifiable information will be recorded. *
 ntop[]:   CHKVER: *                                                         *
 ntop[]:   CHKVER: * In general, we ask you to permit this check because it  *
 ntop[]:   CHKVER: * benefits both the users and developers of ntop.         *
 ntop[]:   CHKVER: *                                                         *
 ntop[]:   CHKVER: * Review the man ntop page for more information.          *
 ntop[]:   CHKVER: *                                                         *
 ntop[]:   CHKVER: **********************PRIVACY**NOTICE**********************
 ntop[]:   CHKVER: Checking current ntop version at version.ntop.org/version.xml
 ntop[]:   CHKVER: Version file is from 'version.ntop.org'
 ntop[]:   CHKVER: as of date is '2012-10-16T11:00:47'
 ntop[]:   CHKVER: This version of ntop is the CURRENT stable version

----------8<---------------------------------------------------------------

So first a notice that the version check is skipped, and then it's done anyway?
This cannot be right, on various levels.

What I would expect is that the version check is inhibited by default, since
we're relying on the Debian distribution channels for updates, not on 
in-application checks (which should be a general Debian Packager policy IMHO). 
And then centainly not those checks which flag out to the world every time 
when my Debian box boots up. For me enough reason to remove ntop from my box.


-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ntop depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.52
ii  libc6                  2.17-97
ii  libgdbm3               1.8.3-12
ii  libgeoip1              1.6.0-1
ii  libpcap0.8             1.5.3-1
ii  libpython2.7           2.7.6-5
ii  librrd4                1.4.7-2+b1
ii  net-tools              1.60-25
ii  ntop-data              3:5.0.1+dfsg1-1
ii  passwd                 1:4.1.5.1-1
ii  python-mako            0.9.1-1
ii  zlib1g                 1:1.2.8.dfsg-1

ntop recommends no packages.

Versions of packages ntop suggests:
ii  graphviz  2.26.3-16.1
ii  gsfonts   1:8.11+urwcyr1.0.7~pre44-4.2

-- debconf information:
  ntop/password_reset: false
* ntop/interfaces: none
* ntop/password_empty:
  ntop/password_mismatch:
  ntop/user: ntop


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to