OXReportClient Information Request


  • OXReportClient Information Request

    We are a small company with a paid software maintenance license for the SE version of OX and have had continued software maintenance with varieties of Open-xchange through the years. As those licensed for software maintenance are made aware, support is only guaranteed in the form of software updates unless additional support is purchased for troubleshooting system problems.

    I'm particularly concerned with the recent requirement for the installation of a tool that is, in essence, spyware in order for users to continue obtaining software updates even if under a currently valid maintenance agreement. Open-xchange has noted this tool is only for Open-xchange to "improve its own support and maintenance offerings for you". However, I believe the rationale Open-xchange is using is only partially for improved technical support and mainly for tracking paid licensed use.

    I do find the need to track number of utilized seat licenses reasonable to ensure Open-xchange remains viable and profitable. And, we all know there are those who'll try to game licensing schemes.

    We may disagree, but I do not like the idea of forcing current users into installing a tool that is of minimal use to them especially with the threat of discontinuing software support. And, especially to those who are already under a valid software maintenance contract.

    Please allay my fears and provide more detailed information regarding what your tool is transmitting back to Open-xchange.

    From the Wiki entry, the following information is transmitted to Open-xchange

    1. Version number of the Open-Xchange server package

    Makes sense from a paid support/incidence standpoint.

    2. Version number of the Open-Xchange admin package

    Makes sense from a paid support/incidence standpoint.

    3. Total user count.

    Also, makes sense from a license standpoint but doesn't the license key already handle that? Or are there users that deploy multiple instances with the same license key?

    4. Total context count

    As per item 3.

    5. Detailed context information: context age, creation date or date of creation, user count, context id

    Are these the exact fields transmitted to Open-xchange? Are there any other fields that contain identifiable or personal information?

    6. Detailed user information (per context): User access combination flags (which modules have been activated for the users)

    What exact fields for "detailed" user information are transmitted? Are user names or any other potential identifying information transmitted? Could you please provide a list of the exact fields being transmitted? I do want to understand any security implications to our organization and to have a detailed understanding of the information that is being sent to Open-xchange. Will the list of transmitted items change in the future and how are users notified?
    For example, I assume that the current license key information is transmitted but it is not in the list of the Wiki detailed transmitted items. So, I make the assumption, there are items transmitted that have not been listed in the Wiki or elsewhere.

    Also, as a curiosity, is the information transmitted encrypted?

    I really do not want to discover proprietary or personal information being leaked by a software tool on our server now or in the future. Please help me feel better about this and point me towards a detailed list. Additional information is appreciated.

    Thank you.

    Best regards,

    Jay.

  • #2
    Hi Jay,

    To find out what information is obtained by this tool, you might run the -d mode (display only).

    Example output:
    Code:
    mbraun@mail:~$ /opt/open-xchange/sbin/report -d
    /opt/open-xchange ~
    Starting the Open-Xchange report client. Note that the report generation may take a little while.
    
    module    version    
    admin     6.14.0 Rev8
    groupware 6.14.0 Rev8
    
    contexts users
    1        2423 
    
    id age created                      module access combination users
    1  0   Mon Dec 21 15:08:58 GMT 2009 132382719                 2423

    The total user count makes sense since there is no restriction when installing a license nor is there any hard limit when creating users. We believe that the customer should not be restricted in deploying on a technical side, this report procedure is for support only. To ensure fair customers don't have a disadvantage against those who buy support/maintenance for 20 but run 2000 seats, the tool reports the number of user accounts. The amount of contexts or OX instances is not restricted by the license, it's reported for data consistency.

    The information you see at this example output is all that is transferred. I agree that "detailed" is not exact in this case. The access combination shows what and how many modules are accessible to users in general. While Server Edition licenses are always "full groupware" there are other models for hosting environments where the "webmail only" accounts are accounted as a flat-fee and upsell accounts are paid on a specific rate. There is *no* detailed information about user accounts transferred other than the available modules and amount of users. Since the tool only acts when being executed you have the chance to review information before it is transferred. Open-Xchange also does not have any interest in leaking any of your users data, this tool is solely used for support and license information. Indeed, the license keys registered with the corresponding OX instance are also included in the report to match the report information against a license key.

    The transfer of user data is SSL encrypted and executed with the host "activation.open-xchange.com" which offers a valid certificate and assures the information is only transferred to the right people. You can check this for yourself by listening to the network traffic. There is only very little data transferred so there won't be any negative influence to your network infrastructure.

    The source code of the "report" client and the server are available through public CVS if you want to verify this information for yourself. Repository is "open-xchange/com.openexchange.report.client".

    Greetings
    Last edited by Martin Heiland; 12-23-2009, 10:44 AM.
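
Added example, not part of either post and not Open-Xchange code: one way to review the `-d` (display only) output before anything is transferred is to check it against an allowlist of the tables shown in the reply above. The function name `audit_report` and the row patterns are assumptions inferred from the single output sample quoted in this thread.

```python
import re

# From the `report -d` output quoted in this thread: normalised header -> row pattern.
EXPECTED = {
    "module version": re.compile(r"(admin|groupware)\s+\S+( Rev\d+)?"),
    "contexts users": re.compile(r"\d+\s+\d+"),
    "id age created module access combination users": re.compile(
        r"\d+\s+\d+\s+[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} "
        r"\d{2}:\d{2}:\d{2} [A-Z]{2,5} \d{4}\s+\d+\s+\d+"),
}
BANNER = "Starting the Open-Xchange report client"
NEVER = re.compile(r"(?!)")  # matches nothing: every row of an unknown table is flagged

def audit_report(output):
    """Return findings for anything outside the expected tables; [] means clean."""
    lines = [ln.strip() for ln in output.splitlines()]
    for i, ln in enumerate(lines):      # drop everything up to and including the banner
        if ln.startswith(BANNER):
            lines = lines[i + 1:]
            break
    findings, seen, row_re = [], set(), None
    for ln in lines:
        if not ln:                      # a blank line ends the current table
            row_re = None
        elif row_re is None:            # first line of a block is its header
            header = " ".join(ln.split())
            row_re = EXPECTED.get(header, NEVER)
            if row_re is NEVER:
                findings.append(f"unexpected table: {header!r}")
            seen.add(header)
        elif not row_re.fullmatch(ln):
            findings.append(f"unexpected row: {ln!r}")
    return findings + [f"missing table: {h!r}" for h in EXPECTED if h not in seen]

# Output copied from the thread above (shell prompt line omitted).
SAMPLE = """\
/opt/open-xchange ~
Starting the Open-Xchange report client. Note that the report generation may take a little while.

module    version
admin     6.14.0 Rev8
groupware 6.14.0 Rev8

contexts users
1        2423

id age created                      module access combination users
1  0   Mon Dec 21 15:08:58 GMT 2009 132382719                 2423
"""
```

An empty result from `audit_report` means the output contains only the three tables and row shapes seen in this thread; any finding is a reason to read the output by hand before running the tool without `-d`.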



    • #3
      Hi Martin

      Could you post a table which explains the "module access" numbers?
      Just seeing the number I've no idea how to decrypt.


      Regards
