Important information for our customers, partners and community regarding the new package verification policy of OTRS AG
c.a.p.e. IT GmbH and the OTRS community criticize OTRS AG's secret introduction of package verification. We also close this vulnerability in the new OTRS package management for all OTRS users.
Only between the lines, namely in the release notes of the latest patch release, OTRS AG announced that, effective immediately, all information about all installed OTRS packages in every OTRS system will be sent to the so-called Verification Server of OTRS AG. This affects all OTRS installations starting with versions 3.1.16 and 3.2.7, regardless of whether one has, had or might have any service or maintenance contract with OTRS AG.
Verification starts automatically when one clicks on the package management in the admin interface, as well as when one updates installed packages or adds a new one. OTRS AG thereby learns of all locally installed OTRS packages (including organization-specific packages). The verification method analyses the package names and checksums, and if one's packages do not originally come from OTRS AG, the administrator receives a notification from OTRS AG that these packages can affect the security and stability of the system.
c.a.p.e. IT - as well as the OTRS community - criticized this approach. It is not acceptable that such a verification procedure was implemented without any official advance notice and instead "hidden" in the patch release notes of OTRS AG. There was no communication with the community or the OTRS users. Moreover, the verification method leads to uncertainty and doubt when using community modules from known sources such as the OTRS Package Archive (OPAR). Despite requests from the community, the verification criteria and the possible costs of the verification procedure for individual community developers are not known. Specific requests from the community regarding the verification guidelines were not answered in detail by OTRS AG.
Together with other community representatives, including OtterHub, c.a.p.e. IT worked on a solution. In the short term, we have provided a new, free add-on module called ConfigureCallHome for OTRS 3.1 and 3.2. The module is available on OPAR and in the download area of our website.
Free community OTRS module ConfigureCallHome
ConfigureCallHome allows OTRS administrators to configure whether any information about installed packages is sent and, if so, to which address. By default, external package verification is disabled. The add-on module should be copied locally to one's OTRS server or installed via the command line without a network connection. c.a.p.e. IT will include this additional functionality in future versions of KIX4OTRS.
c.a.p.e. IT GmbH will continue to support its customers and the community - regardless of whether they use only standard OTRS modules or additional modules from OPAR.