Re: Important - Highcharts Licensing

Posted: Wed 10 Apr 2024 9:17 am
by broadstairs
HansR wrote: Wed 10 Apr 2024 6:52 am
saratogaWX wrote: Tue 09 Apr 2024 9:04 pm now. I'd like to use a package that doesn't require a CDN/external URL source to run correctly and is under MIT or Apache license (free).
I do not see why a non-CDN would have preference? Contrary: my version selector for Highcharts is based on the CDN possibility.
Hans, as Ken explained earlier, if you have to load code from a website outside of your own server you expose a potential security issue where that site could be compromised without your knowledge and load code exposing the end user to viruses etc. This is not just a theory; it has happened in the past and probably will in future. From a security point of view having the code loaded from your own server only significantly reduces this exposure. This is why a non-CDN option is much more preferable.

Stuart

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 7:49 am
by HansR
broadstairs wrote: Wed 10 Apr 2024 9:17 am Hans, as Ken explained earlier, if you have to load code from a website outside of your own server you expose a potential security issue where that site could be compromised without your knowledge and load code exposing the end user to viruses etc. This is not just a theory; it has happened in the past and probably will in future. From a security point of view having the code loaded from your own server only significantly reduces this exposure. This is why a non-CDN option is much more preferable.
Yes, I read it and I understand it.

On the other hand: we may assume users take the highest precautions themselves (even Ray is now on https ;) ) and we may assume CDN providers do the best they can to prevent malicious attacks. As long as everybody does his/her thing, we may take the risk to be small. If you want no risk at all then don't get on the internet. I will make use of all possibilities of the modern internet and will do anything to prevent being attacked (there are many weather sites which are being flagged by my security system, I whitelist those which is a risk as I do not know if they really are safe).

My point is: we should not be afraid of progress in technology, but we should make sure everything is done to prevent malice.

So in summary: I think Ken is right but I also think: Don't throw the baby out with the bathwater.

[And now I'm offline again, the new modem comes today so with some luck I'll be online again tonight.]

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 4:41 pm
by saratogaWX
@HansR, I'm not trying to avoid technological progress, just trying to minimize the 'attack surface' of a hobbyist's website.

Recently, there have been multiple 'supply chain' attacks where miscreants have infiltrated backdoors/other malware via open-sourced software via CDN distributions. Some have been massive and taken many folks to reverse and expunge the added malware (and clean up from website compromises).

Before I retired in 2004, I'd held a CISSP (security certificate) and specialized in 'Defense against the Dark Arts' at a major Semiconductor company. I still follow the security newsfeeds and see these CDN compromise issues at least once a month. That's another reason to have a local, known copy hosted on your own website -- just eliminates one additional point of entry to compromise of your website.

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 5:33 pm
by HansR
@SaratogaWX:
I think we differ in how far and with what angle we need to approach this type of problem.

There are many security issues and nobody can close all holes. The naked fact that an amateur has a site is enough to conclude there is a risk. I don't believe CDN poses special or enlarged risks. If that were the case they would already long have been banned or avoided and that is not the case.

But this thread is not about yes or no using CDN but on the Highcharts issue. So let's focus there and in the final choice we may meet again. Or I just deviate in the implementation. I won't turn this into a heated yes/no debate.

I heard your point.

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 5:55 pm
by broadstairs
I understand your point Hans but I'm afraid I agree with Ken, I will not allow in future any code on my website which uses scripts which need to be from a 3rd party website. Better safe than sorry, I have already removed all CMX code from my site which does this and I'm even less happy that the dashboard does this so for now it stays but I really hope the accepted solution has no 3rd party involved, or at least it gives me an option to turn it off on the dashboard.

Sorry if this is in your view extreme but after 40 years professionally in IT I am only too well aware of what can happen.

Stuart

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 6:40 pm
by HansR
@Broadstairs:
I understand all angles in any security issue and everybody must do what he/she thinks best.
But don't come with 40 years of experience: it's the same for me with a somewhat lighter view of things. My bad I guess.

Years ago when installing a central heating system in my house, I asked the company which delivered the system about saving gas (isolation etc...) apparently I wanted too much and he reacted: if you really want to save gas, turn it off.

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 7:29 pm
by ConligWX
If we're voting... then I'd go for the non-CDN version also.

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 7:47 pm
by Mapantz
Trusted CDN providers have exceptional levels of security.

I have no issue with using them and they can speed up website load times for users in other parts of the world.

Re: Important - Highcharts Licensing

Posted: Thu 11 Apr 2024 8:00 pm
by rogerthn
Mapantz wrote: Thu 11 Apr 2024 7:47 pm Trusted CDN providers have exceptional levels of security.
This might be, but The XZ Utils Backdoor?

Re: Important - Highcharts Licensing

Posted: Sun 12 May 2024 1:04 pm
by spatieman
What about MRTG, or Nagios?
As far as I know they are licence free too.

Re: Important - Highcharts Licensing

Posted: Thu 30 May 2024 5:57 am
by HansR
Any progress @Ken / @Mark?

Re: Important - Highcharts Licensing

Posted: Thu 30 May 2024 10:40 am
by mcrossley
Sorry, my spare time recently has been bogged down in v4 issues/tweaks/improvements.

Re: Important - Highcharts Licensing

Posted: Mon 24 Jun 2024 6:42 pm
by ExperiMentor
I come to this issue late, and it seems to be a proper nuisance.

I would suggest that Mark (and other sub-developers - eg Hans R for CUtils) make it absolutely clear to all their users that they now need the non-commercial licence, and to renew it annually. Provide the link to guide them how to do it.

That should absolve Mark et al of any responsibility, and it's then down to individual users whether they comply or take whatever risk there is. Users' judgements on this might of course depend on whether they are using Highcharts on an outwardly-available site.

This could be in the interim, or permanently. I do think it important that the developers can visibly demonstrate that they have taken steps to encourage compliance.

Re: Important - Highcharts Licensing

Posted: Mon 24 Jun 2024 7:05 pm
by broadstairs
I have no idea how or if Mark will handle this. My attitude to this is that I have no desire to use any software which at any point could either require annual licensing or become commercial so I will not use any graphs on my local interface, I already do not use Highcharts on my public website anyway. I will, when I find time, look to use an alternative program for graphs which is totally free on my public website.

Stuart

Re: Important - Highcharts Licensing

Posted: Tue 25 Jun 2024 9:41 am
by nossis
I applied for one from Highcharts.
Was pretty quick to do.
Reached out to Highcharts support and advised what it was for and gave links to the web pages that use Highcharts.
Was directed to here: https://shop.highcharts.com/contact/personal
Filled it out and a day later got an email with license certificate PDF file.
Didn't appear as though any further actions were needed.
It wouldn't surprise me if this is a marketing ploy on Highcharts' part to test market saturation, good way to get contact details of me.

Barry