
any way to have access to the real code?

Open mathse opened this issue 6 years ago • 24 comments

... except to the tarballs? would be easier for patches and pull requests

mathse avatar Oct 04 '17 14:10 mathse

Wow! Just observed that there are tar.gz archives submitted to git?! The only thing that went into my mind was WTF! WTH! OMG! .... nope, that's clearly not how to code.

ssbarnea avatar Oct 06 '17 19:10 ssbarnea

@ssbarnea This GitHub repo doesn't include UNMS source code. This repo includes mostly fragments/packages which are generated during our build process from other private GitHub repositories. We are using this GitHub as a delivery platform because it allows us to quickly update UNMS wiki, release notes, support scripts and cooperate on reported issues. I think that it's amazing for beta phase of development.

We haven't decided it yet but we are for example considering to move our wiki completely to help.ubnt.com and UNMS installation scripts to unms.ubnt.com after we switch to stable phase.

@mathse On the other hand we are thinking about opening UNMS code as well. It could have a lot of benefits, but there are multiple things which have to happen first. There are technical limitations such as shared libraries or legal questions etc. There wasn't a significant demand for it so far. But we are creating UNMS for our users and if it's interesting and beneficial for them we can focus on it.

So short answer is, that it's not possible now. But if you would like to improve UNMS, just send me email ([email protected]) with more details and we can try to find a way how to realize it.

jflidr avatar Oct 06 '17 20:10 jflidr

It seems that I was confused by the fact that this repository does not have a license assigned to it. I didn't even know that GitHub allowed that.

I didn't have time to investigate yet what is inside these archives but my gut feeling is that we could find some GPL/LGPL code and if that's true it already smells like a licensing breach.

I do love to contribute to open-source, for non open-source, I always demand to be paid for doing so and I am already full time employed, so no thanks.

PS. Usually adding the LICENSE is part of the first commit to a github repo.

ssbarnea avatar Oct 07 '17 15:10 ssbarnea

@ssbarnea Thank you for pointing us to the missing license file. We will fix it. The archives include installation scripts for UNMS (docker, docker compose, external data, in-app install hook and UNMS user). UNMS application is stored in docker repository. I fully understand your attitude to open-source / no open-source SW. It's very reasonable.

jflidr avatar Oct 09 '17 17:10 jflidr

I have to agree with the earlier concerns that the contents of this repository are disappointing. I had a momentary hope that Ubiquiti's new management system would be an open source platform. Sadly, it's nothing but an abuse of GitHub used to deliver closed software. This looks poorly on Ubiquiti.

If there is any chance to open the UNMS code, please consider doing so. If you truly care about your users, a fully open platform is one of the most meaningful gestures you can make. Ubiquiti wouldn't have EdgeOS if it wasn't for the world of open source. Perhaps now is the time to give back and contribute to that same community.

jschornick avatar Oct 17 '17 07:10 jschornick

Excited to see UBNT in Github! Hooray and Welcome! 🎉 🎈 Except, for now, you are doing it wrong... However, I do hope that you find ways of open sourcing your software - it would promote the open dialogue between you and your customers, bring transparency and in overall would elevate UBNT to an entirely new level! It's quite amazing which companies are nowadays behind the most active repos here - check it out, Cheers! 🍻

exsilium avatar Oct 20 '17 07:10 exsilium

Would be awesome to see this project open sourced. UBNT is killing it with the UniFi dashboard and now UNMS, but that’s only part of the value prop. In terms of hardware, features, configurability, and especially quality/price, nothing else comes close.

And no matter how many UBNT devices someone has, there will always be more connected devices that aren’t UBNT. The UNMS interface is already better than any OSS network management project out there, opening it up would allow the broader community to create clients for additional devices (eg IoT, RPi) and add additional features.

I’m sure UBNT management is concerned about dumping dev hours into an open source project, but there’s precedent for it paying dividends, in terms of marketing, brand identity, trust and loyalty.

impressiver avatar Nov 02 '17 22:11 impressiver

I was liking 0.10.3 while it was working. Fired an update & now this turd docker container has issues. The source code for this needs to be released so at least when broken it can possibly be fixed by handling it ourselves, if need be. No source codes makes it useless & now I have to shelve it until it's actually useful. :/

npm update check failed blah blah.

pcmerc avatar Nov 11 '17 06:11 pcmerc

@pcmerc I am sorry that you are having issues with the update. If you give me more details I can pass them to developers and we will try to solve the situation with you.

radekskrivan avatar Nov 13 '17 08:11 radekskrivan

Fresh install of 0.10.4 errors out with errors in the log relative to permissions is what it appears to be.


pcmerc avatar Nov 13 '17 16:11 pcmerc

Hello guys,

Are there any plans to develop the code out in the open and allow us to contribute?

For anyone that wants to grab the code, it is unencrypted Node.JS, grab it this way:

Grab the CONTAINER ID of the ubnt/unms container from Docker:

:~# docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                                      NAMES
e46c4f8dacae        ubnt/unms-nginx:0.11.3   "/entrypoint.sh ngin…"   2 hours ago         Up 2 hours          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   unms-nginx
1b0141ef560f        ubnt/unms:0.11.3         "/usr/bin/dumb-init …"   2 hours ago         Up 2 hours                                                     unms
05617827f222        rabbitmq:3               "docker-entrypoint.s…"   2 hours ago         Up 2 hours                                                     unms-rabbitmq
4ec987499590        postgres:9.6.1-alpine    "/docker-entrypoint.…"   2 hours ago         Up 2 hours                                                     unms-postgres
0a428aa40885        redis:3.2.8-alpine       "docker-entrypoint.s…"   2 hours ago         Up 2 hours                                                     unms-redis
44e175f2e8be        unms_fluentd             "/entrypoint.sh /bin…"   2 hours ago         Up 2 hours          5140/tcp, 127.0.0.1:24224->24224/tcp       unms-fluentd

Then enter the container:

docker exec -i -t <container id> /bin/bash

Grab the source and output to a tar file in the data directory accessible outside of the environment:

tar -cf data/source.tar .

(this isn't perfect as it includes the data directory too).

You'll have all the Node.JS code for UNMS, plus the Dockerfile their container is built from.

Why don't you just post your working repository on GitHub Ubiquiti? It'll be a great step forward!

Regards, iamacarpet

iamacarpet avatar Mar 23 '18 19:03 iamacarpet

https://github.com/stonedonajax/ubnt-unms-nodejs

we can already see your code. will you choose to share?

stonedonajax avatar Mar 24 '18 08:03 stonedonajax

Hi guys, I would like to ask you to remove UNMS Node.js source code from public github repo. The main reason, why UNMS backend isn’t obfuscated is a simpler process of identifying bugs and access to readable stack traces. I think that it’s a huge benefit for UNMS community. We know, that you can access UNMS code in UNMS container, it’s not a secret, but we are not ok, that you are sharing it on a public github repo. It’s important to say that your actions are not helpful for my discussion with our lawyers and actually you are significantly complicating any open source related activities. On the other hand if you write me an email that you are interested to add XYZ to UNMS, you are expert in Javascript, Node.js, React or even functional programming then this will be a motivation for us to vindicate pushing UNMS to be more open.

jflidr avatar Mar 24 '18 20:03 jflidr

No open source, easy enough to not use til then. Thank you!


pcmerc avatar Mar 24 '18 21:03 pcmerc

@pcmerc They have stated they will open source the software, however they are a large company and need to go through many layers to do so, including lawyers to make sure it's done correctly to protect themselves. They are kind enough to allow the public to give input into the software and the beta, as well as state they are okay with people diving into the code but not sharing it publicly yet. No one here cares if you are going to throw a little fit and not use their software because it's not open sourced yet.

@jflidr you can contact Github to have it removed, as it's your software, and they are not compliant by releasing it publicly, especially since it doesn't have a license attached, meaning it's not under license to share publicly.

Taubin avatar Mar 24 '18 23:03 Taubin

I don't recall throwing a fit, @Taubin, that was probably your kids. Easy enough not to use until it's open sourced.

pcmerc avatar Mar 25 '18 00:03 pcmerc

The whole lawyer thing seems a bit pre-historic. Surely with all of the big companies doing it, even Microsoft of all people for their years of Linux and open source hate, there aren’t really any questions still open around the main open source licenses.

That being said, while I might not be able to provide code for a feature right now, in the spirit of open source security, has anyone pointed out there are critical security vulnerabilities in two of the node package dependencies at the versions specified for that 0.11.3 release?

iamacarpet avatar Mar 25 '18 00:03 iamacarpet

@iamacarpet there are quite a few non-trivial questions that any company has to carefully consider before committing to and supporting an open source program. Licensing is only a part of it, but does include things you might not have considered, like exposure, liability, infringement and enforcement. All of which come at a real cost to the business and happen to be the kind of things lawyers concern themselves with.

@jflidr has a totally reasonable ask. Posting a link to the extracted source isn’t clever or helpful.

impressiver avatar Mar 25 '18 02:03 impressiver

Surely most of the issues you are alluding to, like liability, exposure, etc, all became an issue as soon as they started distributing the raw source on an open platform themselves (DockerHub). There isn’t really much difference in them posting the code there or here, it is still out in the open, by them. The only thing it doesn’t include is commit transparency and the ability to raise PRs.

Unless what we are saying is the lawyers, being non technical, don’t understand that posting to DockerHub this way when the code was Node.JS, would expose them in the same way and they were hoping nobody would point that out to them?

It has been a year since the first builds were released publicly here, so don’t we think if they were going to open source organically, they would have done it by now?

@Taubin was quick to jump in and say they were going to open source it if we give them time, but unless he has some inside information, this isn’t actually what @jflidr said at all. He said, “you are significantly complicating any open source related activities”, which doesn’t sound like he’s saying there are any plans to open source this specifically. To be honest, it sounds like it is complicating their plans for using so many open source Node.JS modules from npm without giving back... Are there some in use which require upstream source disclosure I wonder?

iamacarpet avatar Mar 25 '18 09:03 iamacarpet

@iamacarpet not sure what exactly you’re after, why you think this approach is at all constructive. Might consider how connecting with the developers, making contributions, adding value could potentially be a more effective route.

impressiver avatar Mar 25 '18 22:03 impressiver

Just installed 0.12 today and the "ejs" version in use is still vulnerable to 3 CVEs, 1 of them being RCE.

I pointed out the security issues in this thread before you published 0.12; did anybody even check?

iamacarpet avatar Apr 03 '18 07:04 iamacarpet

Hi @iamacarpet, yes, we have checked it. UNMS uses ejs only for generating email templates. They can be used only by logged in users from data which were created by logged in users and are validated therefore we think that mentioned ejs issues can't create any real vulnerability for UNMS. We are checking UNMS with NSP periodically. But we have to always consider potential impact of any vulnerability, upgrade compatibility issues, time for retests, etc. Anyway, I would like to thank you for pointing to this issue. I think that we know about all publicly known potential vulnerabilities and we are monitoring them. But if you know how to practically exploit them or if you know about any other possible attack to UNMS then I would like to ask you to share it with UNMS team via UBNT security bug bounty program: https://hackerone.com/ubnt It's possible to get a bounty for a real attack with a detailed description and it will give us time to fix it ASAP.

jflidr avatar Apr 03 '18 10:04 jflidr
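
A miniature of the periodic dependency check discussed in the two comments above, as an added example that is not part of the thread and not UNMS or NSP code. The package names, versions and "first fixed" floors are constructed placeholders; the lockfile uses the nested `dependencies` shape of an npm v1 lockfile.

```javascript
// Constructed advisory data: package name -> first version containing the fix.
const ADVISORIES = { "template-lib": "2.5.5", "http-helper": "1.4.0" };

// Constructed lockfile; not the real UNMS manifest.
const LOCKFILE = {
  dependencies: {
    "template-lib": { version: "2.5.2" },
    "http-helper": { version: "1.4.0" },
    mailer: { version: "3.0.1", dependencies: {
      "template-lib": { version: "2.5.7" },
      "http-helper": { version: "1.3.9" },
    } },
  },
};

// Parse "x.y.z"; a pre-release/build suffix is ignored (1.4.0-rc.1 reads as 1.4.0).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, so 2.10.0 > 2.9.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk every nesting level: a transitive copy can be stale even when the
// top-level copy of the same package is already patched.
function audit(node, advisories, path = [], findings = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    const fixed = advisories[name];
    if (fixed && compareVersions(dep.version, fixed) < 0) {
      findings.push({ path: here.join(" > "), installed: dep.version, fixed });
    }
    audit(dep, advisories, here, findings);
  }
  return findings;
}

console.log(audit(LOCKFILE, ADVISORIES));
```

A finding only says a flagged version is installed; whether it is reachable with untrusted input, the point argued in the reply above, still has to be assessed per call site.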

> all became an issue as soon as they started distributing the raw source on an open platform themselves

Disclaimer: I'm not a lawyer, do your own research...

General warning to anyone that is technically capable, but is not experienced with software IP - @iamacarpet is correct that their source is accessible if you know where to look, but "source available" DOES NOT mean "open source". Please don't try to reuse (or redistribute) the UNMS source code thinking that you are legally OK to do so - without an explicit license they still own their source code.

I do think fair use applies to this e.g. you can discuss their source code, quoting small bits of it as needed to aid your discussion, without concern. That's a good tool for clarifying the various technical concerns that have been raised in this and other issues.

hamiltont avatar Nov 25 '18 23:11 hamiltont

Two years gone by... Any update on this topic?

mathse avatar Feb 15 '21 07:02 mathse