IRC logs of #tryton for Monday, 2012-12-17
#tryton log beginning Mon Dec 17 00:00:01 CET 2012
<Demosthenex> so i'm shopping for business software... nothing complex. i run a services business of low volume. bill hours currently in freshbooks, and do my own billable travel expenses in ledger (the most complicated part). i'm seeking an accounting platform to tie those elements in together, and maybe replace the other tools. would tryton be suitable, or is it just a base? [08:40]
<iamnoob> hi good day [09:34]
<iamnoob> can anyone please help me on the "incompatible version of the server" problem? what's the proper version i need to use? [09:35]
<corro> iamnoob: just use versions from the same release (2.2.x, 2.4.x or 2.6.x) for both server and client [09:38]
<iamnoob> hi corro.. i downloaded ver 2.0.1 server and client and installed it. but when i check the version it says tryton = 2.6.0, trytond = 2.0.1. i'm using ubuntu 11.10 btw. any idea why this is happening? thanks [10:01]
<corro> iamnoob: how did you install the packages? Via apt or pip/easy_install? [10:04]
<iamnoob> i downloaded the .deb files on the download page.. i got the server now to version 2.2.3. i'm trying to get the client to 2.2.3 too but got an error.. uninstalling then installing it again now.. [10:09]
<iamnoob> after uninstalling/installing the client and installing the client 2.2.3 (to match up with my 2.2.3 server), when i try to run it, nothing happens =( [10:12]
<corro> iamnoob: does not provide .deb packages, only a link to the official ubuntu repository. Anyway, try running the client in the console and look for an error message. [10:13]
<iamnoob> corro: i got the following error when running tryton in a terminal [10:14]
<iamnoob>     from tryton.config import CONFIG [10:14]
<iamnoob>   File "/home/haw/.local/lib/python2.7/site-packages/tryton/", line 191, in <module> [10:14]
<iamnoob>     os.path.join(PIXMAPS_DIR, 'tryton-icon.png').encode('utf-8')) [10:14]
<iamnoob> glib.GError: Failed to open file '/usr/bin/share/pixmaps/tryton/tryton-icon.png': No such file or directory [10:14]
<corro> iamnoob: looks like you have some artifacts of a previous installation under ~/.local. Try renaming ~/.local/lib/python-2.7/site-packages to something else. [10:21]
<rmu> iamnoob: also applies for ubuntu [10:23]
<iamnoob> ok i'll try it corro, rmu thanks [10:39]
<rmu> somehow i managed to end up with a user with number "10" in the login_try column [14:00]
<rmu> in res_users [14:01]
<rmu> --> server sleeps 1024s [14:01]
<rmu> i suggest that in a new design that decouples login_try from res_users this value is limited to some "useful" upper maximum and/or replaced with locking of the account if there are too many tries. [14:03]
<cedk> rmu: limitation is already done on the number of threads/connections [14:09]
<rmu> cedk: not really, if i reconnect again from a different machine, and try again after a restart of the server, on the next day, etc.... [14:11]
<cedk> rmu: and what is the problem? [14:11]
<rmu> cedk: it seems this number can become arbitrarily large. sleeping more than 30 seconds because of a wrong password is not necessary [14:13]
<rmu> and it seems you could possibly DOS the server [14:13]
<cedk> rmu: ha, you are talking about the sleep [14:22]
<cedk> rmu: I don't see how it can DDOS the server, sleep costs nothing [14:22]
<cedk> rmu: and it doesn't prevent other connections from working [14:22]
<rmu> cedk: it takes one thread per sleep [14:29]
<rmu> just wanted to try it with proteus and noticed that proteus with trytond doesn't do a login? at least it doesn't check the password [14:30]
<cedk> rmu: yes but the number of threads is limited [14:31]
<cedk> rmu: for proteus no need to login if you use trytond [14:31]
<rmu> cedk: so if the thread limit is reached, the server is effectively DOSed [14:31]
<cedk> rmu: no, it still serves the existing threads [14:32]
<rmu> i can easily make the "sleeping" thread sleep for days [14:32]
<rmu> i can file an issue if you want [14:33]
<cedk> rmu: and what is the problem? [14:34]
<rmu> the problem is: user tries to login (with wrong password, but doesn't notice), login is unresponsive. user kills client. ad nauseam. [14:35]
<rmu> each try, login_try is incremented, and one server thread sleeps 2^login_try seconds [14:35]
<rmu> problems: the user doesn't get feedback that he entered a wrong password, at least not in time (who waits for 15 minutes or more for some result that should show in mere seconds) [14:36]
<rmu> and it is possible to DOS the server. even if you say that existing connections continue to work, new ones also should work [14:37]
<cedk> rmu: yes, it could be improved by stopping the thread if the connection is closed by the user [16:00]
<rmu> what use is this sleep anyway [16:06]
<rmu> stopping the thread if the user closes the connection would effectively mean getting rid of the sleep [16:07]
<cedk> rmu: sleep is very important to prevent brute-force attacks [16:10]
<rmu> cedk: but it doesn't really prevent brute-force attacks [16:12]
<rmu> cedk: you can open another connection and try again (modulo maximum thread count) [16:12]
<cedk> rmu: yes so it prevents [16:13]
<rmu> cedk: you prevent legitimate users from logging in/verifying their password if idle too long [16:13]
<cedk> rmu: not if you type your right password [16:14]
<rmu> ok not password verif., this is blocked only when running the production wizard [16:14]
<cedk> rmu: but that's another issue [16:15]
<rmu> cedk: legitimate users won't wait 2^20 seconds until some "bad login/password" dialog pops up, but call support [16:15]
<rmu> cedk: yes that's another issue... but related somehow [16:16]
<cedk> rmu: there is no reason to have to wait so much except if it tries 20 bad passwords [16:19]
<cedk> rmu: or if someone tries to brute-force his password, so it is still good to inform the support to find the cracker [16:20]
<rmu> because of missing feedback, seemingly blocking client in case of long sleep, user may think something is strange, kill the client, and try again [16:21]
<cedk> rmu: missing feedback is the important part of the security [16:22]
<rmu> no, not really, the client could say /something/ [16:23]
<rmu> but as it is, the user doesn't really know if the VPN is having trouble or the login is waiting... [16:23]
<rmu> but, as i said, nevermind, i logged a wishlist issue; if this login_try gets redesigned, perhaps somebody will have a look at it [16:24]
<rmu> and, btw, deactivating an account after 5/10/whatever missed logins, and telling the user "account disabled", would not be a security problem. [16:26]
<cedk> rmu: it is a security issue for me because it will make it so easy to disable any login by some malicious people [16:27]
<rmu> cedk: but malicious people can already deactivate any login, they just have to keep 10 connections open [16:28]
<rmu> or whatever is configured [16:28]
<cedk> rmu: it doesn't because if the password is right it returns directly without sleep [16:32]
<rmu> cedk: without having looked at the source, you can't have the sleep block the connection and not need a separate thread at the same time [16:37]
<cedk> rmu: don't understand [16:46]
<yangoon> rmu: +1, security by obscurity is never a good choice [16:46]
<cedk> yangoon: what is obscurity? [16:48]
<yangoon> cedk: missing feedback as part of security [16:48]
<cedk> yangoon: I don't understand what you mean, it is not useful to say such a mantra that doesn't apply at all to the subject [16:49]
<yangoon> cedk: where do you not understand, that this mantra doesn't apply to the subject? [16:51]
<cedk> yangoon: there is no obscurity [16:53]
<yangoon> not giving feedback leaves the user in obscurity [16:54]
<bechamel> yangoon: I think that when cedk said "it is a security issue for me because it will make it so easy to disable any login by some malicious people" he wasn't talking about the user feedback, but about the account deactivation (am I right cedk?) [16:54]
<yangoon> bechamel: I am just referring to (16:22:35) cedk: rmu: missing feedback is the important part of the security as answer to (16:21:54) rmu: because of missing feedback, seemingly blocking client in case of long sleep, user may think something is strange, kill the client, and try again [16:56]
<cedk> bechamel: yes [16:56]
<cedk> yangoon: ok it is not missing feedback but delayed feedback for exponential time [16:56]
<yangoon> cedk: which indeed results in missing feedback for a long time in certain circumstances [16:58]
<rmu> in ideal software, behaviour like this would be configurable, because requirements and habits regarding passwords and login depend on the organization [16:59]
<rmu> i'm just writing a test to DOS my own server ;) [17:00]
<bechamel> IMO DOS is really hard to avoid, even without login timeout, example:
<cedk> rmu: I never said that trytond could not be DOSed, indeed I think there is no software fully secure on this topic [17:02]
<cedk> rmu: all you can do is try to stay alive [17:02]
<rmu> i know [17:03]
<cedk> rmu: also the firewall should take a good part in the protection [17:08]
<rmu> all i'm arguing for is that endlessly doubling the time in sleep is nonsense... there should be an upper limit of about 15 to 30 seconds, like e.g. in the windows ctrl-alt-del login dialog [17:09]
<rmu> that is enough to prevent brute forcing the password [17:10]
<rmu> and it would be easier on the resources, as this sleep call binds one database connection [17:11]
<cedk> rmu: I don't agree with a limit, you just delay the brute-force [17:11]
<rmu> i didn't test what happens when the client closes the connection and the server thread is sleeping [17:13]
<rmu> if this does abort the sleep, then brute-forcing is possible at near "full speed" [17:13]
<cedk> rmu: agree that we could improve to close the DB connection before sleeping [17:13]
<rmu> cedk: but then nothing prevents the brute-forcer from opening as many connections as he likes [17:14]
<cedk> rmu: don't understand [17:14]
<cedk> rmu: yes of course but each one will sleep more and more [17:14]
<rmu> wait for 1s, see if a positive answer arrives, if not, try the next password [17:14]
<rmu> i think the thing that probably limits first is the number of db connections [17:15]
<rmu> the client can assume that the server answers with "login ok" if he tries the correct password... if this answer doesn't arrive within a (short) timeout, try again [17:17]
<rmu> so if you keep the db connection while sleeping, this amounts to complete DOS in no time (after about 100 tries 64 threads will sleep for days each) [17:18]
<cedk> rmu: yes but there is nothing to do against that, at least not at trytond level [17:19]
<rmu> if you don't keep the db connection while sleeping, the client can try as many parallel logins as threads are available (doesn't seem to be limited in python, so some os limit will define this) [17:19]
<rmu> cedk: i agree there is not that much you can do against malicious users DOSing the server, if they really want [17:20]
<rmu> cedk: but usually, you don't have malicious users on the network where tryton is accessible (hopefully), and user error is your main problem [17:21]
<cedk> rmu: before we had a thread limit that was removed because SocketServer.ThreadingMixIn did not have such an option, but it could be re-added [17:22]
<rmu> and typical tryton users are half-computer-illiterate folks that CAPS-LOCK without noticing, enter the password a few times, and then think the computer is dead [17:22]
<cedk> rmu: we can not do anything against such people [17:23]
<rmu> cedk: you shouldn't do anything against your users ;-) you should make their life easier [17:23]
<cedk> rmu: life easier == no password [17:24]
<rmu> that would be "too big" easy [17:25]
<Pilou> life easier == SSO ;) [17:25]
<rmu> what would you do if SSHing to a machine doesn't react for 1000s of seconds? assume that someone tried to brute force the password? [17:26]
<rmu> i would assume the network had a problem ;) [17:26]
<cedk> rmu: after I type the password, no I will not assume that [17:27]
<rmu> but typical MTU-related problems, especially prevalent with certain kinds of VPN, manifest just that way [17:28]
<cedk> rmu: the first time you use it but not on daily usage [17:30]
<Demosthenex> so i'm shopping for business software... nothing complex. i run a services business of low volume. bill hours currently in freshbooks, and do my own billable travel expenses in ledger (the most complicated part). i'm seeking an accounting platform to tie those elements in together, and maybe replace the other tools. would tryton be suitable, or is it just a base? [17:37]
<cedk> Demosthenex: difficult to say, it could but you should test it [17:39]
<rmu> cedk: I would not bet on it - in reality, these things are in permanent flux, especially in large organizations, and only ever really tested/deployed for windows clients. [17:42]
<Demosthenex> cedk: i figure the expenses piece i'm going to have to reimplement... [17:44]
<cedk> Demosthenex: you said that you do it directly in ledger? [17:46]
<Demosthenex> cedk: currently, i'm one of the more prolific ledger (cli, text files) users [17:50]
<Demosthenex> a combination of frequent splits, heavy metadata, scanned images, etc. [17:50]
<Demosthenex> and all custom logic on top in shell scripts and perl (pdf generation) [17:51]
<Demosthenex> i'm trialing Xero and Kashoo, because i need something with business accounting structures already built in to reconcile my bank accounts against [17:52]
<cedk> Demosthenex: expenses are like supplier invoices [17:54]
<Demosthenex> travel expenses, billed at actual to client [17:55]
<Demosthenex> lots of little items, subject to rules by client [17:55]
<Demosthenex> let's not forget importing from csv/ofxc [17:56]
<Demosthenex> i'm outgrowing text, and moving to a DB my choices are: a scratch reimplementation or use an existing product to build on [17:57]
<cedk> Demosthenex: with Tryton you will be able to customize the generic workflow to yours [17:57]
<Demosthenex> cedk: i'm certain, in fact, i rather like what i've read so far for building the expenses workflow [18:00]
<Demosthenex> what i'm concerned about is whether the accounting backend has what's needed. [18:00]
<cedk> Demosthenex: what do you need? [18:03]
<Demosthenex> i guess my question is, is tryton more of a toolkit or does it have working components already? [18:08]
<cedk> Demosthenex: it is both [18:08]
<cedk> Demosthenex: it is a toolkit because we try to make it as flexible and customizable as possible [18:08]
<cedk> Demosthenex: but it is also working components for the basis [18:09]
<cedk> Demosthenex: indeed it was the subject of a talk at the TUL, that Tryton is somehow both and that it is difficult to communicate on it [18:12]
<Demosthenex> know anyone doing postgres binary blobs for scanned images with tryton? [18:12]
<cedk> Demosthenex: I will suggest to use the same storage as we do for attachments [18:14]
<cedk> Demosthenex: store the data on the filesystem [18:14]
<cedk> Demosthenex: even if postgresql manages blobs quite well, it is still better to have it on the filesystem [18:15]
<cedk> Demosthenex: as it is data that doesn't change, you can backup only the diff [18:15]
<cedk> Demosthenex: but in DB, you have to dump everything each time [18:15]
<Demosthenex> why? i've read some folks argue this back and forth in internet threads... my only argument is sync issues [18:15]
<Demosthenex> we're talking static scanned images. [18:15]
<cedk> Demosthenex: we store attachments based on their hash in 2-level directories [18:16]
<Demosthenex> i've seen that before, that's not too bad. [18:16]
<cedk> Demosthenex: and we never remove files [18:17]
<cedk> Demosthenex: just delete the reference in the DB [18:17]
<cedk> Demosthenex: the main advantage for me is the backup system [18:17]
<Demosthenex> diff on FS, vs dumping blobs. [18:18]
<Demosthenex> i can see that [18:18]
<Demosthenex> so i hear on the site there's companies and individuals providing commercial support... [18:18]
<Demosthenex> perhaps i should check them out [18:18]
<cedk> Demosthenex: I'm from B2CK [18:19]
<Demosthenex> well i do run a successful business, and i'm not shy about paying reasonable amounts to get things done. [18:26]
<Demosthenex> i'm just sick of accounting ;] [18:26]
<Demosthenex> cedk: so how about quoting me on customizing tryton to a use case? [19:02]
<cedk> Demosthenex: B2CK provides such services [19:08]
<Demosthenex> cedk: i' [19:10]
<Demosthenex> cedk: i'm all ears [19:10]
<Demosthenex> i can describe my workflow pretty easily [19:10]
<Demosthenex> at this point i write it myself or pay someone to customize an existing system. [19:10]
<cedk> Demosthenex: send us your use case [19:11]
<Demosthenex> cedk: have an email? [19:11]
<Demosthenex> or contact data [19:11]
<cedk> Demosthenex: I will also suggest you try the demo server to get some idea about how Tryton works etc. [19:14]
<Demosthenex> *nod* i'm having a peek and writing up a use case ;] [19:16]
<Demosthenex> i'd rather put my money toward OSS solutions... [19:16]
<Demosthenex> my business isn't unique [19:16]
<Pilou> Demosthenex: Would you want to distribute these custom modules? [19:32]
<Demosthenex> Pilou: they can remain oss [19:35]
<Demosthenex> cedk: sent one off [19:51]
-!- Demosthenex( has left #tryton [20:04]

Generated by 2.11.0 by Marius Gedminas - find it at!