Using the "Direct" Method
While the idea of having separate documentation for the channel viewer protocol is good, I do not think the mislabeled "direct" approach should be mentioned here. It is a very ugly hack depending on exposing the server's database file to the world, thus providing neither current information nor any kind of security. If you want to retrieve server information, use the Ice interface together with one of the CVP providers, or make solid proposals towards an alternative as has already been discussed. Ngollan 09:13, 25 July 2011 (UTC)
- Having looked at the code and used the plugin, I thought it was very elegant. Did you look at the code very closely? It hardly "exposes the server's database file to the world" and gives the web surfer exactly what they came for, a list of who is on the server and in what channel. I fail to see your point "thus providing neither current information"?? As to your point "nor any kind of security", as if putting the plain-text ICE password in an ini file is great security. My host, Dreamhost who hosts hundreds of thousands of websites, seems fit to give all it's users access to the SQLite3 PHP library by default but not to ZeroC ICE, which should tell you something about how secure ICE is. Also, using SQLite3 to access the Murmur database directly from a PHP file is no less secure then using PHP file to access MySQL, the databases are just in different places. Mod_Murmur is as safe as using ICE and if Mumble developers were worried about their database, they would password protect it, but it isn't. The point here is that those without access to ICE have no method by which to get channel information out of Mumble and it is a critical problem. The entry here I spent considerable time writing, documents the various options available to create a channel viewer and should be left alone, even if you don't agree with the method. Mrsdonovan 15:40, 25 July 2011 (UTC)
- Direct reading and/or writing the database is unsupported and there is no guarantee that it will work in the future. We don't want anyone to promote that. Also putting the database on a public webserver is a very bad idea, it contains private SSL keys, user/channel passwords, etc. (Parsing the server log is also slow...) PCGod 16:11, 25 July 2011 (UTC)
- Yes that's why the "Direct" method is "unofficial" and it up to the script writer to keep it updated. Is any method that doesn't use ICE forever banned even if they are simpler and easier to actually get working? Why did the Mumble developers use an open standard like SQLite3 to create the database if they didn't want people writing scripts against it? As for putting the database on a public webserver, the SQL database is in a directory not accessible to the general public, so the security issue isn't one. For example my murmur server is "/home/<username>/murmur" and my mod_murmur script is "/home/<username>/website.com/mod_murmur.php" - The database can't be downloaded. Unless Mumble developers password protect the SQLite database, then using a PHP script to access it can hardly be "forbidden". I added a security warning to the article. Mrsdonovan 17:30, 25 July 2011 (UTC)
- Using a standard database instead of trying to implement your own is just a matter of common sense, and password protecting it isn't possible, even if mumble were not open source. The main issue is that this wiki is somewhat of an official documentation, and if you add stuff to it, you will need to live with it being reviewed and put into context by the Mumble team. Even if that means they delete it -- they have their reasons.
- That said, your example code clearly states copying the database over http, which equals the database being downloaded. Whether or not you tell people the URL to the database doesn't matter from a security standpoint, and if a PHP script can download the database, so can anyone else. -- Svedrin 17:34, 25 July 2011 (UTC)