1

It’s been almost a year since the question was last asked , and we’re now more than ten months since the last update for Spiceworks Desktop .

In my opinion, this period of relative silence from Spiceworks is inexcusable and probably terminal for our relationship.

I realize that we get what we pay for, and maybe that’s the lesson here, but neglecting the on-prem app for this long is professionally negligent. The Desktop app bundles a variety of web application components (Apache, Ruby, etc.) that require regular patching to resolve security vulnerabilities (among other things.)

In these specific cases, the last version of Spiceworks Desktop, 7.5.00101, is using Ruby Interpreter version 2.1.5p273. Ruby ended support (including security updates) of Ruby 2.1.10 (a subsequent version) on March 31 of 2017 ( Support of Ruby 2.1 has ended ) and has published at least six new CVE disclosures since then ( Security )

Likewise, 7.5.00101 shipped with Apache Server 2.2.31, which is no longer supported in any way. Apache retired the 2.2 branch on July 11, 2017 ( Welcome! - The Apache HTTP Server Project ), and they have published several CVEs and other issues with the 2.2 branch between 2.2.31 and the final version, 2.2.34 ( http://www.apache.org/dist/httpd/CHANGES_2.2 and Apache HTTP Server 2.2 vulnerabilities - The Apache HTTP Server Projectnot insignificant vulnerabilities: Apache Http Server version 2.2.31 : Security vulnerabilities, CVEs )

The bottom line for me is that Spiceworks is a web application, and web applications and the platforms that run them inherently require constant maintenance to maintain any semblance of security, and Spiceworks seems to have abdicated that responsibility entirely.

Maybe they’re working on the next great thing, and maybe it will truly be great, but at the end of the day, the echo of the void over the last ten months has shattered my faith in the organization’s ability to support their core product, and I am no longer comfortable running it in production to support any organization of consequence (especially my own.)

I love the community, and I intend to stick around for the banter, the news, and the enlightening discussions, but as a professional product choice, I’m moving on, and I will be encouraging my peers to do the same.

Is Spiceworks Dead? Are you moving on?
  • Spiceworks is Thriving
  • Spiceworks is Alive and Well
  • Spiceworks is Alive
  • Spiceworks is Evolving
  • Spiceworks is Struggling
  • Spiceworks is Dying
  • Spiceworks is Dead
  • Spiceworks is Dead to Me
  • What is Spiceworks?
0 voters
84 Spice ups
2

Version 8 is in beta now.

26 Spice ups
3

They’re alive and well. They’re also working on “the next great thing” whose progress you can follow here:

https://community.spiceworks.com/beta/inventory-8-0

Although you definitely bring up good points regarding security.

21 Spice ups
4

Spiceworks, the inventory/scanning program, is dead. Spiceworks, the ticketing system, is as good as any free product, but dying of neglect.

Spiceworks, the community, is struggling to find its niche as it matures. But it’s not dead.

38 Spice ups
5

That’s great! It doesn’t really resolve the issue of the maintenance gap between the last release, though :frowning:

5 Spice ups
6

I should add that while my primary concern is the security implications of the maintenance gap, I think the real problem for Spiceworks is communication. If there was going to be a deliberate maintenance gap or if 7.5.00101 was going to be a final release before 8.0, that ought to have been advertised in banner marquee, both as a reassurance that the app isn’t dead and to clarify expectations.

7 Spice ups
7

Well, I’ll tell you based on the information presented by Jay at Spiceworld Austin this year, it seems that there is now a much heavier focus on the Spiceworks community than anything else or ever before. That being said, the products certainly have not been abandoned. I suggest checking out Version 8 if you’re dead set on sticking to the Desktop version over cloud.

If you’re concerned with the maintenance gap, and feel it is a problem, talk about it (and not on an annual basis) that is part of why this community exists you know?

@jay

8 Spice ups
8

Good advice, rbleattler. For us, it’s not a matter of being dead-set on sticking to the Desktop version, our security requirements won’t allow us to move to the cloud. (Not unless Spiceworks is willing to sign or provide a HIPAA Business Associate Agreement and provide verification of a third party security audit.)

15 Spice ups
9

I haven’t given any thought about the software that Spiceworks runs on, and if that software isn’t being updated, that is a risk. It also makes it a harder sell for companies in regulated industries. I haven’t run the software in some time, but if I did, I don’t know how I would explain to auditors that I’m using a platform that has known bad vulnerabilities and they aren’t being resolved. Especially one that has a lot of info about the network.

I’m looking forward to seeing what Spiceworks leadership says about that part.

As for the community, it’s growing and it’s highly active. There has been a lot of transitions and direction changes within the community to help Spiceworks get more clicks for advertising money. On that side, that’s part of life when using a produce that’s free. I don’t mind that, which is why I’m active here.

12 Spice ups
10

Personally for my organization we use the spice work at applications as a backup to our core applications. It can monitor many of the same things but isn’t always as reliable, to me, as the alternatives. Not to mentions, I don’t have to do nearly as much work with the core apps to get what I’m looking out of those apps.
I wouldn’t say that this is dead, but I understand and agree with your frustration.

1 Spice up
11

Due to changes in my career I no longer use the applications. However, I am becoming active in the community again and it seems like it is still chugging along just fine.

8 Spice ups
12

The best people to tag for this question would be Francois (Spiceworks) and Jackie (Spiceworks)

I have to say I am interested in the reply as well. The 8.0 beta has been out since Spiceworld 2017 (so October or so) as a result I would have expected more movement on it…

@jackie @francois-sw

7 Spice ups
13

Fair enough, but I’ve got to say, if your compliance restrictions are so heavy, perhaps moving to a paid solution (no disrespect to SW here) is your best bet. I mean, I love this community beyond what words can express, but I don’t think even the folks Spiceworks will tell you that their products are 100% for everyone, or the best at everything they can do. There is a whole section of this community dedicated to finding, reviewing, researching, and purchasing IT Services/Products. JM2C.

4 Spice ups
14

All, good thread, with good questions and comments. We are working on a response, which should be posted soon. Stay tuned.

Like always, thanks for taking the time, we appreciate it.

13 Spice ups
15

I think that’s the conclusion we’ve reached, rbleattler. Either way we have external pressures pushing us in another direction.

16

I don’t think version 8 will fix your security concerns with SW.

2 Spice ups
17

I stopped using the inventory module a couple of years ago due to it depending on a buggy WMI inventory call that returns uninstalled Microsoft applications as installed instead of checking the registry’s installed application list. The helpdesk component is still viable, but is starting to show its age with the rise of ITIL requirements.

The community is alive and well.

10 Spice ups
18

Just so you’re aware, Spiceworks checks the registry now for installed programs. However, installers leave remnants behind, so this isn’t necessarily perfect.

4 Spice ups
19

It checks via a WMI call that scans the registry. I went around and around with Spiceworks Support on this two years ago and they finally gave me the WMI call they’re using. This WMI call doesn’t check the add/remove programs lists. Instead it scans the registry ignoring the fact that it’s darn near impossible to automatically completely remove all traces of a program. The worst offender of this issue is Microsoft Office.

13 Spice ups
20

Spiceworks would be better if all uninstallers would work properly. But Spiceworks is not alone in finding registry instances- OpenVAS and Nessus also find them and deliver them up as proof you have not patched. It would be better for everyone if all software would be easier to patch and those *(&(&)(^(^^ hackers would find a productive job.

7 Spice ups