Hi,

I am not sure how the creation of a self-signed certificate as part of the installation of the FOSSology software improves the situation.

From a technical point of view, of course, we could even add a self-signed certificate creation step in the post-install operations. But, for most cases, would self-signed certificates work right out of the box? – we need to know the hostname of the machine we're on … maybe this is possible, but I just do not know how reliably you can determine the hostname. And if someone is using fossology in a localhost setup, is it helpful to create a certificate with the hostname, and then the user calls localhost and the certificate does not match …

I am missing the possibilities here, please let me know how this could work. I have not seen documentation (as part of the FOSSology documentation) of how to create a self-signed certificate.

Kind regards, Michael

From: <firstname.lastname@example.org> on behalf of "Jeremiah C. Foster" <jfos...@luxoft.com>
Date: Wednesday, 1. April 2020 at 18:43
To: "fossol...@fossology.org" <fossol...@fossology.org>
Subject: Re: [FOSSology] Hi I have a questions before using fossology

On Tue, 2020-03-31 at 21:42 +0000, Michael C. Jaeger wrote:

> Hello,
>
> thanks for reaching out to us. To your questions:
>
> *) is source code leaking out from a fossology server?
>
> Answer:
>
> 1. Usually not, the fossology solution is entirely self-contained. You can run fossology entirely without access to the internet. The main point why you would need Internet access is about updating your OS and packages.
> 2. But please understand that although the FOSSology server can run everything on its own database, it is your responsibility to secure your server installation from being hacked. One first task would be to enable a connection using https.

Is there documentation on doing this? I understand that there is plenty of documentation already on the internet that describes using TLS and certificates with apache and nginx, but there doesn't appear to be a ton of documentation on the way that FOSSology sets things up.

For example, FOSSology does not appear to add a self-signed cert which would enable https upon installation. Am I mistaken, is there more info on this?

Regards, Jeremiah
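
An added example, not part of the original thread and not FOSSology's own tooling: one way to handle the hostname-versus-localhost mismatch raised above is to put every name a user might type into the certificate's subjectAltName. It assumes OpenSSL 1.1.1 or later (for `-addext`); the function names and the `selfsigned.key` / `selfsigned.crt` file names are hypothetical.

```shell
#!/bin/sh
# Added example (not FOSSology code). Function and file names are hypothetical.
# Assumes OpenSSL 1.1.1+ for the -addext option.

# Build a subjectAltName value covering localhost plus the machine's short
# and fully qualified names; extra names (e.g. a DNS alias) come from "$@".
build_san() {
    short=$(hostname 2>/dev/null || uname -n)
    fqdn=$(hostname -f 2>/dev/null || echo "$short")
    san="DNS:localhost,IP:127.0.0.1"
    for name in "$short" "$fqdn" "$@"; do
        [ -n "$name" ] || continue
        case ",$san," in
            *",DNS:$name,"*) ;;               # already listed, skip duplicate
            *) san="$san,DNS:$name" ;;
        esac
    done
    printf '%s\n' "$san"
}

# Write selfsigned.key / selfsigned.crt into directory $1.
make_selfsigned() {
    out_dir=$1; shift
    san=$(build_san "$@")
    cn=$(hostname 2>/dev/null || uname -n)
    ( umask 077   # private key must not be world-readable
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$cn" -addext "subjectAltName=$san" \
          -keyout "$out_dir/selfsigned.key" \
          -out "$out_dir/selfsigned.crt" 2>/dev/null )
}

# Succeeds only if certificate $1 is valid for host name $2.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Usage: make_selfsigned /tmp/tls fossology.example.test
#        cert_matches /tmp/tls/selfsigned.crt localhost && echo "localhost ok"
```

A matching name only removes the hostname-mismatch error; because the certificate is self-signed, each client still has to be told to trust it before the connection validates.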