On Tue, Aug 21, 2007 at 04:12:32PM +0200, Natanael Copa wrote:
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the ssl certificate during src_install(). This makes
> all binary packages contain the ssl certs, which is a security threat.

I filed bug #174759 to the security team back in April on this issue, and
then fixed the openldap package where I had originally found it.

Anybody using binpkgs obtained from a public repository that contain SSL
certs should ensure that they regenerate the SSL certs on each machine.

For packages, there are two possible fixes:
1. Move the docert call into pkg_postinst.
2. Provide scripts that generate certs (courier-imap and qmail do this).

--
Robin Hugh Johnson
Gentoo Linux Developer & Council Member
E-Mail : [EMAIL PROTECTED]
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
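The two sides of the advice in this thread, as an added shell illustration that is not part of the mail and not Gentoo's ssl-cert eclass: a pre-publication check that walks a package image tree for PEM private-key material (the thing a binpkg must never carry), and a pkg_postinst-style step that creates the key pair on the installing host only when one is not already there, so nothing is generated at build time and an existing host key is never clobbered on reinstall. The function names, the image paths and the `openssl req` invocation are my assumptions.

```shell
#!/bin/sh
# Added example; not code from the mailing-list post or from any Gentoo eclass.
# Assumes: POSIX sh, grep -r, and (only for ensure_host_cert) openssl on PATH.

# Scan an image directory (the tree that would be packed into a binpkg) for
# PEM private keys. Prints each offending path and returns 0 if any is found,
# returns 1 if the tree is clean. Matches "BEGIN PRIVATE KEY",
# "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY", and so on.
scan_image_for_private_keys() {
    dir=$1
    found=$(grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$dir" 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# The "generate in pkg_postinst" fix: create a self-signed key/cert pair for
# this host only if no key exists yet. Because this runs on the target host
# after the archive is unpacked, the binpkg itself contains no key, and a
# reinstall keeps whatever key the admin already has in place.
# Args: key path, cert path, optional CN (hypothetical, defaults to localhost).
# Returns 0 if a key is present afterwards, 2 if openssl failed.
ensure_host_cert() {
    key=$1
    crt=$2
    cn=${3:-localhost}
    if [ -f "$key" ]; then
        echo "keeping existing key $key" >&2
        return 0
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" >/dev/null 2>&1 ) || return 2
    echo "generated new key $key and cert $crt" >&2
    return 0
}
```

Run the scanner against `${D}` (or the unpacked binpkg) before anything is pushed to a shared repository; a non-empty result means the package is still doing its cert generation at build time and needs one of the two fixes above.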