Hi Lonnie,

On 7 January 2014 18:51, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> Hi Matthew,
>
> I built 0.9.2 and see the certs get generated.  Of course we remove them 
> anyway.
>
> Question, what is your reason for generating certs vs. letting developers/users 
> handle that outside of prosody? Aren't you still setting up the risk of 
> private keys getting distributed?

Hmm, right - it's possible that packages could still generate
certificates at build time, and distribute binary packages containing
these certificates. The correct thing for packages to do is to pass
--no-example-certs to ./configure now (I've just documented this at
https://prosody.im/doc/packagers#section09 ).

There is a balance to strike, and it's a tough one. I can't
immediately see a way to automatically prevent packagers from making
this mistake, except by removing all forms of automatic cert
generation, which would inconvenience users building from source.
Perhaps now we have prosodyctl able to generate certificates, this
isn't terrible. More thought required.

Regards,
Matthew
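
A packager-side check for the mistake discussed in this message, as an added example that is not part of the original e-mail or of Prosody's build system: it scans a staged install tree for PEM private keys so that build-time example certificates cannot end up in a binary package. The function names, the staging layout and the sample file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Prosody's build code). Scans a staged package tree
# for PEM private keys so build-time example certs cannot ship by accident.

# find_private_keys DIR
# Prints each file under DIR that contains a PEM private-key header.
# Returns 0 if none found, 1 if any found, 2 if DIR is not a directory.
find_private_keys() {
    stage_dir=$1
    if [ ! -d "$stage_dir" ]; then
        echo "find_private_keys: not a directory: $stage_dir" >&2
        return 2
    fi
    # Covers PKCS#8 ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") and
    # traditional ("RSA PRIVATE KEY", "EC PRIVATE KEY") PEM headers.
    # grep exits non-zero when a batch has no match, hence "|| true".
    hits=$(find "$stage_dir" -type f -exec \
        grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree DIR
# Builds constructed sample input: placeholder PEM files, no real key material.
# The paths are hypothetical and do not reflect Prosody's install layout.
make_sample_tree() {
    mkdir -p "$1/etc/example/certs" "$1/usr/lib/example"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED+PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/etc/example/certs/example.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED+PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/etc/example/certs/example.crt"
    echo 'return {}' > "$1/usr/lib/example/example.lua"
}
```

Run `find_private_keys` against the staging directory after the install step and fail the package build on a non-zero return; it catches the case where `--no-example-certs` was not passed to `./configure`.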
