Hi Lonnie,

On 7 January 2014 18:51, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> Hi Matthew,
>
> I built 0.9.2 and see the certs get generated. Of course we remove them
> anyway.
>
> Question, what is your reason for generating certs vs. let developers/users
> handle that outside of prosody? Aren't you still setting up the risk of
> private keys getting distributed?

Hmm, right - it's possible that packages could still generate certificates at build time, and distribute binary packages containing these certificates.

The correct thing for packages to do is to pass --no-example-certs to ./configure now (I've just documented this at https://prosody.im/doc/packagers#section09 ).

There is a balance to strike, and it's a tough one. I can't immediately see a way to automatically prevent packagers from making this mistake, except by removing all forms of automatic cert generation, which would inconvenience users building from source. Perhaps now we have prosodyctl able to generate certificates, this isn't terrible. More thought required.

Regards,
Matthew
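A packaging-side guard for the risk discussed in this thread, as an added example that is not part of the original message or of Prosody's build system: it scans a staged install tree for PEM private keys so a build fails before a binary package containing one is published. The function names and the staging-directory argument are assumptions.

```shell
# Added example: fail a package build when the staging tree (the directory
# a package is assembled from, e.g. a DESTDIR) contains PEM private keys.
# Function names are hypothetical; run check_stage as the last build step.

find_private_keys() {
    # $1: staging directory. Prints every file holding a PEM private key.
    stage=$1
    [ -d "$stage" ] || { echo "not a directory: $stage" >&2; return 2; }
    # Matches PKCS#8 ("BEGIN PRIVATE KEY"), encrypted PKCS#8, and the
    # algorithm-specific forms ("BEGIN RSA PRIVATE KEY", "BEGIN EC ...").
    grep -rlE -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$stage" 2>/dev/null | sort
}

check_stage() {
    # Returns 0 when the tree is clean, 1 when key material was found,
    # 2 when the argument is not a directory.
    hits=$(find_private_keys "$1") || return 2
    if [ -n "$hits" ]; then
        echo "private key material in package tree:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}
```

Certificates alone do not trip the check; only files carrying a private key header do, which is the material that must never be shared between installations of the same binary package.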