On Jan 10, 2014, at 12:45 PM, Matthew Wild wrote:

> Hi Lonnie,
> On 7 January 2014 18:51, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>> Hi Matthew,
>> I built 0.9.2 and see the certs get generated. Of course we remove them
>> anyway.
>> Question, what is your reason for generating certs vs. letting developers/users
>> handle that outside of prosody? Aren't you still setting up the risk of
>> private keys getting distributed?
> Hmm, right - it's possible that packages could still generate
> certificates at build time, and distribute binary packages containing
> these certificates. The correct thing for packages to do is to pass
> --no-example-certs to ./configure now (I've just documented this at
> https://prosody.im/doc/packagers#section09 ).
> There is a balance to strike, and it's a tough one. I can't
> immediately see a way to automatically prevent packagers from making
> this mistake, except by removing all forms of automatic cert
> generation, which would inconvenience users building from source.
> Perhaps now we have prosodyctl able to generate certificates, this
> isn't terrible. More thought required.
> Regards,
> Matthew

Yes, I discovered the --no-example-certs configure option shortly after I 
posted, which we now use to keep it simple.

Perhaps --no-example-certs should be the default and --with-example-certs would 
generate them.

You are correct, it is a tough balance.
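
A packaging-side check for the risk discussed in this thread, as an added example that is not part of the original messages and not Prosody's own tooling: it scans a staged install tree for PEM private keys before a binary package is assembled. The tree layout and file names in `make_sample_tree` are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a package build if the staged install tree contains a
# PEM private key (for instance one generated at build time).
# Intended use in a build recipe:  find_private_keys "$DESTDIR" || exit 1

# Print each file under "$1" that holds a PEM private-key header.
# Returns 0 if the tree is clean, 1 if any key file was found.
find_private_keys() {
    # -e keeps the leading dashes from being parsed as grep options. The
    # group covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
    # "ENCRYPTED PRIVATE KEY" and "OPENSSH PRIVATE KEY".
    hits=$(grep -rlE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1" \
        2>/dev/null || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Build a constructed staging tree for the demonstration. Paths and file
# contents are made up; the "key" body is a placeholder, not key material.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/certs" "$root/clean/etc"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$root/etc/certs/example.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$root/etc/certs/example.key"
    printf '%s\n' 'sample = "config"' > "$root/clean/etc/sample.cfg"
    printf '%s\n' "$root"
}
```

A certificate alone does not trip the check; only files carrying a private-key header are reported, so the gate can run on every build regardless of which configure options were passed.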

