Build the certs at first run and stick them in /var/prosody (or
wherever prosodyctl sticks them) and use certs from /etc in preference
to the ones in /var/prosody when they exist?

    -Etan

On Fri, Jan 10, 2014 at 1:45 PM, Matthew Wild <mwi...@gmail.com> wrote:
> Hi Lonnie,
>
> On 7 January 2014 18:51, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>> Hi Matthew,
>>
>> I built 0.9.2 and see the certs get generated.  Of course we remove them 
>> anyway.
>>
>> Question: what is your reason for generating certs vs. letting developers/users
>> handle that outside of prosody? Aren't you still setting up the risk of
>> private keys getting distributed?
>
> Hmm, right - it's possible that packages could still generate
> certificates at build time, and distribute binary packages containing
> these certificates. The correct thing for packages to do is to pass
> --no-example-certs to ./configure now (I've just documented this at
> https://prosody.im/doc/packagers#section09 ).
>
> There is a balance to strike, and it's a tough one. I can't
> immediately see a way to automatically prevent packagers from making
> this mistake, except by removing all forms of automatic cert
> generation, which would inconvenience users building from source.
> Perhaps now we have prosodyctl able to generate certificates, this
> isn't terrible. More thought required.
>
> Regards,
> Matthew
>
> --
> You received this message because you are subscribed to the Google Groups 
> "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to prosody-dev+unsubscr...@googlegroups.com.
> To post to this group, send email to prosody-dev@googlegroups.com.
> Visit this group at http://groups.google.com/group/prosody-dev.
> For more options, visit https://groups.google.com/groups/opt_out.
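
A packaging-time check for the mistake discussed in this thread (build-time certificates ending up inside a binary package), as an added example that is not part of the original messages or Prosody's own build scripts. The staged tree, the `example.key`/`example.crt` names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to package a staged install tree that contains
# private key material generated at build time.

# List every regular file under $1 holding a PEM private-key header
# (RSA, EC, PKCS#8, encrypted, OpenSSH). Returns 1 if any is found.
find_private_keys() {
    stage_dir=$1
    hits=$(find "$stage_dir" -type f -exec \
        grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed staging tree: one public certificate (fine to
# ship) and one placeholder "private key" (must never be shipped).
# The bodies are dummy text, not real key material.
make_demo_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/etc/prosody/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$tree/etc/prosody/certs/example.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$tree/etc/prosody/certs/example.key"
    printf '%s\n' "$tree"
}

# Demo on the constructed tree: only the .key file is reported.
demo_dir=$(make_demo_tree)
find_private_keys "$demo_dir" || echo "refusing to package: private key in staged tree"
rm -rf "$demo_dir"
```

Run against the real staging directory as the last step before the package is assembled, so a build that forgot `--no-example-certs` fails instead of shipping a shared key.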
